3 myths about ISO 27001 certification

ISO 27001 is the international standard for an ISMS (information security management system), a best-practice approach to security that helps organisations achieve all of their data privacy compliance objectives.

If you are currently weighing up your options for ISO 27001 certification, you might be interested in three of the most common misconceptions about the Standard.

1. It’s complicated and expensive

It may come as a surprise to you, but ISO 27001 implementation is not as complicated or expensive as you might think.

The information security expert and author Brian Honan said in a podcast that it really struck him how complicated people seemed to think ISO 27001 was.

According to Honan, people were under the impression that certification would “require thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented”.

During the podcast, Brian highlighted that a lot of the technical controls in ISO 27001 can be addressed with the built-in functionality and tools in Microsoft® Windows®. You may not have to buy new IT or security systems to comply with the Standard.

ISO 27001 certification can start from as little as £2,000 [1], which isn’t a huge amount when you remember that the average cost of a data breach reached $4 million in 2016 [2]. The cost of certification does, however, depend on your organisation’s size and the certification body you appoint.

2. It’s a job for the IT department

It should go without saying that a large part of ISO 27001 certification will fall to the IT department. However, without proper support from senior management and teams across the organisation, your ISO 27001 project is likely to fail.

Information security not only covers IT measures, but also includes organisational issues, legal issues, human resource management and physical security controls.

It’s important that both the IT and business sides of the organisation are fully on board with ISO 27001 and understand key aspects of the security policy.

Ideally, the CEO should be the driving force behind an ISO 27001 project, and certification to the Standard should be laid out in the organisation’s business plan.

3. You can certify within a few months

ISO 27001 is a big project for most organisations, so it is important to remember that achieving certification in only a few months is unlikely.

It takes time to implement ISO 27001 properly. Implementing changes across your organisation is not a task that can happen quickly.

There are tools that can help speed up the ISO 27001 certification process, however.

For example, our vsRisk software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.


A version of this blog was originally published on 20 June 2017.