ISO27001 is generally regarded as the de facto international best practice standard for an Information Security Management System (ISMS). However, achieving certification against the Standard is by no means an easy process. It takes considerable investment of time and money, but most importantly requires executive management commitment. So why even bother? We looked at some of our current clients to determine their key drivers for embarking on their ISO27001 journey.
Our most recent engagement is with a medical equipment supplier who works closely with a number of NHS and private health providers. The organisation realised that alignment to the Standard would allow it to more readily demonstrate adherence with a variety of compliance requirements, as well as assure patients that it handles their sensitive personal data responsibly.
Another client, an intergovernmental organisation, recognised that its reputation is closely linked to a unique archive of public records and determined that ISO27001 certification was the best way to provide assurance, both internally and externally, that this valuable asset is properly protected.
Finally, we are working with a travel company and a law firm who have both determined that certification would give them competitive advantage and attract more clients, especially from regulated industries and the public sector.
Compliance and provision of client assurance are undoubtedly the most common reasons for pursuing ISO27001 certification amongst service-sector organisations, who are increasingly being asked to demonstrate how they protect their clients’ data. This is especially the case for service providers acting as Data Processors, processing personal data on behalf of Data Controllers, who require assurance that processing is undertaken securely, in accordance with the seventh principle of the Data Protection Act.
Whilst each of our clients has their own reasons for wanting to attain ISO27001 certification, there is one thing that has to be established from the outset and maintained up to, and beyond, certification: commitment from the highest level of management.
Executive support is required to provide overall direction and to allocate the resources needed for the implementation and continued operation of the ISMS. Consequently, it is vital that executives endorse the business case and, therefore, understand that winning new business, simplifying compliance requirements and maintaining their business’ reputation are all good reasons to aim for such high standards!