Information Assurance


12 Reasons why you should be considering ISO27001

by Shannon Simpson | Apr 25, 2013

ISO/IEC 27001:2005 (as it's formally known) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

ISO 27001 has been developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

Here are 12 reasons why you may wish to consider its use.

Requirements in tender documents

Organisations have security breaches, and larger organisations are taking security seriously. These organisations are implementing standards, then pushing their requirements down onto suppliers and forcing them to meet those standards. These requirements often appear in tender documents from financial organisations, retailers and government departments. In some cases, if your organisation does not meet these standards, you cannot win the business.

External Audit Requirements

Organisations are audited for various reasons, and some of these audits come directly from customers. These customers have requirements which they expect their suppliers to follow. An unprepared company will go through significant turmoil, time and cost to meet these customer requirements. Suppliers have lost business because they failed to meet the standard. ISO27001 allows an organisation to reach a level which satisfies these audits.

Control risk within the organisation

Security risk is difficult to quantify within an organisation, and ISO27001 ensures that an organisation manages risk in a structured manner appropriate to the business.

Major Incidents

Many organisations have suffered major security incidents and often react incorrectly, as well as suffering financial loss. Avoiding incidents maintains confidence with customers and other organisations. Operating an ISO27001 ISMS includes managing incidents and being aware of the organisation's risks, which in many cases prevents incidents from occurring in the first place.

Understand the weaknesses of the business

Businesses have areas of strength in relation to security; however, they also have weaknesses. Understanding and mitigating these allows the organisation to have more control over its activities and to put controls in place to strengthen those weak areas.

Improve Process

Not only do inconsistently applied processes cause security risks and potential breaches, they are often inefficient and costly to maintain. Putting in place standard and appropriate processes means that activities are repeatable, manageable and cost effective within the organisation.

Maintain existing business

Clients tend to change their requirements over time, and when they do, they often increase the security requirements. Organisations that have achieved ISO27001 certification are significantly less affected by these changes.

Competitive Advantage or Catch Up

A key question is often: what is the value of the certification, and how do we measure it? All organisations aim to win business over their competitors, and in some situations certification can be a key factor in deciding who wins the business. Early adopters within an industry have an advantage over those that have not got it, and in other industries catching up is essential if you are behind.

Implement continuous improvement

Built into the ISO27001 management system is a continuous improvement cycle (Plan, Do, Check, Act). Following this cycle allows an organisation to continuously improve its security practices. This can also apply to the wider business.

Understand the key assets of the business

One of the core requirements of ISO27001 is to ensure an organisation manages key assets in a way that is appropriate to the business. Many organisations are not clear on what their key assets are or how best to protect them, and ISO27001 provides a framework for managing them.

Implement consistent control and process

ISO 27002 contains a control framework, and a baseline can be set for the organisation's assets, ensuring that a minimum level of control is in place. This applies to processes as well as assets and allows activities to be repeatable and maintainable.

Sleep better at night, worry less

In many organisations the information held is of critical importance to them and their clients. ISO27001 allows you to put a framework in place for managing this information. It is not fully prescriptive, allowing security to be implemented in a way that is appropriate to your business; however, it forces controls to be improved within the business, thus allowing you to worry less and sleep better.