We explore business motivations & challenges through the ISO 27001 certification
When it comes to keeping information assets secure, the ISO 27001 certification can be considered one of the most popular standards.
Companies with an ISO 27001 certification get a worldwide recognition that their Information Security Management Systems is aligned with information security best practice.
We decided to explore business motivations and challenges when going through the ISO 27001 certification by interviewing IRM’s ISO 27001 guru Adam Charlton.
Adam is one of IRM’s Senior Risk Consultants. He has a wealth of experience in supporting companies to get and maintain the ISO 27001 certification.
Adam, in your view what is the main benefit of ISO 27001 certification for a business?
In my view there is no one main benefit of having ISO27001 certification. There is, in fact, a long list of benefits for both organisations and staff, these include but not limited to:
- Demonstrate that your organisation follows best practices to protect customer and client data.
- Provides the organisation with a competitive advantage when searching for new business
- Improved processes and strategies.
- Aligns with existing or new management systems.
- Avoiding large fines and impact to reputation.
Another interesting point to note, is that, if a business has a UKAS accredited 27001 certificate, this demonstrates that their ISMS has been reviewed by an appropriate assessment body against a standard benchmark, this provides interested parties (shareholders, customers, regulators, etc..) with a higher level of confidence.
In your experience does the need for an ISO27001 stem from customer/supplier pressure?
In most cases. I would say that this is probably the main reason companies opt to embark on an ISO27001 certification. Usually there is pressure being received from third parties
There is typically a contractual requirement or a business requirements from suppliers and customers that essentially dictates whether a business will or will not pursue ISO27001 certification.
There is normally a combined motivation – businesses do believe the certification is good practice and they want to be seen to be doing the right things. But their customers also want them to get it.
Do businesses normally view the ISO 27001 certification as a tick box exercise?
In my view it is in the companies’ best interest to pursue the certification. But I do come across a multitude of organisations where ISMS managers do refer to ISO 27001 as a tick box exercise.
If that is how they want to phrase it this is fine. But what organisations need to bear in mind is that ultimately this is a certification without an end. Continuous assessments and improvement is needed every year, there is also a recertification every three years. Hence if it is described as a tick box exercise it becomes a long box to be ticked. This tick box mind-set means that more work will be involved with the ever continuous ISO 27001 certification process.
The benefits mentioned before will certainly help organisations regardless of the tick box exercise outlook.
How long does the certification take on average?
It depends on the organisation. There are a variety of different factors that can affect the certification timeline, such as internal staff availability, certification scope and technology in place.
The main factors that can disrupt certification timescales are: organisation buy-in, staff availability and the initial certification driver.
For example, if a customer has pressure from a third party or to meet a contractual requirement they will be extremely keen to get certification as soon as possible. On the other hand if a company simply wants to tick a box and attempt certification that is typically an early warning sign that the drivers are not there.
The scope of the certification will also have a huge impact. As organisation’s size, numbers, location, services offered, and technology in scope will dictate the amount of days needed for certification. No two scopes will ever be the same.
Typically I would say the certification process will take anywhere from 6 months to 12 months leading up to stage 1. Any sooner than that and there is a risk the company will be put under pressure to provide more time on the implementation than initially planned. The aim with this is to complete certification without impacting BAU activities and minimising any business disruptions.
In your experience what are the main challenges companies normally face when trying to achieve the ISO 27001 certification?
Main challenges are time and staff availability; investment and executive buy in and also defining scope.
On the first challenge- time and staff availability- ultimately organisations going through the ISO 27001 certification need to continue to operate and perform their normal day to day tasks as well as implementing and maintaining their ISMS. This can be a challenge for most organisations if external help is not sought.
One problem I experience as a Senior Risk Consultant is staff availability. Some organisations do not have a security function. In this case the ISMS Manager’s role can be transferred to a Sales Director, IT Manager or Programme Manager for instance, due to their internal knowledge of the business. It is essential that this individual is trained and time is invested to become competent with the standard and its controls.
In addition however, a far less prevalent issue is organisations striving for perfect security, whilst ISO27001 mandates requirements for how the business must implement and operate their ISMS. The business must understand the term perfection does not exist within the Cyber/Infosec space, promoting continual improvement, assessing and identifying risks, objective planning and reviewing legal compliance is a positive starting point to any business ISO 27001 journey.
As a consultant how do you motivate the different stakeholders to get through the assessment?
The first part of any 27001 implementation is a GAP Analysis, and this is when I will meet with different company team members – head of HR, head of IT,head of Legal, head of Information Security, programme developers, etc.. This is when I have the chance to explain to them what I will be doing, how and why the certification is important to the organisation. So from the start of the project you have met each relevant stakeholder and built that rapport.
Organisations tend to feel more comfortable being supported by a consultant during an assessment. Assessors tend to speak a different language and having a buffer to translate questions can certainly be helpful.
Implementing the ISO process as BAU by embedding practices into day-to-day processes is also a way to motivate all team members involved in this process. This means stakeholders will only need to show what they do on a day to day basis during the assessment.
If you have more ISO 27001 related questions or would like to discuss your certification requirements you can contact our friendly team.
IRM’s Enterprise Risk team has over 20 years’ experience, across numerous industries, supporting them throughout and beyond their ISO Certification process.