One question that comes up repeatedly in relation to the security standard ISO27001 is, “Who cares about it?”
It’s a great question because of its simplicity, and it gets to the heart of the issue surrounding Security in general. So let's take a closer look at this deceptively simple question.
Clients and Customers
Your clients and customers want to know that you’re looking after their data securely. They may not ask questions about it, or they may ask very detailed questions about it. For example, when you’re shopping on Amazon, you might not ask about their approach to Patch Management because you’ll assume someone else has already asked. You’ll make assumptions about security because you have social proof that they’re secure – Amazon wouldn’t be trusted if it hadn’t invested heavily in security. Right?
But unless you’re Amazon, or someone similar, then the likelihood is that your clients and customers are asking questions about your security – and usually a LOT of questions!
Bids, tenders and contracts will ask questions about the level of security you have put in place or will state precisely what is required.
If you can’t answer questions comprehensively about physical, people, and technical security or produce policies and procedures quickly, will you win the business or retain the customer?
At best, you put yourself at risk of losing that client or customer.
Clients want to trust you – ISO27001 helps evidence that this trust is not misplaced.
The Board
Everyone sitting around your Board table wants to know that nothing will threaten the future of the organisation they’re leading. Knowing that the organisation is secure is vital from the CTO to the CFO and all the other ‘Heads’.
When viewed through the lens of ISO27001, it’s clear to see that:
The CEO wants to protect the brand value – ISO27001 reduces the likelihood of a breach.
The CFO wants to save money – ISO27001 focuses budgets on what is needed.
The CTO wants to keep data flowing – ISO27001 reduces ‘friction’ while keeping IT secure.
The COO wants to be operationally efficient – ISO27001 identifies single points of failure.
The Head of Risk wants to manage risk effectively – risk management is central to ISO27001.
The Head of HR wants to hire and retain the best people – ISO27001 provides structure and ‘certainty’ to our working lives, which increases morale and job security.
The Head of Sales wants to sell more of your products – ISO27001 can be a business differentiator.
The Head of Marketing wants to talk about your services – ISO27001 provides ample opportunity to talk about why you can be trusted.
Every person around the Board table cares about ISO27001, even if they don’t say it every day.
Your team
If you employ more than one person, you’ll know that keeping them engaged and believing in your product or service is vitally important. Perhaps your mission statement talks about how customers come first or that you act with integrity and responsibility.
Just as a child looks to a parent for evidence that they are true to their word, an employee looks to their leaders and co-workers for proof that the mission and values aren’t just empty words.
If ‘Trust’ is in the mission statement or one of the values, but the organisation abuses the trust of its clients by repeatedly having breaches or does not invest in security, then your team member will quickly become disenfranchised.
Having ISO27001 in your business demonstrates that the leadership team cares about security and hasn’t just written a few policies and tossed them out for others to follow(!)
Having ISO27001 shows a commitment and dedication to the care of data, and it's something that the entire business can get behind and believe in. They can be proud of the achievement of attaining and retaining the certificate.
On a more tangible basis, a business that has invested in ISO27001 (and done it well!) is less likely to have an outage or breach. Outages and breaches lead to stress and frustration.
Would you want to work at an organisation that repeatedly had outages or breaches which you were subsequently blamed for? Or where you had to face the wrath of angry customers because breaches and outages affected them?! Your staff would likely hang around for one or two incidents, but as it becomes increasingly apparent that you don’t care about the client or customer, they will leave for someone who does care.
Conclusion
“Who cares about ISO27001?” is a simple question, and I’ve answered it in part here for your consideration. But there are other groups who also care, such as the Government (GDPR and DPA are the law!), regulators, shareholders and the general public.
We (the general public) care about Security and care that our data is being managed and cared for responsibly. ISO27001 provides evidence that your organisation has invested time and money into that protection.
Perhaps, then, the question isn’t “Who cares about ISO27001?” but should be “Who DOESN’T?”
Give me a call
If you'd like to talk to an ISO27001 consultant about building trust with your clients, give me a call today, and we’ll discuss how easy it can be to implement when approached practically and in a structured way.
PS: Why not answer the ‘Who cares’ question yourself? Sit with a piece of paper and a pen and write down all the stakeholders and groups that might have an interest in the topic. Once this is done, write down why they might be interested.