Digital Threat Digest Insights Careers Let's talk

Why choose ISO 27001 over other information security frameworks?

PGI's Information Assurance Team share the top reasons why they recommend ISO 27001 to our clients.


ISO 27001 is one of the best known and most recognised internationally agreed set of standards for the specification of information security management systems (ISMS).

With so much information being stored on IT systems and on the cloud, keeping it secure has never been as important as it is right now. Clients trust any organisation they deal with to securely hold their sensitive personal and financial data but the inherent value of this data means that it has become the target of cybercriminals and, occasionally, bad actors within companies themselves.

To prove to clients, suppliers, and regulators that your business is being vigilant and responsible with sensitive and personal data, you can choose to work towards for a number of different accreditations.

While SOC2, Cyber Essentials, NIST CSF, ISF Standard of Good Practice framework, and IASME have very considerable advantages in their favour, ISO 27001 is, in our experience, the best accreditation option currently available for businesses and here’s why:

1. Emphasis on continuous improvement

ISO 27001 requires ongoing evaluation and improvement of a company’s information security management system.

Companies in receipt of an ISO 27001 certification are expected to continually assess, test, review and measure their performance.

As well as committing to external auditing, companies integrate the following ongoing procedures into their general operations:

  • Compliance reviews
  • Human resource engagement and awareness
  • Internal audits
  • Management reviews
  • Nonconformities and corrective actions reviews
  • Objectives monitoring, measurement and evaluation reviews
  • Overall policy reviews
  • Risk assessment and treatment reviews
  • Security incidents, events and weaknesses reviews

These reviews allow organisations to constantly question the efficiency and veracity of their controls and working practices. By doing this, they gain the information needed to fine-tune both, on an ongoing basis against emerging and existent threats.

Companies must submit to ongoing supervisory reviews (referred to as surveillance audits) over a three-year period to ensure continued compliance.

Conversely, SOC2 Type 2 has a similar requirement but over just a six-month timespan and the Type 1 certification only requires that you prove adherence at the time of a particular audit.

2. Regulatory and reputational

Although Cyber Essentials Plus requires technical verification, the standard Cyber Essentials accreditation does not. This is why the Information Commissioner’s Office (ICO) recommends ISO 27001; because it requires initial and ongoing internal and external auditing to ensure compliance.

External auditing to ISO 27001 offers companies a higher level of protection in case of a data breach meaning that any punishment or fine given by the ICO is likely to be significantly less severe.

3. International acceptance

There is just a small difference between the security control protocols set out in ISO 27001 and SOC2.

These differences are important, however. ISO 27001 is focused on developing, maintaining, and managing top-down data protection controls specific to a particular business while SOC 2 only requires adherence to one of its five Security Trust Principals (security, but not privacy, confidentiality, processing integrity or availability).

To be awarded an ISO 27001 accreditation, you must be assessed by a recognised ISO 27001-accredited certification body. For a SOC 2 accreditation, an audit must be carried out by an independent CPA (Certified Public Accountant) who will judge compliance to the standards set out by the American Institute of Certified Public Accountants (AICPA).

If you wish to trade in North America, most organisations will be happy with either certificate (except for healthcare and government departments) however, across the rest of the world and in the UK, ISO 27001 is far more widely accepted.

4. Protection of key information assets

As part of the ISO 27001 certification process, organisations need to assemble and maintain a comprehensive inventory of its information assets.

Included in the inventory should be not only an organisation’s data but:

  • Their intangibles (including reputation, brand, and intellectual property)
  • Their people (including contractors and volunteers), and
  • Information on who ‘owns’ the data (or has responsibility for it).

By having a complete picture of the information assets your organisation has, who is responsible for it, and who needs it to carry out their day-to-day and strategic roles, you know what you have to protect and you can better identify specific threats and vulnerabilities.

In comparison, the purpose of SOC2 is to prove system security levels against a set of defined criteria and principles. While organisations with SOC2 are encouraged to continually monitor and improve, it is not as great a requirement as with ISO 27001.

Working with PGI

As the amount of data we hold increases, so will the regulations to protect these assets. The most effective way to deal with current and future requirements is to take a lead with building a risk-based approach for protecting all your important assets and adopt ISO 27001. In addition, ISO 27001 is much more widely recognised around the world than any of the other accreditations available, making any planned international expansion quicker and more cost-effective.

Contact us to talk about how we can help you achieve ISO 27001 compliance.