Implementing ISO 27001 – What are the benefits?

In a previous blog, we looked at ‘ISO 27001 – What is it and why should you implement it?’  
In this blog, we want to dig a bit deeper on the benefits that are gained from implementing
the standard and from achieving certification. We could come up with a hypothetical list of benefits, but we thought it more beneficial to share with you some of the experiences of ISO 27001 organisations we have worked with over the last 10 years to achieve certification.

We have produced a number of client case studies focussing on the real-world ISO 27001 experiences (challenges, issues, successes etc) of organisations of all sizes and from a wide variety of industry sectors.

Here, we will be looking at the key recurring benefits actually experienced and have split them broadly into external and internal.

External benefits

When trying to convince top management of the reasons why the business should invest in ISO 27001 any clear relationship between achieving certification and winning new business is going to be well received. A large number of the case study organisations talked about the benefits of getting on to tender lists and being “perceived as a more attractive supplier” and “ISO 27001 has already opened a number of doors “, but others went further, i.e. “we have categorically won business on the back of achieving registration to ISO 27001 and there is an absolute direct.

A common benefit experienced was ISO 27001 acting as a significant market differentiator, particularly in tender situations. Here’s a couple of quotes “Without doubt, ISO 27001 registration is a key differentiator and significantly adds to our status in the marketplace” “Holding an ISO 27001 certificate has been beneficial to our sales team in converting prospective clients, as well as completing.

Having achieved certification to ISO 27001, virtually all of the case study organisations commented on greater levels of trust and reassurance being generated. A typical response from clients was that ISO 27001 certification was the most effective means of demonstrating to their clients and other interested parties, the organisation’s commitment to best practice information security and continuous improvement. “For those potential customers who need tangible evidence of a supplier’s commitment to information security, there is nothing to compare with ISO 27001”.

Internal benefits

What was clear from the case studies was that benefits were not limited to winning new business and obtaining competitive advantage.  Here are the key ones:

All of our case study clients talked about the impact that implementing ISO 27001 had on internal systems and procedures.  Naturally, these varied between organisations depending on the risks identified, but consistent responses included:

• Formalisation and documentation of key working practices
• Improved information security incident management
• Better Information classification
• Strengthening of physical security
• Raising awareness of likelihood and impact of threats

This is a big one with many respondents commenting on how ISO 27001 had led to a discernible shift towards a more open, no-blame culture where information security was truly embedded.  ISO 27001 certification for a number was more “far-reaching than anticipated and touched all areas, including support functions such as HR, IT and Finance”.  Another response was “the creation of an information security forum has already helped team working, improved communication and local accountability”. Others have commented on a heightened awareness culture which has led to “the company now having greater visibility of events, incidents  and emerging trends.”

This is one benefit that doesn’t receive a lot of attention. Obtaining ISO 27001 certification was a source of great pride and achievement to many respondents, particularly some of the SME organisations. It was often seen as a morale booster and provided reassurance to employees that the company was prepared to invest in quality and protecting information, including their own! A sense of pride reflects that this is a standard that touches everyone in the business and by their actions (maintaining a clear desk, reporting incidents classifying information, challenging visitors) they are contributing to that improvement.

A significant operational benefit from achieving certification is the reduction in time and resources needed to complete tenders and pre-qualification questionnaires. A number of respondents observed a reduction in audit preparation time and face-to-face contact time with auditors. The other cost-benefit reported was the identification of specific controls to implement, following the risk assessment, rather than the random and reactive implementation of controls carried out by many organisations.

In certifying to ISO 27001, case study organisations were not only able to identify what controls they need to implement internally but also clarified the security-related expectations of services provided by key suppliers e.g. in terms of information encryption, transmission and back up.

Whilst being difficult to pinpoint exactly, the ultimate benefit of certifying to ISO 27001 reported by case study organisations was in protecting the company’s reputation. Whether it was developing an awareness programme for staff, or improving supplier management, by reducing the likelihood or impact of a risk materialising, all actions undertaken by clients contribute to saving money (including avoiding financial penalties and fines) and safeguarding the client’s brand and status.

So, given the numerous benefits ISO 27001 brings, shouldn’t you start your implementation journey?

A great starting point is to attend our half-day  ISO 27001 seminar in London where URM is combining together with BSI (UK’s No. 1 Certification Body) to provide some real-world insights on pitfalls to avoid and hints and top tips for ensuring a successful ISO 27001 implementation and certification.