Are you up to ISO27001 standards?

Updated: May 14

Gary Hibberd, ISO27001 Consultant, wondering if you are up to ISO27001 standards.

When people talk about the usefulness of ISO27001 as a security standard, compared to other control sets I have to ask if they’ve really understood what ISO27001 is.

So before we delve into this standard, let me ask you to ponder that question; What is ISO27001?

It’s not your standard, standard.

Of course, ISO27001 is a standard, but it’s more than this. It’s a management system that helps organisations implement a set of security controls based on internal and external factors (including risks).

When people talk about Cyber Essentials or NIST, I’m usually waiting long enough for them to allow me to remind them that one is a control set (Cyber Essentials) and the other is a framework (NIST). There are other standards, such as the Payment Card Industry Data Security Standard (PCI DSS), but in truth these ‘standards’ do not tell you how to implement security. They simply tell you what is required.

ISO27001 - Security Baked in

The analogy I always turn to here is that Cyber Essentials, NIST, PCI DSS and other ‘standards’ are simply a list of ingredients that you must implement in order to meet the needs of that standard.

They rarely (if ever) ask any questions about the risks related to your organisation. They arbitrarily dictate controls that must be implemented, without asking “Is this applicable?” or “Is this appropriate?”.

This is like being given a list of ingredients to bake a cake and told you must use them all – no options. Simply use them all, and to make it even harder you aren’t given any instructions on what is needed, or how you must approach it.

Contrast this with ISO27001, where Clauses 4 to 10 outline what is needed, and there is a list of 93 controls that you can select IF they are appropriate for your organisation. We cover this in our “ISO27001 for beginners” if you want more information on what the standard contains.

But for now, all you need to remember is that ISO27001 is based on what is appropriate and applicable to you and your organisation. How much you add, or how little, depends on your wants and needs. You get to bake the cake that meets your needs, and your risk appetite.

Not all standards are equal

It is little wonder then, that ISO27001 is fast becoming the standard that is being embraced the world over. It is flexible, and can be applied to any size of organisation irrespective of sector.

The same can’t be said of the previously mentioned control sets, as each will have limits due to their inflexibility.

This is why, when someone tells me that they have Cyber Essentials, Cyber Essentials+, PCI DSS or other control sets I will ask why they haven’t gone for ISO27001. The answer to this question can be quite telling.

If you don’t have:

- A clear understanding of your internal and external risks and issues
- A good understanding of risks (i.e. people, physical, organisational and technical risks)
- An engaged leadership team

Then you’ll probably fail when it comes to implementing ISO27001. Yes, your firewalls may be patched. Well done… but what about training your teams? What about clear policies? What about back-up plans and processes?

Are you up for IT?

If you’re only up for IT, then you’re not ready for ISO27001. You won’t meet the standard. Sorry. It’s about so much more than IT.

So are you up to ISO27001 standards?

If you think you are, but still you’re not sure and have more questions then get in touch, or go read our ISO27001 FAQs page to see how we can help, and look at the kind of services we provide and the questions we get asked about most.
