Recently I was asked by a prospective client, “Do I need ISO27001?”
This is an interesting question because, normally, I’m the one asking it! It’s a question that every organisation should ask themselves before embarking on the journey to certification.
If you’re not sure if there is a need, then chances are there are easier ways to demonstrate security is in place than paying money for something you simply don’t ‘need’.
Need vs Want
It may sound like we’re splitting hairs, but there is a world of difference between ‘need’ and ‘want’. If you’ve got children, you’ll know what I mean.
“I need the latest iPhone?!” actually means “I want the latest iPhone”.
We expect our kids to justify the need, and so we should be able to justify the need for something like ISO27001 in practical, business terms to business decision-makers.
Don’t get me wrong… I believe in the power of security standards like ISO27001, and we’ll come to the benefits shortly. But wanting to do ISO27001 is not the same as needing to do ISO27001.
The Need – Business Growth
Quite often, the first need comes from outside the organisation in the form of clients and prospective clients.
You are a supplier of services to your clients, and at some point, they may be looking to achieve ISO27001 certification. If this happens, you may be on the receiving end of a ‘Supplier Audit’, where they ask if you are ISO27001 certified or if you intend to become so.
Anecdote: I worked with a company that had been working with one of its biggest clients for over five years. Suddenly, the client contacted them and informed them they could no longer work with them unless they were ISO27001 certified. Why? Because their new Risk Manager had assessed them as a ‘high-risk supplier’.
Of course, when bidding for work with a new supplier, you want to present yourself as a credible and professional organisation, so you show the prospective client all your awards, your best salespeople and testimonials.
But what about the certificates? Those slips of paper tell the client you’ve reached a particular level of skills or expertise that an accreditation body has externally assessed.
If you’re hoping to work with the government, you won’t get past stage one unless you can state that you are ISO27001 certified, or at the very least that you are working towards it (and you will need evidence that you are doing this).
The simple fact is that ISO27001 can be a business differentiator. If your competitors are ISO27001, then you’re already at a disadvantage, so achieving ISO27001 makes good business sense.
To level the playing field, you will NEED ISO27001.
The Need – Business Improvement
Beyond the opportunity to grow your business, ISO27001 may also be needed to harmonise some of the security initiatives you have in place.
It’s a fact that many miss, but ISO27001 is an information security ‘management’ system. It brings order out of chaos (when done correctly). It looks at people, processes and technology and asks you to consider a series of controls and how they apply to your organisation.
It’s risk-based, so you’re expected to make risk decisions and validate them through audits and management reviews.
If used correctly, ISO27001 helps you improve your business by reducing wasted time, effort and money.
The Need – Compliance
Of course, with the rise of Cybercrime and data breaches, many organisations see ISO27001 as the antidote to all their compliance issues, but this is only partially correct.
Yes, ISO27001 can help evidence compliance to legislation like EU GDPR and UK DPA, or regulations like those by the Financial Conduct Authority (FCA), but it is only one mechanism. There are lots of other standards around, such as Cyber Essentials, PCIDSS, NIST, SANS, and CIS that can help demonstrate compliance.
Therefore I would suggest you don’t state that ISO27001 is needed for compliance to these areas – because it’s simply not true.
Nice to have? Yes.
Needed? No.
Any consultant/salespersonmisses telling you differently should be avoided.
Conclusion
As a child I recall how my mother always said to me “I want, never gets”.
I quickly learned that saying “I want…” didn’t reap any results. I had to explain what the ‘need’ was, in terms that made sense to her (I guess you could say she was the first CEO I had to convince! And she taught me well!).
When thinking about ISO27001, ask yourself why you need it. What are the business benefits? Do the benefits justify the cost?
Remember that ISO27001 isn’t a ‘fire and forget’ standard. You need to maintain it and nurture it.
As my CEO/Mom would say “If you really need it, you’ll take care of it, right?“
Give me a call
If this article has given you some ideas around ISO27001 you'd like to explore, or have questions about the standard, please get in touch.