ISO 27001 has become the standard of choice for creating an Information Security Management System (ISMS) that is robust enough, yet at the same time flexible enough, to tackle the growing number of potential cyber threats that organisations now face.
The recently introduced EU General Data Protection Regulation (GDPR), which will be enforced from May 2018, will ensure that organisations collecting or processing the personal data of EU residents implement an ISMS that provides security measures to protect personal data from potential breaches.
A survey from IT Governance, which reviewed organisations implementing ISO 27001 across 53 countries, revealed that 98% of those surveyed said the most important benefit of ISO 27001 was improved information security, while 11% said it improved company reputation and a further 8% saw ISO 27001 as a way to be more competitive in their respective markets. The key findings of the report also revealed that for 69% of those surveyed the main factor for implementing ISO 27001 was to improve their organisation's security procedures.
The survey revealed that 36% reported they had no concerns about management buy-in regarding the implementation of ISO 27001. 51% of respondents had problems either convincing the board of the importance of information security or securing the necessary budget and resources to implement ISO 27001.
The biggest challenge respondents faced in implementing ISO 27001, reported by 41%, was obtaining employee buy-in and awareness of the information security standard.
People & Training
Bringing in the right people or upskilling the current workforce to effectively implement ISO 27001 proved to be a big challenge in 2016. 39% found it difficult to bring the right level of competence to managing the implementation process.
54% of respondents use external penetration testing providers, while 51% rely on external consultants to help them implement the ISMS. Only 16% of companies employ a dedicated full-time ISMS manager. IT managers are responsible for the ISMS in 19% of cases, while the CISO is responsible in 18% of cases.
Training in implementing the standard and in assessing your organisation against it proved vital to successful implementation. 51% of individuals managing the ISMS hold a formal qualification (e.g. ISO 27001 Lead Implementation/Lead Auditor).
Cost, Time & ROI
Cost and time management are big factors for any organisation that decides to pursue ISO certification, and ISO 27001 is no different. According to the report, the average time it took an organisation to complete a project was 6-12 months. In relation to cost, the report revealed that many organisations did not track implementation costs, but where costs were tracked the average was between €6000 and €25000. These figures vary based on company size and structure.
52% of companies felt that the cost of achieving ISO 27001 certification was fully justified by the benefits it delivers, while 21% felt it was in line with other management system standard implementations. The report highlights how ISO 27001 becomes a factor in acquiring new business. 71% of respondents said they regularly received requests to provide evidence of ISO 27001 certification when tendering for new business.
Based on these findings it is clear that 2017 will be another huge year for ISO 27001. Organisations now have less than 18 months to have ISO 27001 in place before GDPR comes into effect. Training will be crucial for your implementation team to fully understand how ISO 27001 will adapt to your organisation and how best to integrate it into your management system. The good news is that management are now more aware than ever of the dangers of not implementing an ISMS, so getting the green light is easy. The hard work is actually bringing your fellow colleagues in line with ISO 27001 to make it a success. If you wish to learn more about how you can begin your journey to ISO 27001 and becoming compliant with GDPR, contact our team today.