3 myths about ISO 27001 certification

ISO 27001 is the international standard for an ISMS (information security management system), a best-practice approach to security that helps organisations achieve all of their data privacy compliance objectives.

If you are currently weighing up your options for ISO 27001 certification, you might be interested in three of the most common misconceptions about ISO 27001:

  1. It’s complicated and expensive

It may come as a surprise to you, but ISO 27001 implementation is not as complicated or expensive as you might think.

The information security expert and author Brian Honan recently said in a podcast that it really struck him how complicated people seemed to think ISO 27001 was and that many people thought ISO 27001 would “require thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented”.

During the podcast, Brian highlighted that a lot of the technical controls in ISO 27001 can be addressed with the built-in functionality and tools in Microsoft® Windows®. You may not have to buy new systems or security systems to comply with the Standard.

ISO 27001 certification can start from as little as £2,000,1 which isn’t a huge amount when you remember that the average cost of a data breach reached $4 million in 2016.2 The cost of certification does, however, depend on your organisation’s size and the certification body you appoint.

  1. It’s a job for the IT Department

It should go without saying that a large part of ISO 27001 certification will fall to the IT department. However, without proper support from senior management and teams across the organisation, your ISO 27001 project is likely to fail.

Information security not only covers IT measures, but also includes organisational issues, legal issues, human resource management and physical security controls. It’s important that both the IT and business sides of the organisation are fully on board with ISO 27001 and understand key aspects of the security policy.

Ideally, the CEO should be the driving force behind an ISO 27001 project, and certification to the Standard should be laid out in the organisation’s business plan.

  1. It can be implemented in a few months

ISO 27001 is a big project for most organisations, so it is important to remember that achieving certification in only a few months is unlikely.

It takes time to implement ISO 27001 properly. Implementing changes across your organisation is not a task that can happen quickly.

There are tools that can help speed up the ISO 27001 certification process, however.

vsRisk™ allows you to produce stress-free ISO 27001 risk assessments and saves 80% of your time. The information security software tool provides accurate and auditable results, and can produce reliable risk assessments year-on-year.

Time-consuming tasks in your ISO 27001 project can be streamlined with vsRisk. For example, vsRisk produces an audit-ready ISO 27001 Statement of Applicability as you go through your risk assessment, saving you time and money while improving the efficiency of your risk assessment process.

For more information on vsRisk, please book a one-to-one demonstration with one of our support executives >>

1 IT Governance ISO 27001 Certification Costs

2 IBM 2016 Ponemon Cost of Data Breach Study

Leave a Reply

Your email address will not be published. Required fields are marked *