Is ISO 27001 the right thing for my business?
We know that every business faces unique security challenges, and there is no 'one size fits all' approach when it comes to being secure online.
This is why we believe that ISO 27001 implementation is a solid investment for each company as it doesn't attempt to impose a generic online security approach.
Instead, it encourages you to put into place the appropriate processes and policies that support information security specifically for your business.
Our team of experts has worked with a range of clients - from small boutique consultancy firms to international services businesses - so we know that there are several misconceptions around ISO 27001.
So we’re going to shine some light on those, and give you more information so that you can make an educated decision on what’s right for your business.
Common Misconceptions About the ISO 27001 Framework
1. We must change our business.
Perhaps the most frequent misconception we encounter is that the business must change and mould itself to meet all requirements (Annex A Controls) of the Standard to achieve certification.
The truth is that the Standard is a framework that provides the requirements of each control, allowing you to identify and select the controls which are relevant to your business. Not only does this make the Standard fit your business, but it also provides a consistent framework for continuous improvement and commitment to the development of information security.
It is essential that each control that has been identified is relevant and truly reflects your business. This will make them relatable to and adoptable by staff, and they will appreciate the importance of their role in the project, which in turn will ease implementation.
The Standard does not mandate how you meet the requirements, but it does set out the requirements that your ISMS needs to meet.
2. Risk assessments and control gap assessments are the same things.
It is vital to understand the current information security position of your business at the start of the implementation process. We arrive at this baseline by reviewing the current state of your information security program – its existing policies and documentation – and by conducting a risk assessment.
By bringing this information together we can identify where things are already being done well, where things could be improved, and any gaps that need to be addressed.
This gives us a starting block from which we can develop your implementation plan – including applicable controls, required resources (people and facilities), and time to implement.
3. Security is limited to the IT department.
Your IT department is important in implementing ISO 27001 - but they shouldn’t be the only ones involved. When discussing firewall, DNS, and router configurations and rules, the audience is typically limited to select individuals in the IT department; however, when discussing information security controls and budgets, and organisational risks, the audience should be much broader.
ISO 27001 requires that top-level management be involved in information security, which should ultimately become a driving factor in business decisions. The most important aspects of information security include not only IT measures but also organisational issues and human resource management, which are usually out of reach of the IT department.
4. We can do this with policy templates.
ISO 27001 places a strong emphasis on documentation, as this details how things are done in the business and provides the evidence required during the audit. Although documentation is an important part, it is not an end in itself. The main point is that you perform your business activities securely, and the documentation is there to help you do it.
The records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.
We can provide policy templates to aid in this process and are always happy to help you refine them to suit your business and maintain them to ensure compliance with the Standard.
But at the end of the day, having a policy that is never read or followed is like not having a policy at all.
5. We will implement it in a few months.
You could implement ISO 27001 in 2 or 3 months, but it will not work – you would only get a bunch of policies and procedures that no one cares about or understands. Implementing information security means making changes, and it takes time for changes to take place and become effective.
As outlined, implementation requires resources from across the business, and commitment from top management to ensure it happens. This takes time and effort, and given that everyone has a day job, the time has to be found to review documentation, agree on processes and timescales, and implement these.
6. The only benefit of the Standard is for marketing purposes.
“We are doing this only to get the certificate, aren’t we?”
Unfortunately, this is the way that a significant percentage of companies looking to implement ISO 27001 think. We are not trying to argue that ISO 27001 should not be used for promotional and sales purposes, but you can also achieve other very important benefits – like increasing customer confidence, supporting business continuity and growth, protecting against financial and reputational damage, and, perhaps the most topical, supporting remote working.
The point here is – read ISO 27001 first before you form your opinion about it; or, if it’s too boring for you to read it (which we admit it is), consult with someone who has some real knowledge about it.
Emphasise the benefits to your business, other than marketing. In other words, increase your chances to make a profitable investment in information security.
ISO 27001 implementation can seem like a daunting task, but we are happy to help you on your journey to improve your information security program. If you have any questions or would like to speak to an expert, contact us here.