The ISO 27001 standard is now becoming the de facto standard for information security management. It offers a well-known framework to implement industry best practices in areas such as physical and technical security as well as security incident management. But is ISO 27001 certification worth the trouble? Will it make a difference for your organisation?
ISO 27001 certification will take up resources and can be very complex, depending on the organisation. ISO 27001 will make you consider 114 specific controls (Annex A of the 2013 edition; the 2022 revision consolidates them into 93) across your entire organisation, from HR and legal to networking and encryption. Managing an organisation is already challenging; how can you be expected to manage these additional controls as well?
To assess whether certification makes sense for your organisation, we can look at three types of security objectives you might have and see whether ISO 27001 will help you reach them.
Objective 1: Reduce the frequency and impact of security incidents
Your organisation may have specific security issues that need to be addressed, such as data breaches, denial-of-service attacks or malware. If this is the case, the question you need to answer is whether these incidents can be fixed by a few additional procedures and technical security solutions.
If they can, certification may be more than you need. An ISO 27001 implementation will capture these issues, but it involves much more than is needed to deal with your immediate problems. Instead, work on improving your defensive security posture, review your technical incident response procedures and do more penetration testing.
Objective 2: Bring IT assets and documentation under control
Can you produce a list of your IT assets and the software installed on them? Do all of your systems follow the corporate policies for patching and passwords?
If not, you should consider implementing ISO 27001. The process forces you to implement basic generic IT controls, such as incident management, access control, change management, and archival and backup. In addition, Annex A of the standard provides a checklist of specific measures against which to review your information security posture; each control is either applied or its exclusion justified in the Statement of Applicability that the standard requires you to maintain.
Objective 3: Demonstrate compliance to stakeholders
Does your organisation need to demonstrate to customers, regulators or other stakeholders that it takes security seriously? Do you need to provide evidence in the form of certifications and external audit reports that your organisation is protected?
If you do, ISO 27001 certification is just what you need. Certification means that an accredited certification body has audited your Information Security Management System against the requirements of the standard, and your certificate and audit results can be shared with your stakeholders. Note that the certificate states the scope of the ISMS it covers, so make sure that scope includes the systems and services your stakeholders care about.
KRYPSYS security consultants have many years of experience with the ISO 27001 standard and have completed successful implementations in organisations of all types and sizes. If you would like to discuss whether ISO 27001 certification is for you, please feel free to contact us via our contact page.