3 lies you’ve been told about ISO 27001

It shouldn’t come as a surprise to learn that there’s a lot of misinformation swirling around the Internet. This includes ‘facts’ about ISO 27001, the international standard for information security, three of which we address here.

1) “Implementing ISO 27001 is expensive”

One of the big sticking points for organisations contemplating ISO 27001 is that it’s too expensive, but it’s possible to implement the Standard for as little as £2,850. 

Even if that doesn’t sound like spare change, it’s better than the alternative. Without effective information security processes, you will suffer a data breach sooner rather than later, and that will cost £2.48 million on average to put right.

2) “It’s too complicated”

‘Okay, so implementing ISO 27001 is affordable,’ you might say, ‘but we simply don’t have the time.’

Information security is naturally going to be somewhat complicated, because it involves keeping your organisation safe from countless threats. That doesn’t make ISO 27001 too complicated to implement, though: the benefits more than justify the effort it takes.

Besides, ISO 27001 isn’t even that complicated. When we spoke to information security expert Brian Honan last year, he expressed surprise at how many people thought the Standard required “thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented”.

Honan mentioned that a lot of ISO 27001’s technical controls can be addressed with the built-in functionality and tools in Microsoft Windows. For everything else, you can find reasonably priced tools that lay out what you need to do clearly.

3) “It’s the IT department’s responsibility”

IT departments will do a lot of the work related to ISO 27001, but it’s not their job to initiate the process. 

The creation of an ISO 27001-compliant ISMS (information security management system) involves your whole organisation, and it’s senior management’s responsibility to bring all these threads together. They need to make sure the IT department’s work aligns with the overall scope of the project, with legal requirements, and with the HR and physical security controls.

Discover our nine-step approach to implementing an ISO 27001-compliant ISMS

You can find out more about the reality of ISO 27001 by reading our free green paper: Implementing an ISMS – The nine-step approach. 

This guide shows how you can create an ISMS that meets ISO 27001’s requirements while saving time and money. You’ll learn how an ISMS works and why you need one, as well as discovering our tried-and-tested implementation approach. 

The steps outlined in the green paper cover the full extent of the project, from initial discussions with managers through to testing the completed project and pursuing accredited certification.