5 ISO 27001 myths that make the Standard seem expensive and difficult
Ben Chewins, Head of Information Assurance
ISO 27001, the gold standard of information security management best practice, or a royal pain in the neck?
Let’s be honest; more often than not, organisations don’t implement ISO 27001 for fun, it’s because they don’t have a choice.
Accordingly, for many organisations, establishing and maintaining an ISO 27001 compliant ISMS is seen as a hindrance; a complex and difficult task that requires significant investment in time and money and tends to bring about increased bureaucracy, process for the sake of process, and numerous security controls, including the need to deploy more technical measures that require management by IT teams who are already stretched.
So, considering all of that, why go through the process? Is it worth it for that piece of paper to hang on the wall in reception or the ‘ISO 27001 certified’ logo that you can proudly display on your company website to show your clients and customers that you manage information properly? Maybe…..maybe not.
I have been implementing—and helping organisations to implement—ISO 27001 for more than a decade and there are a few myths that I think stop organisations from getting the most from the standard. Obviously, as an Information Security consultant, I’m a little biased, but I believe that if you must have an ISO 27001 compliant Information Security Management System, you may as well make use of the benefits it can deliver.
MYTH 1: ISO 27001 needs to cover every aspect of your organisation
This is a misconception I come across often. The truth is, what ISO 27001 covers is limited by the scope, which is down to the organisation’s specific operations. That’s where having strong risk assessment and risk management processes come into play. By understanding the following you can narrow down the scope:
- The things that matter most to the business (e.g. its most valuable information assets);
- The security aims and objectives of your organisation;
- Who the stakeholders are and how they would be affected by a security breach; and
- The legislation and regulations that apply to your organisation.
I’ve worked in huge multi-national companies with a certification that was scoped purely to focus on one element of a manufacturing process. Conversely, as a consultant, I’ve worked with SMEs where the certificate scope is focused on several key departments within the organisation across multiple sites. Despite being markedly different, both approaches are equally valid – the key is that the scope should be appropriate and proportionate for the organisation. Having strong risk assessment and risk management processes is also pivotal and helps you concentrate on the things that are most important to your organisation. Taking a risk-based approach, as encouraged by ISO 27001, means that you prioritise your most significant risks by implementing only proportional and cost-effective control measures, suitable to your organisation.
If businesses identify which parts of their operations need to be covered by the Standard and concentrate on reducing the most significant risks, they won’t be attempting to tackle a mountain when they only need to climb a small hill.
MYTH 2: ISO 27001 involves implementing lots of policies and procedures; it’s an administrative headache!
I’ve noticed that this myth tends to go hand-in-hand with Myth 1 because the idea of developing policies, processes and procedures for a whole organisation can be very daunting. And, if you are attempting to apply the standard across your whole operation, it may well be.
In reality, adopting any kind of best practice standard is likely to require the development of new policies and processes, but often these are just to formalise existing operations to ensure risk and security are managed consistently. There’s bit of a misconception around information security in general in that it’s ‘only about writing documents’ (and I won’t lie, there are certainly documents involved), but it’s important to remember that one of the aims of ISO 27001 is to ensure that the organisation implements an Information Security Management System (ISMS) from which it can derive real benefit, such as increasing the visibility and accountability around what happens within the IT department, or ensuring that all employees maintain an adequate level of information security awareness; which, in turn, decreases the likelihood of someone clicking a malicious link in an email for example.
MYTH 3: ISO 27001 is a prescriptive standard and every organisation must implement everything in the same way
As a consultant, I’ve come across companies trying to implement the Standard using a template pack and pulling their hair out because some of the artefacts they need to develop make no sense in the context of their operations. Some things are mandatory, certainly, but because every company is different there is no point applying a blanket approach because not only is that time consuming, it’s unnecessarily expensive. And I genuinely believe that you should only be spending what you absolutely must. It’s also worth remembering that the standard is non-prescriptive – it tells you what you need to do, but not necessarily the approach that you should take. This should be determined by the organisation and not dictated by an inflexible set of template documentation.
MYTH 4: Maintaining compliance is too hard
I think this myth came about because organisations were implementing ISO 27001 in ways that didn’t actually benefit them—like applying the Standard to the whole business when it would have been better to just focus on one element of the operations. After a while, word gets around that it’s painful and cumbersome and it gets a bad reputation.
The truth is: like anything that’s good for you, some effort will be required. But if you’re finding that your ISMS is overbearing, inefficient or even making business more difficult, maybe that’s not because of the standard, but because some of the key principles have been overlooked, such as correct scoping and effective risk management.
Imagine you take up running to get fit but after a few weeks you don’t see much evidence of improvement, so you feel less inspired to continue. Without the positive reinforcement of seeing results, it’s difficult to stay motivated. So, much like running, for a risk-based approach to security to be successful it requires commitment. And before you know it, it becomes embedded in the business and culture and you won’t be able to imagine a time when it wasn’t there.
MYTH 5: ISO 27001 is an IT issue
Your IT team or supplier absolutely has a big part to play in implementing and maintaining an ISO 27001 certification, if only because they will be responsible for keeping IT infrastructure running—a vital element of operations. However, ISO 27001 is not an IT security standard, it’s an information security standard. The Standard recognises the importance of IT, but its main goal is to keep information secure and it achieves this by promoting good information security practice across the organisation. Information security does not begin and end at the door to IT support. Indeed, the frameworks that the standard advocates work best when implemented in conjunction with IT to ensure a complete, end to end system of strong security governance, controls and awareness.
The mindset that ISO is the IT department’s problem starts if you don’t have buy-in from the Board or senior leadership. By educating the Board about cyber risks and the implications to the business, they will become interested in hearing from information security specialists.
Looking at ISO 27001 with fresh eyes
The first thing to consider when thinking about whether to go ahead with ISO 27001 certification is to look at the value the Standard will provide to your team, your organisation and your stakeholders and clients. It sounds simple but I think that, too often, we default to viewing security negatively, as something that’s always telling us what we can’t do, rather than an enabling set of activities and behaviours. It’s demonstrably true that improving security and standardising processes almost always end up saving organisations time and money, and that a management system that keeps your data secure and organised is therefore important in keeping your customers and stakeholders happy. The Standard provides one of the best and most universally acknowledged ways to calibrate and demonstrate your security stance against international best practice.
How PGI can help
Over the past year, we have seen an increase in the number of organisations looking to achieve the ISO 27001 certification and more companies demanding this level of assurance from their key suppliers. If your organisation is required to be ISO 27001 certified for contractual purposes, then you might as well commit to it fully, entrench it as much as possible and reap the benefits from an effective ISMS that fits your organisation and supports your business to be more resilient, organised and stronger.
Contact us to talk about how we can help you achieve ISO 27001 compliance, cost-effectively: firstname.lastname@example.org or +44 (0)845 600 4403