Why Adopting ISO 27001 is Good for Business and Customers
Cyber attacks have become a staple of global risk landscapes, with respected bodies such as the World Economic Forum, amongst others, consistently featuring cyber attack threats in their annual reports.
Indeed, the perfect storm seems to be brewing. On one hand, financially punitive regulations such as the General Data Protection Regulation (GDPR) are coming into force in the UK and the rest of Europe. On the other hand, the cyber threat landscape is becoming increasingly hostile and hazardous. In the midst of this storm, businesses small and large face a growing threat from cyber attacks that can impact a business in more ways than one, including:
Where in the past business executives may simply have ignored cyber risk, today it is safe to say that cyber security can no longer be treated as a binary yes-or-no issue or dismissed as a purely technical risk. Instead, CEOs, business executives and boards of directors, who are in place to manage risk at the companies they govern, must treat cyber security as another form of business risk, to be identified, assessed and managed like any other.
An effective approach to meeting the primary requirements, namely satisfying customers and regulators, managing cyber risk and improving overall security maturity, is to adopt and align the business against an international standard for information security.
This document discusses the following topics:
The International Organization for Standardization (ISO) has the best answer to this.
“ISO was founded with the idea of answering a fundamental question: ‘what's the best way of doing this?’”
Following a standard way of doing things (in this case - addressing the threats and reducing the risks from cyber attacks) means that your customers, consumers and the regulators have the confidence that you are adopting an accepted and tested approach to tackling cyber risks.
ISO 27001:2013 (also referred to as ISO 27001) is best described as a lifestyle that empowers a business to improve its overall information security posture. The executive branch of the organisation must be at the helm of adopting this lifestyle and lead by example for it to be truly effective.
Officially, ISO 27001:2013 is an international standard for information security. It requires organisations to establish, implement, maintain and continually improve an information security management system (ISMS).
An ISMS is a systematic approach to managing a company’s information so that it remains secure. It covers people, processes and technology, not just IT systems, and is built around identifying information assets, assessing the risks to them and applying controls proportionate to those risks. An ISMS must:
The ISO 27001 standard is applicable to organisations of any size or sector. Integrating information security principles into your "Business As Usual" (BAU) processes will give you the confidence to meet clients' growing data protection expectations and to pursue new business opportunities.
Furthermore, firms that achieve ISO 27001 certification can state that they:
More tangible business benefits of having formal risk management processes and an ISMS include:
Certification is not a must for most organisations. However, certification demonstrates that your organisation has formally met the requirements of the standard. As part of the ISO 27001 certification procedure, an accredited external certification body audits your ISMS to confirm that you are doing what you claim.
Certification is granted for a three-year cycle: the certification body carries out surveillance audits (typically annual) during the cycle and a full recertification audit at the end of it. Separately, the standard requires the organisation to conduct its own internal audits of the ISMS at planned intervals. Together these checks ensure you stay on track with your information security and compliance requirements. Our clients have seen significant benefits in taking control of their existing risks and controls to safeguard assets from those risks.
Even when an organisation elects not to pursue an ISO 27001 certification, it is highly recommended that it aligns its business to the ISO 27001 framework, controls and principles. Such a move would help the business in multiple ways:
Undertaking an ISO 27001 certification requires time and effort. If anyone tells you otherwise, they are not being truthful or they have never been involved in an end-to-end ISO 27001 implementation project.
Furthermore, achieving ISO 27001 certification is not, and should not be, just a tick-box exercise. To make the journey truly effective, an organisation needs to embed a cultural change driven from the top. Needless to say, there are some things that cannot be outsourced. Culture is one of them.
Regardless of your organisation’s size, you should allow at least six months to a year to embed the main principles of the framework. From then onwards, you need to keep reviewing and optimising your ISMS to ensure ongoing maturity.
Outsourcing vs Insourcing

| Outsourcing | Insourcing |
| --- | --- |
| Professional and experienced people to take you through the ISO 27001 implementation. | Inexperienced team with little or no specific ISO 27001 experience. |
| Defined implementation plan. | Ad-hoc implementation activity. |
| Dedicated resources that perform a specific function. | Operational team(s) whose operational priorities compete for their time. |
| Fixed costs agreed against a time plan. | Unplanned costs with an indefinite time to implement. |
Here are some questions to ask yourself before you begin the journey to certification. Ideally, you want to be able to answer yes to all of them before you start.