
Does a small business need ISO27001?

Updated: May 14

Running a small business is not easy, so when people ask me if a small business needs ISO27001, I reply, “No… But…”

ISO27001 is not mandatory, so the simple answer is ‘no, small businesses do not need ISO27001’. But having it could be a game changer for a number of reasons.

Let’s look at the pros and cons of implementing an information security management system (ISMS) and why I think ISO27001 is for everyone, no matter how big you are.


The Pros of ISO27001

As a small business you have many hats: you are the finance director, head of operations, sales AND marketing, and IT too! On top of this you need to comply with the law (obviously). This means you need to think about Data Protection, and in particular you need to think about the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

You also need to think about keeping all that precious data secure. Your customer records, your financial data, and orders need to be protected.

Clients love it

Having ISO27001 in place helps you to structure your thinking around data security, which is not only useful for demonstrating compliance with data protection laws, but is also a great indicator to your clients that you take security seriously.

Having invested in ISO27001 means that you can easily demonstrate that you are a trusted partner, which builds customer confidence in you.

Good for business growth

If you want to grow your business then you know you need to differentiate your business from your competitors, and building trust with your clients is a great way to do this.  As you try and win bigger contracts, and collect those ‘big logos’ as customers, you’ll find that they ask more and more questions about your security. 

Supplier Questionnaires will become increasingly difficult to answer if you haven’t thought about data protection and security.  ISO27001 structures your thinking in this area and allows you to either point to your official ISO27001 certificate, or explain what you do more clearly.

Improved efficiency

As a small business you may find that your business grows up around you. This means that inefficiencies will creep into your business, and this may lead you to be a little less productive than you could be.  ISO27001 requires that you look at how you process data, and therefore think about who uses it, how and why. Through this process you may find better ways to run your business and therefore save time and money in the process.

Reduce losses

With improved efficiency, you may also see areas that could result in errors or data breaches, so ISO27001 could actually save you money (and your reputation). ISO27001 is focused on Confidentiality, Integrity and Availability, and you should consider the risks to your business based on these areas. What could go wrong and result in a negative impact on you?

Ultimately ISO27001 is about ‘security’, which means that you’re trying to secure the information that has been entrusted to you.  ISO27001 gives you confidence that you’re less likely to suffer the negative effects of a data breach or cyber attack.

If you are unlucky enough to suffer a breach, you’ll be better prepared to respond to the event because ISO27001 requires that you have developed an incident response plan (A5.24 Information security incident management planning and preparation).

Your clients will be happier in the knowledge that should the worst happen, you’ll notify them in a timely fashion, thereby building further trust.


The cons of ISO27001 compliance

Before you get too excited about the idea of implementing ISO27001, let’s discuss some of the downsides.

Firstly, there is a cost and that cost is both in financial terms and time.  If you are going for formal certification to ISO27001 the financial costs are not inconsiderable because you need to assign a certification body (CB) that is part of UKAS.  Don’t waste your money (or time) with a CB that isn’t UKAS accredited.

For a small business you are looking at around a £4,000 cost, and that is just for the external audits you’ll need to complete.

The other cost you need to think about is your time. You have work to do, even if you bring in Consultants Like Us. The ISMS needs to reflect you. It needs to reflect truth, so we’re going to spend time with you going over everything, and then once we develop all the mandatory documents (policies and procedures), you’ll need to review them and sign them off.  They are yours, and ultimately you are accountable for security.

Of course if you don’t use Consultants Like Us, then it will take even more time for you to create the framework, the policies and procedures and all the evidence needed to demonstrate compliance.

The question you have to ask is: do I want to do it myself, or should I get expert help?

Want to get started?

Before answering this question, let’s return to the original question – Does a small business need ISO27001?

The answer is “No because it’s not mandatory”. You don’t need to be certified to the standard, but we would recommend that every business look at ISO27001 carefully and, at the very least, align to it.

But where do you start? I would suggest if you’re a small business, do away with the first part of ISO27001 (Clauses 4 to 10), and focus on the Annex A controls at the back. This may sound controversial but we’ve been where you are, and a lot of what is in the ISMS needs careful unpacking to understand what’s needed and how to implement it. But Annex A is a little more directional, as it sets out very clear expectations on you.

In the Annex A controls you’ll find 93 controls which need to be considered for your organisation.  This might sound onerous, but note the word considered. You don’t have to apply them all.  What is applicable to you? What is of relevance?

ISO27001 is like a recipe for good security. It gives you a list of items that you should consider, but it’s up to you if you use them or not.

Once you are comfortable with the controls, return to the first part of the standard and work your way through it. 

When you are happy with the approach you’re taking to the ISMS you can continue in that way until you feel you are ready (or required) to go for formal certification.

If you’re already at that stage, then get in touch and we will help you all we can. 

Alternatively you can buy our book, The Real Easy Guide to ISO27001, which should help. If you have more questions, our FAQ page might help, so check that out too.
