October 7, 2022

Last Updated on January 18, 2024

Some orgs hesitate to pursue cybersecurity, quality and/or other certifications because of the disruption imposed by activities like internal and external audits.

But can achieving certifications actually save time, improve productivity and reduce interruptions to your business processes—in addition to other established benefits like reducing risk, improving customer loyalty and helping to acquire new business?

On a recent episode of The Virtual CISO Podcast, Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance, SGS, makes a compelling argument that third-party attestations do, indeed, save time and effort when you consider more of the factors involved.

Assurance as a time-saver

Third-party audits may be time-consuming. But so is continually backfilling with stakeholders because you don’t have the trust that independent assurance provides.

“This interruption that happens once per year is still less than having to answer the very same questions to your customers 53 times a year,” offers Willy. “Because you have questionnaires coming from your customers every single week, asking ‘Do you have a password policy?’ ‘Do you have this, do you have that?’ And this external certification provides assurance not just to you and your executive management but also to your customers that yes, you are fulfilling international best practice.”

Willy continues: “I know this is a selling thing. But at the same time, I’m totally convinced, having been in this business for 25 or 30 years, about what we see more and more companies realizing. Certification is definitely an investment, but it’s an investment that is worthwhile to entertain because there’s a huge return on investment in a very, very short period of time.”

Assurance as risk reduction

John concurs that a certification like ISO 27001 is a sales enablement tool. But it also greatly reduces risk.

“I don’t have a formal quantification of that through our 200-plus ISO 27001 certified client base,” concedes John. “But if you look at traditional metrics, depending on whose you believe, somewhere between one-third and two-thirds of companies have some type of fairly significant security incident [annually]. I can count the number of security incidents from ISO 27001 certified customers of ours on less than one hand in any given year.”

“So you can be disrupted once a year by an auditor, but that auditor is giving you assurance that the likelihood of you being interrupted by a malicious entity during that year—and that costing you hundreds of thousands to millions of dollars—is significantly limited,” John asserts.

In case of emergency

Willy shares a story about one of his customers who cut his thumb off with a table saw. But the man was mentally prepared and knew what to do, which saved precious minutes and enabled emergency room surgeons to reattach his thumb and preserve most of its function.

“Part of being prepared is being prepared, and part of an ISO 27001 or ISO 22301 certification is answering that stupid question, ‘In case something happens, what are you going to do?’” relates Willy. “And the organization really needs to have an answer for that. Just the thinking process that is involved in creating that response is already invaluable and will help the organization when it actually does happen.”

In other words, in an emergency such as a ransomware attack or natural disaster, you want to be prepared so you can go on autopilot. Saving time and limiting damage when it counts most is another potential benefit of achieving third-party certification.

What’s next?

Does your small business need formal continuity planning? Yes, and here’s why: Does Your SMB Need a Business Continuity Plan?
