At CertiKit we deal with many organizations that have decided to go for certification to the ISO/IEC 27001 standard, and we thought it might be interesting to give you our view of the main reasons they mention for doing so. Implementing all of the requirements of ISO/IEC 27001 can take a while (even with our toolkit!) and is a serious commitment of time and resources for any company, so no-one does it lightly. Starting from the bottom, here are the top 5 reasons we hear most often.
The individuals who buy our toolkits are at all levels within the organization, from the CEO to the technician. Particularly at the more technical end, we often hear that the direction has come from on high that certification is needed, so you'd better get on with it! We suspect that the real reason is usually one of the ones below, but it is not always communicated to all levels, so the person at the sharp end is simply focused on the task he or she has been given.
You can't look at the news nowadays without coming across an example of some form of cyber-crime, so many organizations appreciate the need to get their house in order when it comes to information security. ISO/IEC 27001 is generally accepted as one of the best ways to address as many security issues as possible in a controlled way, because it requires an information security management system in which controls are selected and justified on the basis of a risk assessment rather than picked ad hoc. An organization's general desire to protect itself is therefore a common reason for implementation, even if it doesn't go as far as certification.
In industries with some form of regulatory body, insistence on adopting the ISO/IEC 27001 standard, either in full or in part, is an increasing trend. Rather than come up with their own list of security requirements, many regulators understandably specify ISO/IEC 27001 as the default approach to information security. Recent examples we have come across are the online gambling industry and domain name registration services.
Many organizations are realizing that good information security is becoming a prerequisite for doing business in some (if not all) industries. Even if specific customers are not asking for it, there is an increasing acceptance that ISO/IEC 27001 certification gives potential customers a good degree of assurance that the issue is on the agenda and is taken seriously. We're seeing a lot of cloud service providers going down this route, for obvious reasons.
And finally, the number one reason we hear from our customers for why they believe ISO/IEC 27001 certification is the way to go? Because their customers are telling them so. In many cases companies are missing out on tenders and deals because they can't demonstrate the level of protection that their customers want. Most organizations exist to satisfy their customers' wants; it's the key to business success. There's an increasing realization that your own organization can have the best security in the world, but if you share your information with third parties then that represents a weak link that can be exploited by those who would do you harm. So many companies insist that their suppliers show their commitment to good information security by obtaining ISO/IEC 27001 certification. One caveat worth remembering on both sides of that relationship: a certificate only covers the scope of the management system stated on it, so a customer relying on a supplier's certificate should check that the services it actually consumes fall within that scope.
So these are some of the reasons we hear from our customers on a regular basis. But whatever the reason for doing it, the effect is the same – better information security.
And that is always good.