
How to get buy-in for ISO 27001


Cyber security: when everything is going well, it’s easy for non-tech and non-risk people to underestimate the value of the services they’re paying for and the controls that have been put in place. That often means that, when there are budget constraints, it’s one of the first places they will trim to keep costs down.

So how do you convince whoever holds the purse strings that ISO 27001 is worth investing in, especially when they are comparing it to cheaper options, even though those options are likely to leave your organisation less secure?

We’ve got four reasons that you can keep in your arsenal:

Comparing apples and oranges

Let’s say they are looking at other frameworks such as Cyber Essentials/+. While they are definitely a good starting point, they are more a basic set of controls with a set of yes/no answers, best suited to small organisations. Cyber Essentials should be a foundational approach or a first step to securing your organisation.

On the other hand, ISO 27001 is a more holistic framework which covers a much broader range of areas, such as risk management, policies, people, and processes, and actively encourages the organisation to continually and proactively improve its management system. It also takes into consideration areas such as privacy, leadership, training and awareness. As a framework it sets out a much more thorough assessment of your organisation’s information security.

We actually wrote a whole blog post comparing the two a while ago; you can read it here.

We hear all too often about the changing landscape of information security without really thinking about what that means. It shouldn’t take a data leak to realise that the information you collect and store should have been handled with more care. It is by putting processes in place and making security part of everyday life for your employees, leadership, and interested parties that you can ensure important information will be protected should the worst happen. ISO 27001 does this incredibly well, as it ensures that everyone within your organisation is involved in the process at some point.

Two birds, one stone

The beauty of implementing ISO 27001 is that to achieve certification, you’re implementing processes and policies that will actually improve your security posture, not just make more work whose outputs only get pulled out once a year for audit purposes. As an example, implementing the ongoing education and training of employees to ensure they are risk aware decreases the likelihood of phishing campaigns being successful or of data being leaked accidentally. This is in addition to implementing adequate technological controls, like Identity and Access Management, that limit what attackers can access should they break through your defences. ISO 27001 will help you frame specific policies, depending on the needs of your organisation, enabling you to have the most effective processes and training possible which, in turn, will keep the risks involved with cyber attacks and non-malicious data breaches to a minimum.

Keeping things running when things go wrong

No one can give you a 100% guarantee that you will never face information security incidents (unless, of course, you’re not connected to the internet or you don’t actually collect and store any data – two unlikely scenarios if you’re reading this). However, ISO 27001 is the impetus to design a recovery plan to minimise impact, both to the data itself and to your organisation through reputational and financial damage. Having a plan in place is vital for operational resilience; should you have a crisis, you will know what to do to get back to business as usual in the quickest time.

Reassuring your clients

Having the ISO 27001 certificate clearly signals to your clients, customers, and stakeholders that you treat their data with the utmost care, and that you are actively involved in keeping that data secure. The framework is designed to provide flexibility in the processes you create, so you can tailor them to fit the specific needs of your organisation, and those of your stakeholders, customers, and clients.

And given the increase in supply chain attacks, this is going to be more and more important. More organisations will be undertaking supplier due diligence and supply chain assessments to ensure they minimise the risk of being either a target or collateral damage. Providing evidence like ISO 27001 highlights your best practices.

Ready to get started with ISO 27001?

Once you’ve succeeded in selling the many benefits of ISO 27001, you may want to speak to an expert who can answer any questions you may have, and help you implement the framework in a way that is tailored to suit your organisation. Our information security experts would be happy to chat about what you need, so get in touch.