Implementing ISO 27001 – What are the benefits?

In a previous blog, we looked at ‘ISO 27001 – What is it and why should you implement it?’ In this blog, we want to dig a bit deeper into the benefits gained from implementing the standard and from achieving certification. We could come up with a hypothetical list of benefits, but we thought it more useful to share some of the experiences of the ISO 27001 organisations we have worked with over the last 10 years to achieve certification.

We have produced a number of client case studies focussing on the real-world ISO 27001 experiences (challenges, issues, successes etc.) of organisations of all sizes and from a wide variety of industry sectors.

Here, we look at the key recurring benefits actually experienced, split broadly into external and internal benefits.

External benefits

Winning new business


Gaining competitive advantage


Providing reassurance and instilling trust


Internal benefits

What was clear from the case studies was that the benefits were not limited to winning new business and gaining competitive advantage. Here are the key internal ones:

Improvement in security-related working practices

All of our case study clients talked about the impact that implementing ISO 27001 had on internal systems and procedures. Naturally, these varied between organisations depending on the risks identified, but consistent responses included:

• Formalisation and documentation of key working practices
• Improved information security incident management
• Better information classification
• Strengthening of physical security
• Raising awareness of the likelihood and impact of threats

Changes in culture and awareness

This is a big one, with many respondents commenting on how ISO 27001 had led to a discernible shift towards a more open, no-blame culture in which information security was truly embedded. For a number of respondents, ISO 27001 certification was more “far-reaching than anticipated and touched all areas, including support functions such as HR, IT and Finance”. Another response was “the creation of an information security forum has already helped team working, improved communication and local accountability”. Others commented on a heightened awareness culture which has led to “the company now having greater visibility of events, incidents and emerging trends.”

Improvement in morale and sense of pride

This is one benefit that doesn’t receive a lot of attention. Obtaining ISO 27001 certification was a source of great pride and achievement to many respondents, particularly some of the SME organisations. It was often seen as a morale booster and provided reassurance to employees that the company was prepared to invest in quality and in protecting information, including their own! That sense of pride reflects that this is a standard that touches everyone in the business: by their own actions (maintaining a clear desk, reporting incidents, classifying information, challenging visitors) they are contributing to that improvement.

Cost saving and improved efficiencies

A significant operational benefit from achieving certification is the reduction in time and resources needed to complete tenders and pre-qualification questionnaires. A number of respondents also observed a reduction in audit preparation time and in face-to-face contact time with auditors. The other cost benefit reported was the identification of specific controls to implement, following the risk assessment, rather than the random and reactive implementation of controls carried out by many organisations.

Supplier management

In certifying to ISO 27001, case study organisations were not only able to identify what controls they needed to implement internally, but also clarified the security-related expectations of services provided by key suppliers, e.g. in terms of information encryption, transmission and backup.

Investment in protecting reputation

Whilst difficult to pinpoint exactly, the ultimate benefit of certifying to ISO 27001 reported by case study organisations was in protecting the company’s reputation. Whether it was developing an awareness programme for staff or improving supplier management, by reducing the likelihood or impact of a risk materialising, all actions undertaken by clients contribute to saving money (including avoiding financial penalties and fines) and to safeguarding the client’s brand and status.

So, given the numerous benefits ISO 27001 brings, shouldn’t you start your implementation journey?

A great starting point is to attend our half-day ISO 27001 seminar in London, where URM is joining with BSI (the UK’s No. 1 certification body) to provide real-world insights on pitfalls to avoid, together with hints and top tips for ensuring a successful ISO 27001 implementation and certification.