ISO 27001 certification myths

ISO 27001 is the international standard that sets out the specifications of an information security management system (ISMS), a best-practice approach to addressing information security that encompasses people, processes and technology.

If you are considering ISO 27001 certification, you may be interested in our debunking of three myths about the Standard.

Myth 1: It’s complicated and expensive

In a recent podcast we caught up with information security expert and author Brian Honan, who said that it “really struck him how complicated people seemed to think ISO 27001 was”.

He added that many people thought ISO 27001 would “require thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented”.

However, Brian said that the Standard is not as complicated as you might think and that you may not have to buy new security systems to comply with it.

Many of the technical controls in ISO 27001 can be addressed with the built-in functionality and tools in Microsoft Windows.

Read ISO27001 in a Windows® Environment, which provides essential guidance on carrying out a Windows-based ISO 27001 project.

Myth 2: It’s a job for the IT department

Although a large proportion of ISO 27001 certification will be the responsibility of your organisation’s IT department, the project is likely to fail without proper support from senior management and teams across your organisation.

In addition to IT measures, information security covers organisational and legal issues, human resource management and physical security controls. It’s important that both the IT and business sides of your organisation understand the key aspects of ISO 27001 and are fully on board with certification.

The CEO should be the driving force behind your ISO 27001 project, and certification to the Standard should be laid out in your organisation’s business plan.

Read September’s book of the month, The Case for ISO27001:2013, for a compelling business case for ISO 27001. This is the perfect supporting text for your ISO 27001 project proposal and you will save 10% if you buy in September.

Myth 3: Large organisations can implement ISO 27001 in a few months

ISO 27001 is a big project for most organisations, and achieving certification in only a few months is unlikely for larger ones.

Implementation takes time and can involve making major changes across your organisation.

However, our tools can help speed up your ISO 27001 project.

For micro enterprises, IT Governance offers a FastTrack™ consultancy service that has been formulated especially for small businesses with 19 employees or fewer, and which helps them prepare for ISO 27001:2013 certification in as little as three months. The service comes with a 100% certification guarantee.

vsRisk™ is a risk-assessment tool that helps you produce stress-free ISO 27001 risk assessments and saves 80% of your time. It provides accurate and auditable results year-on-year, and eliminates the need to use spreadsheets, which are prone to user input errors and can be difficult to set up and maintain.

Time-consuming tasks in your ISO 27001 project can be streamlined with vsRisk. For example, it produces an audit-ready ISO 27001 Statement of Applicability, saving you time and money while improving the efficiency of your risk-assessment process.

Find out more about vsRisk >>