The benefits of Certification to ISO 27001 Information Security Management Systems

Hi all,

There are many benefits to certification to a known standard in business, but first of all, where do standards originate? Standards are formed by national and international institutions like the British Standards Institution (BSI) or the International Organization for Standardization (ISO). These organisations bring people together from all kinds of sectors, preferably professionals in their industry, to discuss how the sector is moving, what will help to continually improve the sector and what hurdles must be overcome to ensure these exacting standards are fulfilled.

We talk about sectors like quality, information security, health and safety, the environment and data privacy, to name but a few, but today we'll concentrate on ISO 27001, Information Security Management Systems. So what are the obvious benefits of certification and application of standards relating to information security?
  • A credible application of standards inside your organisation, using a standard that has been developed by forward-thinking and pioneering organisations and people whose lessons we can all learn from;
  • Recognition by investors and consumers that you are doing all that you can in minimising the impacts on them as individuals and businesses;
  • Recognition from National Authorities that you are aiming to meet an International Standard and one that they recognise as important, credible and above all, helps you to be ever more secure;
  • A systemised method of doing things in your organisation which helps to control the risks to your organisation and helps with continuous improvement;
  • Help you to deal with threats and vulnerabilities posed by criminals, especially online;
  • Support you in applying National legislation and regulation;
  • Align with industry best practice;
  • Be recognised as a forward-thinking business, dedicated to reducing risk to all involved, an extremely responsible attitude.
The reasons above serve as good reasons to implement standards: not only do they improve the viability of the business as a whole, they also help to reduce the risks to all involved, including suppliers, customers, consumers, directors and potential investors.

The only thing is, very often in business, standards implementation is overseen by one person when it needs to involve more than one person. For much of my consulting life I have seen one person being tasked with the job of information security or quality manager, and being left to their own devices. The information security standard, at clause 5, asks for leadership to get involved. Information security should be on the agenda at least once a month in organisations; the reason is that you should keep ahead of the curve and pre-empt any issues before they happen.

The Data Protection Act and GDPR are used to prosecute organisations when you fall foul of these information laws, and you need to be ready if you have a data breach, even if it's not reportable under the GDPR. Standards - when properly implemented, taken seriously and through a team - lessen the chances of prosecution because:
  • You dedicated yourselves to continuous improvement and didn't leave it to chance;
  • You showed that you were always willing to comply with the law, which standards help you to do;
  • You co-operated with national enforcement agencies, which means reduced fines, if any;
  • You mitigated the chances of information breaches by getting ahead with technology and through people's great ideas.
Standards are a force for good; let's keep them high on the agenda in business.

Hope this helps.

Regards

SteveB

Steven Burgess is a Consultant and Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.