The Security Certification Practice in the EU Survey published by ENISA in October 2013 comes as a very handy document in the debate around information security and cyber security best practice.
At IT Governance we’ve always insisted that implementing an information security management system (ISMS) which complies with ISO 27001 (the international information security standard) is the most logical thing to do in order to protect any company’s information from cyber threats.
ENISA’s survey, which was carried out in 11 EU member states (Austria, Belgium, France, Germany, Italy, the Netherlands, Poland, Spain, Sweden, Slovakia and the United Kingdom), sheds more light on the factors that motivate European organisations to implement an ISMS aligned with ISO 27001. Here is an overview of the results.
Private sector organisations are driven by the following factors for obtaining an ISMS certification:
- improvement in quality
- security-awareness of the employees
- marketing and competitive advantage
- keeping existing customers satisfied, but also gaining new ones
- meeting customer expectations – mentioned by the surveyed companies as the most important incentive
- increased assurance level perceived by customers
- the requirement to be certified is set in a growing number of procurement procedures
- the decision to obtain certification under ISO 27001 was a natural choice as it forms a good base for other assurance schemes
The ENISA survey stresses the fact that all surveyed private sector companies had very good experiences with ISMS certification.
“One of the companies found that ISMS certification brings together ‘a wealth of industry experience and knowledge’, while another company characterised ISMS certification as possibly ‘the company’s main strategic business asset’.”
Other good experiences mentioned include:
- the actual preparation of the company for the certification increased internal awareness and contributed to the improvement of the processes and the offered services
- the ordinary management of security was greatly improved by having a formal system in place
- all surveyed companies also had very positive experiences with the acceptance of the certification by their customers
- the certification was found very useful in public procurement procedures, even when certification was not an obligatory requirement
Public sector organisations also saw a lot of benefits in complying with ISO 27001. They were motivated by factors including:
- managing information in a secure way
- strengthening the confidence of citizens, or of companies that collaborate with them, in the security of the IT and data management processes
- certification was used to promote customer take-up of services that they were developing
- integrating security throughout their business processes
- complying with the requirement to adhere to a sector scheme
The public sector organisations’ experience with certification was described as:
- ensures a regular and systematic identification of risks to information security
- contributes to improvements of the implemented system and thus improvements to the organisation of work
- continuous adjustment and further evolution in line with changing requirements can be achieved
- allows the management of information in a much more rigorous and deliberate way than before
- sustainable security and safety in the organisation’s processes, which would not be possible without such certification
- ISMS certification brought the organisation a lot of structure and strongly improved system availability
- ISMS certification preserves compliance with the rules for the processing and handling of personal data
Companies recognising one or more of the above benefits have every reason to go ahead with implementing an information security management system (ISMS).
Getting your ISMS certified should be a business decision, and you may not want to do it if your customers don’t require it. However, you’ll still be reaping the benefits of adhering to ISO 27001, and as long as you maintain your ISMS you can certify it at any point.
If you need some help to get started with your ISMS project, take a look at the following resources that are specifically designed to provide knowledge and guidance and save you time:
- An Introduction to Information Security and ISO 27001 (2013) A Pocket Guide, Second Edition
- Nine Steps to Success: An ISO27001:2013 Implementation Overview
- ISO27001 2013 ISMS Standalone Documentation Toolkit