The Benefits of ISO/IEC 27001 Implementation
News and information from the Advent IM team.
One of the toughest parts of implementing ISO/IEC 27001 is getting your senior management to buy into the benefits. If you have ever tried to convince your management to fund the implementation of information security, you probably know how it feels – they will ask you how much it costs, and if it sounds too expensive they will probably say no.
Actually, you can sympathise with their decision – after all, their ultimate responsibility is the profitability of the company and you need to have a good business case that argues well the balance between investment and benefit, or as it is more widely known ROI (return on investment).
So to build that good business case you need to do your homework first before trying to propose the investment in ISO/IEC 27001 – think carefully about how to present the benefits, using language the management will understand and will endorse.
To help you we have put together some pointers. The benefits of information security, especially the implementation of ISO/IEC 27001:2013 are numerous, but then that’s easy for us to say as we see those benefits in practice within companies like yours every day. But experience has taught us that the following four are often the most important:
This might seem an obvious benefit and an odd one to list, but it often shows the quickest ROI – if a company must comply with various regulations regarding data protection, privacy and IT governance, then ISO/IEC 27001 can bring all of these requirements under one process, making compliance more efficient.
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO/IEC 27001 could indeed be a unique selling point, especially if you handle clients’ sensitive information, and it can also open doors to new markets, especially the public sector.
Information security is usually considered as a cost with no obvious financial gain. However, there is financial gain if you lower the costs associated with managing security incidents such as interruption in service, data leakage or disgruntled employees. The Annual Study by the Ponemon Institute in 2011 revealed that data breaches cost companies an average of £79 per compromised record – of which £37 pertains to indirect costs such as lost business, reputational damage or churn of existing customers. With data protection fines from the ICO and credit card companies (PCI-DSS) increasing, the lack of effective information security management can be a costly business – and a sure way of getting management’s attention.
This one is probably the most underrated – if you are a company which has been growing quickly for the last few years, or one that has been operating the same way for the last 20 years, you might experience process problems: staff not understanding their security responsibilities, nobody knowing who is responsible for certain information assets, who authorises access to information systems, how different types of information should be handled, etc.
Implementing an ISO/IEC 27001 compliant information security management system that people are trained to use will not only reduce the risk of security breaches and associated fines but also improve the efficiency of the organisation – it’s that ROI again.
To conclude – ISO/IEC 27001 could bring your company many benefits besides being just another certificate on your wall. In most cases, if you present those benefits in a clear way, management will start listening to you.
The critics of certification say it requires a lot of useless and time-consuming documentation work. Certainly, a management system requires some documentation, but it is important to realise that the standard is there for guidance and is flexible to meet your company’s needs. Once the business is certified, improvements are easier to make in the business. Regular certification audits help managers find opportunities for improvements. In the end, the certification pays back in better management and better performance.
The biggest pitfall in achieving compliance is often a lack of experience in implementing and understanding the standard. That’s where we come in. We live and breathe the standard, and it is often much more cost-effective for us to come in and guide you than for you to try to gain compliance with ISO/IEC 27001:2013 on your own. What takes you 10 days may take us 5, and our unique style of providing mentoring as we go means you also receive ‘training on the job’. (It’s that ROI again.)