Is ISO 27001 Worth It?

Uploaded on 2023-05-03 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

For many organisations, knowing whether to go for ISO 27001 can pose something of a dilemma. Motivations vary. There are those that decide they have to go for certification in order to meet contractual obligations, making it a means to an end. Others see it as a way to prove themselves in a crowded market so it’s a differentiator, while some see it as having merit in itself as a means to improve their security practices.

When the time comes, all weigh up the relative pros and cons of ISO 27001, so what are they and is ISO 27001 worth it?

The ISO 27001 standard is well known worldwide and has a reputation for demonstrating an organisational commitment to managing information security. It’s the only auditable international standard that defines the constituents of an ISMS (Information Security Management System), an approach that sets out the policies and procedures for systematically managing, controlling and improving the organisation’s information security.

It can be applied to all organisations, regardless of size or purpose. 

ISO 27001 confers numerous benefits. It can assure customers and partners that the business has done its due diligence with regards to its security, helps the business comply with other industry standards – including protecting personal data, and can lead to an improved security posture by providing focus. However, despite these obvious gains, uptake remains relatively low. 

Low levels Of Adoption

The latest Cybersecurity Longitudinal Survey (Wave 2) conducted by the UK Government in mid 2022 of medium to large businesses found that only 17% adhere to ISO 27001. Another report, the Cyber Security Breaches Survey found only 8% of businesses had adopted the standard, although this rose to 23% among large businesses. 

Quantitative research carried out by the Longitudinal survey revealed that it was often regarded as onerous and expensive. This is probably down to the fact that the standard also requires organisations to carry out internal audits (clause 9.2), in addition to an annual external audit, all of which can rack up costs. 

Many organisations also want the standard to add assurances against cyber-attack. But, as with any security framework, there are no guarantees it will protect you. Any organisation can suffer a breach and there are almost certainly ISO 27001 certified organisations out there that have done so. Rather, the standard assesses and enables improvement of the ISMS framework and in this way reduces the likelihood of breach, lessens the potential impact and protects the company’s reputation by virtue of the fact that it may not be accused of negligence (particularly if operating and maintaining the ISMS has not been neglected) with respect to its security practices. 

In fact, ISO 27001 can make the company’s reputation more resilient if it does suffer a breach. There’s direct evidence of this in the Ponemon Institute report on The Impact of Data Breaches on Reputation and Share Value. It found that those companies deemed to have a low security posture saw their share price drop 4% more on average than those with a high security posture, a gap that then widened over the course of the next 90 days to 5%. 

What’s more, the low security posture group didn’t regain their pre-breach share price during the course of the study whereas those with a high security posture exceeded their pre-breach share price.

So, they not only recovered but went on to make a gain, probably because they had the processes in place to expedite a quick recovery and communicate effectively when disclosing, thereby reassuring the market.

Turning The Tide

It's this business resilience where ISO 27001 really delivers but its highly intangible. However, other drivers are now slowly turning the tide.

Firstly, we’re seeing insurance companies offer checklists that align with the standard and this is seeing smaller companies put the framework in place. The Cyber Breaches Survey found the only thing stopping these companies from becoming fully certified were the audit costs but to all intents and purposes they’ve done the legwork required, making it trivial to then pursue certification. The larger businesses, for instance, said they found it easy to comply once they’d gone through the initial certification process. 

We’ve also seen ISO 27001 updated for the first time in nine years in 2022. Assessments against ISO/IEC 27001:2022 are now happening but organisations have the next three years to comply. The new version now covers information security, cybersecurity and privacy protection and there are three major changes to the standard itself. The standard structure has been consolidated from 14 down to four: Organisational, People, Physical and Technological. The list of controls has decreased from 114 to 93, with 11 new ones added while 57 have been merged and some removed. And finally, five new attributes have been introduced to align with digital security. 

The good news is that this rationalisation of the standard is likely to make it more appealing to SMEs and it’s now more relevant in focus, helping to address the risk associated with remote working for example.

These changes together with the clear evidence that certification can improve security posture and resilience all make for compelling arguments to adopt the standard. 

But perhaps further incentives are required in those sectors where certification isn’t mandatory. Whether that should take the form of additional regulation, financial incentives (ie tax breaks) or advice, guidance and support, as suggested in a recent Cyber Security Incentives and Regulations Review, remains to be seen.

Phil Robinson is Principal Consultant at Prism Infosec

You Might Also Read: 

US Defense Contractors Don't Meet Basic Cyber Security Standards:

____________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Why Zero Trust Is Fundamental In Today’s Economic Climate
Retrofixing The Remote Workforce »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CW Jobs

CW Jobs

CWJobs.co.uk is a leading specialist IT recruitment website covering all areas of IT including Cyber Security.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

qSkills

qSkills

QSkills is an independent training provider specialized high-quality IT and IT management training courses including IT security.

Lawley Insurance

Lawley Insurance

Lawley is a full-service, independent insurance agency. Specialty insurance products include Cyber Security.

Komodo Consulting (KomodoSec)

Komodo Consulting (KomodoSec)

Komodo Consulting specializes in Penetration Testing and Red-Team Excercises, Cyber Threat Intelligence, Incident Response and Application Security.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Communications & Information Technology Regulatory Authority (CITRA)

Communications & Information Technology Regulatory Authority (CITRA)

CITRA is responsible for overseeing the telecommunications sector, monitoring and protecting the interests of users and service providers, and regulating the services of telecomms networks in Kuwait.

Intelequia

Intelequia

Intelequia SOC is the Security Operations Center your company needs. 24x7 monitoring, protection and automated response to cyber threats.

Moonsense

Moonsense

Moonsense is on a mission to level the playing field in the fight against online fraud.

HTL Support

HTL Support

HTL Support, your trusted partner for comprehensive IT support in London. We specialize in delivering top-tier IT solutions tailored to both large enterprises and small businesses.

Mediatech

Mediatech

Mediatech, specialized in managed Cybersecurity and Cloud services, a single point of contact for your company's IT and infrastructure.

Options Technology

Options Technology

Options is a global leader in financial technology, specialising in Capital Markets technology and enterprise-grade solutions.

Evolve Business Group

Evolve Business Group

Evolve is an independently-owned managed network solutions provider, creating bespoke packages for customers globally since 2005.

GAM Tech

GAM Tech

GAM Tech is a Managed IT Service Provider that serves small and medium sized businesses in Alberta, British Columbia, Ontario and Quebec.

Efex

Efex

Efex is one of Australia’s leading Managed Technology Solutions providers. We service local companies across Australia, providing accessible, fast and straightforward IT.