What are the Benefits of Implementing ISO 27001?
Previously, we looked at ‘ISO 27001 – What is it?’ Here, we want to dig a bit deeper on the benefits that are gained from implementing the standard and from achieving certification.
We could come up with a hypothetical list of benefits, but we thought it more beneficial to share with you some of the experiences of ISO 27001 organisations we have worked with over the last 10 years to achieve certification.
We have produced a number of client case studies focussing on the real-world ISO 27001 experiences (challenges, issues, successes etc) of organisations of all sizes and from a wide variety of industry sectors.
Here, we will be looking at the key recurring benefits actually experienced and have split them broadly into external and internal.
Winning New Business
When trying to convince top management of the reasons why the business should invest in ISO 27001 any clear relationship between achieving certification and winning new business is going to be well received.
A large number of the case study organisations talked about the benefits of getting on to tender lists and being “perceived as a more attractive supplier” and “ISO 27001 has already opened a number of doors “, but others went further, i.e. “we have categorically won business on the back of achieving registration to ISO 27001 and there is an absolute direct correlation.
Gaining Competitive Advantage
A common benefit experienced was ISO 27001 acting as a significant market differentiator, particularly in tender situations.
“Holding an ISO 27001 certificate has been beneficial to our sales team in converting prospective clients, as well as completing tenders.”
Providing Reassurance and Instilling Trust
Having achieved certification to ISO 27001, virtually all of the case study organisations commented on greater levels of trust and reassurance being generated.
A typical response from clients was that ISO 27001 certification was the most effective means of demonstrating to their clients and other interested parties, the organisation’s commitment to best practice information security and continuous improvement.
“For those potential customers who need tangible evidence of a supplier’s commitment to information security, there is nothing to compare with ISO 27001”.
Improvement in Security-Related Working Practices
All of our case study clients talked about the impact that implementing ISO 27001 had on internal systems and procedures. Naturally, these varied between organisations depending on the risks identified, but consistent responses included:
- Formalisation and documentation of key working practices
- Improved information security incident management
- Better Information classification
- Strengthening of physical security
- Raising awareness of likelihood and impact of threats
Changes in Culture and Awareness
This is a big one with many respondents commenting on how ISO 27001 had led to a discernible shift towards a more open, no-blame culture where information security was truly embedded. ISO 27001 certification for a number was more “far-reaching than anticipated and touched all areas, including support functions such as HR, IT and Finance”.
Another response was “the creation of an information security forum has already helped team working, improved communication and local accountability”.
Others have commented on a heightened awareness culture which has led to “the company now having greater visibility of events, incidents and emerging trends.”
Improvement in Morale and Sense of Pride
This is one benefit that doesn’t receive a lot of attention. Obtaining ISO 27001 certification was a source of great pride and achievement to many respondents, particularly some of the SME organisations.
It was often seen as a morale booster and provided reassurance to employees that the company was prepared to invest in quality and protecting information, including their own!
A sense of pride reflects that this is a standard that touches everyone in the business and by their actions (maintaining a clear desk, reporting incidents classifying information, challenging visitors) they are contributing to that improvement.
Cost-Saving and Improved Efficiencies
A significant operational benefit from achieving certification is the reduction in time and resources needed to complete tenders and pre-qualification questionnaires. A number of respondents observed a reduction in audit preparation time and face-to-face contact time with auditors.
The other cost-benefit reported was the identification of specific controls to implement, following the risk assessment, rather than the random and reactive implementation of controls carried out by many organisations.
In certifying to ISO 27001, case study organisations were not only able to identify what controls they need to implement internally but also clarified the security-related expectations of services provided by key suppliers e.g. in terms of information encryption, transmission and back up.
Investment in Protecting Reputation
Whilst being difficult to pinpoint exactly, the ultimate benefit of certifying to ISO 27001 reported by case study organisations was in protecting the company’s reputation.
Whether it was developing an awareness programme for staff, or improving supplier management, by reducing the likelihood or impact of a risk materialising, all actions contribute to saving money (including avoiding financial penalties and fines) and safeguarding the organisation’s brand and status.
"Without doubt, ISO 27001 registration is a key differentiator and significantly adds to our status in the marketplace"
A key role of risk management is helping organisations decide how limited resources can be most effectively used to address the most pressing business issues, e.g. threats to information security.