With the spotlight currently on the newly released ISO 27001:2013 standard and the changes it will create, it’s easy to forget why you should implement it in the first place.
ISO 27001 certification provides considerable business benefits, so it’s no wonder that the number of certificates worldwide is growing year on year. Many markets have already shown a desire for ISO 27001 certification – there are 1700+ UK, 400+ US, 1450+ Chinese, 480+ German and 7100+ Japanese organisations that have achieved certification to ISO 27001 as of 2012 (according to the ISO).
This article attempts to summarise some of the major business benefits of ISO 27001:
- ISO 27001 is a widely recognised, internationally accepted, independent information security standard that verifies and certifies the information security and data protection controls companies have in place.
- Increasingly, organisations are required to provide some evidence of their security credentials (according to the results of IT Governance’s Boardroom Cyber Watch Survey). ISO 27001 certification often removes the need to complete extensive security questionnaires. It enables an organisation to prove to its clients that all areas of security risk have been considered, whilst saving them time and money.
- ISO 27001 certification demonstrates to all stakeholders that an organisation has invested in exemplary governance practices to safeguard its own and its stakeholders’ information assets. This increases trust in the organisation.
- With security breaches reaching their highest levels ever, companies can no longer afford to trust random security audits that do not comply with a universally accepted information security standard. ISO 27001 certification is an effective measure to dramatically reduce the risks associated with information security breaches.
- Implementing an ISO 27001-compliant information security management system (ISMS) will help protect your business from the threat of organised crime and defend your company from a destructive cyber-attack. This will also help reduce your company’s financial exposure to the risk of information and data losses.
- Supplier-specified security controls can vary from supplier to supplier, but with ISO 27001, all suppliers are audited using the same set of controls.
- In addition to the protection of your data and compliance with data handling laws like the Data Protection Act in the UK, it is simple to argue that there is a distinct market value to ISO 27001 certification. It is financially prudent to protect your organisation’s data and to meet the legal requirements of countries in which you seek to do business.
- ISO 27001 reflects the principles of the 2002 OECD guidance on the security of information systems and networks. When outsourcing aspects of IT that touch data repositories, companies need to be extra careful that the service providers they engage comply with these legal requirements, and that the policies of their shareholders and/or management are aligned with sound information security management practices.
- ISO 27001 is not only recognised throughout the EU, but also has a broader appeal in other key markets via the International Accreditation Forum (IAF). The IAF ensures that ISO 27001 certification is recognised across the world through a ‘mutual recognition arrangement’, agreed by more than 60 national accreditation bodies.
Finally, it doesn’t matter which version of the ISO 27001 standard you are currently implementing (whether 2005 or 2013); the business benefits to you are the same.
If you wish to find out more about ISO 27001:2013, then read these books: The Case for ISO 27001 (2013), Second Edition and Nine Steps to Success – An ISO 27001 (2013) Implementation Overview, Second Edition.
Find out more about the pathways to certification here: www.itgovernance.co.uk/iso27001-pathways-to-certification.aspx.
If you have any questions about ISO 27001, email IT Governance at firstname.lastname@example.org or call us on +44 (0) 845 070 1750.