Is ISO 27001 Certification worth it?

November 26, 2021

Many things get easier with repetition, but one thing never does: audit day.

Last Tuesday was audit day and as CEO and Information Security Officer it’s the most anxious day of my year. You question whether it’s worth it. But looking back, the cause of this strife, implementing ISO 27001, has been one of the best decisions we’ve made as a company.

If you’re thinking about how to secure your organisation’s data, ISO 27001 (the Information Security ISO) is the gold standard and an ideal place to start. There are several core elements: an extensive set of clauses that cover everything to consider in the context of an organisation; a requirement for leadership, resources, risk assessments, internal audits, reporting, training and ongoing efforts to improve; and the terror of an annual external audit.

Audit day arrived and the ‘virtual’ format softened the blow. But when two auditors, not just one, popped up smartly on Teams at 9am, the day lengthened ahead of me. These two would not miss a thing.

When the call hung up, I knew they were off: digging for evidence, testing our policies and procedures, questioning our employees’ understanding and noticing anything we may have overlooked. Auditors identify areas for improvement or areas of non-compliance. Non-compliance means you’ve missed something the ISO standard considers essential. A major non-compliance is a serious failing that could affect certification and potentially lead to the loss of our valued certificate. That’s the ultimate fear as a security officer, especially when customer contracts depend on it.

The genius of the ISO standard is its focus on continual improvement, which is also why implementing it early is so useful. If you’re running a start-up, you may wonder why you need it, but the earlier you start, the easier it is to begin, and the more you’ll get from it. You get a frame for thinking about data security, even if you’re already confident about your operations.

As terrifying as audit day is, it’s also one of the best ways to get professional advice on your information security overall. Auditors are human and want to help your company succeed. They have unrivalled experience in information security and other related areas such as data protection, across various sectors and businesses of all kinds; advice that’s invaluable to a growing company. Sometimes they offer new thoughts on products and services that we could offer, a welcome bonus.

I learned the ISO 27001 framework when Legalesign was a company of two people. It was a long haul. But we are now six years into our ISO 27001 certification, with our second re-certification behind us. It’s hard to imagine how to build a good information security system without it. As a programmer myself, I had a good awareness of security in software, but the ISO covers the whole organisation, not just software.

Data protection has changed so much in the last six years, not only in the opportunities it offers but also its threats, and the regulatory bite for getting it wrong. For any company with data at its core, ISO 27001 now seems as essential as a driving licence on a motorway. Start-ups may wonder whether they really need it as they plan great new features and exciting tech. If that’s you, then perhaps the ISO 27001 is more for you than anyone. Theodore Roosevelt once advised, “Keep your eyes on the stars but your feet on the ground”. I can attest, the ISO 27001 will keep your feet firmly affixed.

What does it mean to be ISO 27001 Certified?

ISO Certification means your organisation has an externally audited management system that meets a set of standards for information security.

What are the benefits of ISO 27001?

The main benefit of ISO 27001 is that you, as an organisation, get an externally verified system that helps you implement and improve your information security, and then prove that to your stakeholders, and especially your customers, too.

How difficult is ISO 27001 certification?

There’s nothing inherently difficult about ISO 27001 beyond what you need to maintain good information security. If you already practise good information security, the ISO will help you frame and improve it over time. If you don’t, it will tell you how.

The difficulty of ISO 27001 reflects the nature and size of your organisation. If information security is critical to you, then you will want to do more to secure it. You will have more risks to consider and more actions, mitigations, policies and procedures to manage those risks. If you are large, then you may have hundreds or thousands of policies and procedures to maintain, and bigger jobs involving many employees, such as ensuring everyone has good cyber security awareness.