Myths & Legends Buster - ISO 27001
We spend a lot of time researching and listening to our clients and to so-called 'experts' in the field of ISO Standards, and we thought, or rather hoped, that we could clarify a few things and help dispel many common misconceptions associated with the ISO Standards.
"ISO 27001 will require thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented."
The Standard is not as complicated as you might think, and you may not have to buy new security systems to comply with it: a lot of the technical controls in ISO 27001 can be addressed with the inbuilt functionality and tools in Microsoft Windows.
"It's a job for the IT department."
Although a large proportion of ISO 27001 certification will be the responsibility of your organisation’s IT department, the project is likely to fail without proper support from senior management and teams across your organisation.
In addition to IT measures, information security covers organisational and legal issues, human resource management and physical security controls. It’s important that both the IT and business sides of your organisation understand the key aspects of ISO 27001 and are fully on board with certification.
The CEO should be the driving force behind your ISO 27001 project, and certification to the Standard should be laid out in your organisation’s business plan.
"Large organisations can implement ISO 27001 in a few months."
ISO 27001 is a big project for most organisations, and achieving certification in only a few months is unlikely for larger organisations. Implementation takes time and can involve making major changes across your organisation.
"The standard requires passwords to be changed every 3 months." "The standard requires that multiple suppliers must exist." "The standard requires the disaster recovery site to be at least 50 km distant from the main site."
The standard doesn't say anything like that. Unfortunately, we hear this kind of false information rather often – people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organisations. And the people who claim this is prescribed by the standard have probably never read the standard.
"This standard is all about documentation."
Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is there to help you do it. Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.
"The only benefit of the standard is for marketing purposes."
"We are doing this only to get the certificate, aren't we?" Well, this is (unfortunately) the way 80 percent of the companies think. I'm not trying to argue here that ISO 27001 shouldn't be used for promotional and sales purposes, but you can also achieve many other benefits.
Four key benefits of ISO 27001 are:
1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest "return on investment" – if an organisation must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organisation), then ISO 27001 can bring in the methodology which enables you to do it in the most efficient way.
2. Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could indeed be a unique selling point, especially if you handle clients' sensitive information.
3. Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.
4. Putting your business in order
This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like: who has to decide what, who is responsible for certain information assets, who has to authorise access to information systems, etc.
ISO 27001 is particularly good at sorting these things out – it will force you to define very precisely both the responsibilities and the duties, and therefore strengthen your internal organisation.