Why saying you’re “ISO 27001-compliant” isn’t enough

If your organisation takes information security seriously, you will probably have implemented the requirements of ISO 27001. But stopping there and simply advertising yourself as ISO 27001-compliant isn’t sufficient. You really ought to be able to demonstrate it – and that means becoming certified.

If you don’t take this step, you’re essentially self-certifying to the Standard: telling customers and clients that you believe an ISO 27001 auditor would agree that your measures are sufficient. This might be true, but there’s obviously a possibility that it isn’t. If it isn’t, you are misleading your customers and damaging the Standard’s reputation.

Have you fallen out of compliance?

Another big problem with self-certifying to the Standard is that it’s very easy to fall out of compliance. Organisations often put a lot of work into the implementation project, but once they have achieved compliance, complacency can creep in. They either don’t follow procedures quite so rigorously, or they fail to adjust when new challenges arise. Yet they aren’t aware that their performance is slipping and continue to advertise themselves as ISO 27001-compliant.

You can avoid this by achieving certification. An ISO 27001 certificate is valid for three years, and during that period the certification body carries out surveillance audits (typically once a year) before conducting a full recertification audit at the end of the cycle. The regular external scrutiny means that slipping standards are caught early, rather than quietly undermining a claim of compliance.

Certification shouldn’t be hard

If you believe that your organisation meets ISO 27001’s requirements, becoming certified should be relatively easy, and the external audit will probably be no harder (or more expensive) than the effort you already put into verifying compliance yourselves. Note that certification builds on that work rather than replacing it: clause 9.2 of the Standard requires you to carry out internal audits of your ISMS, and the certification auditor will expect to see evidence that you have done so.

All you need to do is select an accredited certification body, which will send an auditor to review your documentation and business processes to confirm that you have the appropriate measures in place and that your organisation is following them. The certification audit is normally conducted in two stages: a Stage 1 review of your ISMS documentation and readiness, followed by a Stage 2 audit that checks the controls are implemented and operating effectively.

If the auditor is satisfied, they will award your organisation a certificate. You can then proudly use it to demonstrate to stakeholders and potential new clients that you are following information security best practices.

The time it takes an auditor to assess an organisation will depend on its size, type and the scope of the audit, but it usually takes days rather than weeks.

Get ready for certification

IT Governance offers a variety of resources to help you achieve and maintain ISO 27001 compliance. We are the world leader in implementing the Standard’s requirements, and we are happy to help you with whatever aspects you need assistance with. You might be stuck on how to conduct a gap analysis, unsure of what goes in a risk assessment or in need of guidance for the whole process.

You can learn more about how we help organisations certify to the Standard by reading our ISO 27001 consultancy brochure.