The experiences of Wirefast’s management team are by no means unique. When most IT managers reference ISO/IEC 27001 certification in their reports, they look at the more obvious benefits of mitigating the risk of information security breaches, and mitigating the impact when they do occur. These are the principle reasons for adopting ISO27001 information security best practice, addressing the threats posed by hacking, malicious code and fraud.
There are several other business benefits that are not as well appreciated which to be better by understood by the C-suite, would form the best justifications for gaining certification to the standard.
To quote a recent IT Governance consultancy client, Paul Green of secure messaging service provider Wirefast, ‘What surprised us by adopting the ISO27001 framework, was that our teams had the blueprint in our information security management system (ISMS) for documenting the complete management system, going beyond simply information security, and bringing benefits across the board.’
The underlying benefits of ISO27001
So what do you gain from the ISO27001 Standard that might not be obvious from the content on the pages of Certification Bodies and industry pundits? Let’s start with the more obviously related plus point of avoiding – or at least reducing – possible penalties imposed by regulators, since the organisation’s information security and record-handling procedures follow internationally accepted best practices. Needless to say, in the context of trading in an international business environment, this can be a factor that is best taken into account before a major security breach costing millions. Wirefast supplies global companies, hence they need to think about more than one jurisdiction.
Demonstrating due diligence to your to shareholders, customers and business partners who might (and usually do) worry about these factors, with evidence of strategic thinking and a proactive compliance to legal, regulatory and contractual requirements. This is also a major card worth playing when securing investment capital and orders. Large contracts with national governments, the NHS and major corporations are often won or lost on compliance issues. It pays to adopt Standards.
ISO27001 is also by far the most comprehensive information security management certification that is internationally accepted. Obtaining certification through independent third-party validation companies (in the UK the necessary audits are provided by a UKAS-accredited Certification Body) is strong evidence of your information security best practice and overall cyber-resilience to hacking exploits.
‘Common denominator’ of ISO27001 Standard banishes management silos
But perhaps the Cinderella of ISO27001 benefits is that the framework provides a ‘common denominator’ – a strong basis to build system-specific controls without having to constantly revisit the basic controls. Through the adoption of ISO27001 there is no need to separately specify, implement and review common baseline requirements and controls on relevant systems.
The fact is, ISO27001 is generally applicable and therefore directly re-usable across multiple departments, functions and organisations without change.
To fast-growing technology organisations like Wirefast, this is an especially big bonus in terms of achieving cost savings with process improvements. The comprehensive and approved information security policies and procedures required under ISO27001 are easier for staff and managers to follow consistently than more proscriptive management system approaches – they are certainly preferable to playing ‘catch up’ with documentation.
The value of ISO27001 as a management system – the trick so often missed
Wirefast’s senior managers quickly spotted the value of achieving ISO27001 certification, ‘Having IT Governance on hand to guide our swift adoption of the ISO27001 Standard and provide ongoing expert support has been invaluable,’ says Paul. ‘… What we found, to our great satisfaction, is that the Standard could also help us to develop our management systems. The pillars of information security namely Confidentiality, Integrity and Availability – fondly referred to as C-I-A – corresponded with our own mission to robustly protect confidential data and make it available only to those who need to access it, when they need it. Every one of our 35 team members, including James Powell-Tuck (CEO), fully supported the implementation of ISO27001 from the outset.’
Wirefast’s customers and business partners are positively reassured by certification as a commitment not just to cybersecurity best practice, but also to robust management procedures. Through the creation and deployment of an information security management system (ISMS), Wirefast has demonstrated how ISO27001 compliance is not an encumbrance to doing business but facilitates growth.
Will your organisation be able to evidence the same level of due diligence?
For more information on how to plan your cyber security defences based on ISO27001 and keeping your business safe, download our free whitepaper here >>