ISO 27001 is the international specification for an Information Security Management System (ISMS): a framework of policies and procedures covering the legal, technical and physical controls involved in an organisation's information risk management process. The standard contains 172 requirements and, in Annex A, 114 controls, and studies suggest that it can take 12 months for a single IT manager in an average-sized organisation to implement it fully.
So is it worth all that work? The immediate value to the business is knowing that your cyber security risks are being identified, and then managed and mitigated appropriately and cost-effectively. An ISMS also gives your organisation a clear framework for meeting its cyber-related commercial, legal and contractual obligations. Beyond that, though, you should also consider how customers view the certification.
Globally, ISO 27001 is the most widely recognised certification for information security management (strictly speaking it is a certification, issued by an accredited certification body, rather than an accreditation). It is officially recommended by the NYSE, and Google, Microsoft, Amazon, Citibank and IBM all hold ISO 27001 certifications. More than any other type of certification, it clearly shows customers (and potential customers) that your organisation is committed to protecting them and their data.
The question I think companies should be asking now isn't "can we afford to implement 27001?" but rather "can we afford not to?" What would the consequences be should the worst happen and your company face the kind of cyber attack that has recently hit so many high-profile organisations? And if you think your company is too small for that to be a realistic possibility, remember that 60% of UK SMEs have been targeted by cyber criminals, and in recent years roughly 50% of UK cyber attacks have been aimed at smaller businesses.
Are you concerned about implementing ISO 27001 in your business? Do you need extra resource to achieve it? Kind Consultancy specialises in providing highly qualified infosec professionals on interim contracts who can quickly and efficiently bring your company in line with ISO 27001. Get in touch on 0121 643 2100 or firstname.lastname@example.org for a confidential discussion of your needs.