Last Updated on October 29, 2015
According to ISO’s annual surveys, the popularity of ISO 27001 certification has been growing steadily in recent years at between 7% and 14% annually. With its non-prescriptive, risk-based focus, ISO 27001 is meant to be applicable to any organization, making it among the most (if not the most) widely accepted information security standards globally, as well as in the US.
Many companies understand the benefits of aligning their information security management system (ISMS) with ISO 27001—but is it really necessary to become ISO 27001 certified? “Can’t we just implement the controls?” is a question we hear often.
To become certified, a company needs to:
- Determine, through a risk analysis, which controls are “in scope” for the organization
- Design and implement them in compliance with the ISO 27001 standard
- Demonstrate compliance to an independent certifier or auditor
- Perhaps most importantly, maintain monitoring and documentation to substantiate ongoing compliance and continuous improvement
Why take these extra steps? Because certification against the standard offers tangible benefits across the board that are well worth any additional time and expense for most organizations.
Nearly every organization wants to implement ISO 27001 for most or all of these three reasons:
- Improve its information security posture and ensure good practice
- Improve its compliance posture
- Gain a competitive edge through a stronger reputation and the ability to get and keep more clients
Achieving ISO 27001 certification increases the value you get in all these areas—especially the last. You can talk all you want to prospects about ISO 27001, but without an up-to-date certification it will carry little weight. Similarly, the ability to show ongoing documentation of your controls’ operation to regulatory bodies or the courts will be invaluable in relation to any audit, investigation or incident.
Last but certainly not least, the exercise of scoping, designing and implementing controls at a level that will pass muster with an auditor is likely to improve your ISMS significantly, thus further reducing risk. Keeping a focus on continuous improvement will, by definition, improve it even more. Few organizations are likely to maintain the same level of oversight on their own as when they’ve invested in certification and must maintain preparedness for ongoing audits.
So whether you justify it on the basis of risk reduction or increased revenue, ISO 27001 certification is worth it. Especially given the effort and expense of implementing good practice information security controls in the first place, why not take the extra step of verifying that you’ve done so?
To talk over what it will take for your business to prepare for an ISO 27001 Stage 1 or Stage 2 certification audit, contact Pivot Point Security.