Why get ISO 27001 certified?

If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management. 

Fantastic!

The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties.

Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls (technological, physical, procedural and others). With appropriate controls in place, incidents grow less frequent and are identified and resolved sooner causing less disruptive and costly consequences. Appropriate security metrics, reviews and audits enable management to direct corporate resources effectively, gaining confidence in the organisation's ability to handle information risks.

Whereas some other information security frameworks and conformity/compliance requirements are narrowly focused on particular types of information (such as personal, financial or medical data, intellectual property) and controls (cybersecurity, assurance or governance), '27001's broader perspective concerns the confidentiality, integrity and availability of all types and forms of information that are relevant to the business. It is not limited to computer systems, networks and digital data, for instance, nor even security controls. Its comprehensive approach to information risk management in the context of the business helps integrate and satisfy numerous requirements with less duplication and fewer coverage gaps.

So, given all that, is there any advantage in also being certified conformant?

Additional benefits of ISO/IEC 27001 certification, above and beyond conformity, include:
  • Lock-in: the information risk and security management improvements already achieved are less likely to stall or decay. Along with the management control processes (such as ISMS change management and internal audits), the surveillance and recertification audits required to maintain certification keep up the pressure. Continual improvement is a bonus, driving the organisation inexorably towards greater security maturity.

  • Increased credibility and improved reputation: the '27001 certificate tells third parties such as customers, owners and other stakeholders that the organisation takes information risk and security seriously, engendering their trust. Joining the global club of certified organisations confirms the organisation's intent, commitment and capability towards information risk, security, privacy etc.

  • Attracts talent: '27001 certification attracts talented candidates to apply for open positions, whether they are already qualified and experienced in '27001 or seeking opportunities for career development. '27001 is widely used and respected in the information risk and security profession, so candidates have a common basis for understanding the organisation's commitment and approach to information risk and security management. Given the shortage of skilled professionals, this may be a valuable supplement to the salary and benefits on offer.

  • Demonstrable conformity and compliance: whereas the organisation may claim to have fulfilled the standard's requirements, certification by a properly accredited certification body substantially increases assurance. It involves an independent conformity assessment by competent professionals. Certification may even be a prerequisite for certain types of business, for example some organisations insist that their suppliers and partners are certified. Certification can reduce the amount of time and effort required to respond to supplier security audits. 

  • Plausible deniability: management being able to demonstrate, convincingly, that they have implemented a widely-accepted standard of good practice, and responded appropriately, is a robust response to claims that they negligently failed to prevent or minimise incidents such as privacy breaches. It may not be sufficient to avoid being held to account, but it may just take the outrage down a notch or two.

  • Competitive advantage: certification positions the organisation as a leader in the field. The certificate is a badge of honour. Furthermore, with its information risks in hand, management can engage more confidently in business that might otherwise be too risky. It is a business enabler, too. 
There is a further, darker reason for '27001 conformant organisations being certified. Management claiming conformity yet declining to be certified hints at their fear of failing, despite any genuine business reasons such as the certification costs or other priorities and certifications. This constitutes an information risk with an obvious treatment: go ahead, get the standard, knuckle-down and get certified!