Why Adopting ISO 27001 is Good for Business and Customers
Introduction to ISO 27001
Cyber attacks have become a staple of global risk landscapes, with respected bodies such as the World Economic Forum, amongst others, consistently featuring cyber attack threats in their annual reports.
Indeed, the perfect storm seems to be brewing. On one hand, financially punitive regulations like the General Data Protection Regulation (GDPR) are coming into force in the UK and the rest of Europe. On the other hand, the cyber threat landscape is becoming increasingly hostile and hazardous. In the midst of this storm, businesses small and large face the growing threat of cyber attacks that can impact a business in more ways than one, including:
- Loss of customer trust.
- Damage to the brand.
- Material financial damage to the bottom line.
Where in the past business executives may have simply ignored cyber risk, today it is safe to propose that cyber security can no longer be treated as a binary yes-or-no issue or dismissed as a purely technical risk. Instead, CEOs, business executives and boards of directors, who are in place to manage risk at the companies they govern, must consider cyber security as another form of business risk.
Information Risk Management
An effective approach to meeting the primary requirements (satisfying all parties, managing cyber risk and improving overall security maturity) is to adopt an international standard for information security and align the business against it.
This document discusses the following topics:
- Why businesses must adopt an international standard in information security.
- The benefits of ISO 27001:2013 to a business.
- To certify OR not? Not everyone needs to certify. We analyse the pros and cons.
- Before you begin on the ISO journey.
- Outsource or Insource.
Why an International Standard?
The International Organization for Standardization (ISO) has the best answer to this:
“ISO was founded with the idea of answering a fundamental question: ‘what's the best way of doing this?’”
Following a standard way of doing things (in this case, addressing the threats and reducing the risks from cyber attacks) means that your customers, consumers and regulators can have confidence that you are adopting an accepted and tested approach to tackling cyber risk.
What is ISO 27001?
ISO 27001:2013 (also referred to as ISO 27001) is best described as a lifestyle that empowers a business to improve its overall information security posture. The executive branch of the organisation must be at the helm of adopting this lifestyle and lead by example for it to be truly effective.
Officially, ISO 27001:2013 is an international standard for information security that requires organisations to establish and operate an information security management system (ISMS).
What is an ISMS?
An ISMS is a systematic approach to managing a company’s information so that it remains secure. An ISMS must:
- Take into consideration people, processes and IT systems.
- Include a formal risk management framework and process.
The ISO 27001 standard brings benefits to organisations of every size. Integrating information security principles into your business-as-usual (BAU) processes will give you the confidence to meet clients' growing data protection expectations and to pursue new business opportunities.
Furthermore, firms that are awarded ISO 27001:2013 certification can claim that they:
- Are taking appropriate control measures to protect confidential and privileged information.
- Are following international best practices to mitigate cyber threats and have cyber incident response and management processes to respond to cyber attacks.
- Have established a formal information risk management process and a functioning ISMS (information security management system).
More tangible business benefits of having formal risk management processes and an ISMS include:
- Building a solid foundation for complying with existing and upcoming national and international regulations (the EU GDPR, for example), thereby potentially avoiding costly regulatory penalties and financial loss.
- Increasing the overall security maturity of your business.
- Assuring customers and regulators that the business takes cyber security risks seriously.
- Protecting and enhancing your brand reputation.
- Satisfying audit requirements set by internal teams, customers and/or regulators.
- Possibly realising financial savings in the long run (reduced expenditure on technology incidents, regulatory fines and non-compliance).
Is Certification a Must?
Certification is not a must for most organisations. However, certification demonstrates that your organisation has formally met the objectives of the certification requirements. As part of the ISO 27001 certification procedure, an external body will assess your organisation to verify that you are doing what you claim.
ISO 27001 requires re-certification checks (also referred to as internal audits) every year, which ensure you stay on track with your information security and compliance requirements. Our clients have seen significant benefits in taking control of their existing risks and controls in order to safeguard their assets from those risks.
Even when an organisation elects not to pursue ISO 27001 certification, it is highly recommended that it aligns the business with the ISO 27001 framework, controls and principles. Such a move helps the business in multiple ways:
- It demonstrates to clients and regulators that the business is following an internationally accepted and recognised standard.
- It enables straightforward certification when (and if) the organisation decides to pursue official recognition of its efforts.
Insourcing vs Outsourcing
Undertaking an ISO 27001 certification requires time and effort. If anyone tells you otherwise they are not being truthful or they have never been involved in an end-to-end ISO 27001 implementation project.
Furthermore, achieving ISO 27001 certification is not, and should not be, just a tick-box exercise. To make the journey truly effective, an organisation needs to inculcate a cultural change, and that change must be driven from the top. Needless to say, some things cannot be outsourced, and culture is one of them.
Regardless of your organisation’s size, you should allow at least six months to a year to embed the main principles of the framework. From then onwards, you need to ensure you are constantly reviewing and optimising your ISMS (information security management system) to ensure ongoing maturity.
| Outsourcing | Insourcing |
| --- | --- |
| Professional and experienced people to take you through the ISO 27001 implementation. | Inexperienced team with little or no specific ISO 27001 experience. |
| Defined implementation plan. | Ad-hoc implementation activity. |
| Dedicated resources that perform a specific function. | Operational team(s) with operational priorities. |
| Fixed costs agreed against a time plan. | Unplanned costs with an indefinite time to implement. |
Before you Begin the Journey
Here are some questions to ask yourself before you begin the journey to certification. Ideally, you want to answer yes to all questions before you begin.
- Am I fully committed to this endeavour?
- Do I have buy-in from all senior management and the CEO?
- Is the management fully committed?
- Has the scope of the ISO 27001 implementation been defined and agreed?
- Has the scope of ISO 27001 been communicated to the rest of the business, with the what and the why explained?
- Has the ISO 27001 initiative been discussed with your key third-party suppliers?
- Has internal or external legal counsel been engaged to prepare for possible contract changes?
- Have the various heads of department (IT, networks, marketing, PR, human resources, etc.) been engaged?