Benefits of Implementing ISO 27001

Published on 25 May 2022

What are the Benefits of Implementing ISO 27001?
Previously, we looked at ‘ISO 27001 – What is it?’ Here, we want to dig a bit deeper on the benefits that are gained from implementing the standard and from achieving certification.

We could come up with a hypothetical list of benefits, but we thought it more useful to share some of the experiences of organisations we have helped to achieve ISO 27001 certification over the last 10 years.

We have produced a number of client case studies focussing on the real-world ISO 27001 experiences (challenges, issues, successes etc) of organisations of all sizes and from a wide variety of industry sectors.

Here, we will be looking at the key recurring benefits these organisations actually experienced, split broadly into external benefits (new business, competitive advantage, trust) and internal benefits (working practices, culture, morale, cost and supplier management).

Winning New Business

When trying to convince top management of the reasons why the business should invest in ISO 27001, any clear relationship between achieving certification and winning new business is going to be well received.

A large number of the case study organisations talked about the benefits of getting on to tender lists and being “perceived as a more attractive supplier”, noting that “ISO 27001 has already opened a number of doors”, but others went further, for example: “we have categorically won business on the back of achieving registration to ISO 27001 and there is an absolute direct correlation.”

Gaining Competitive Advantage

A common benefit experienced was ISO 27001 acting as a significant market differentiator, particularly in tender situations.

“Holding an ISO 27001 certificate has been beneficial to our sales team in converting prospective clients, as well as completing tenders.”

Providing Reassurance and Instilling Trust

Having achieved certification to ISO 27001, virtually all of the case study organisations commented on greater levels of trust and reassurance being generated.

A typical response from clients was that ISO 27001 certification was the most effective means of demonstrating to their own clients and other interested parties the organisation’s commitment to best practice information security and continual improvement.

“For those potential customers who need tangible evidence of a supplier’s commitment to information security, there is nothing to compare with ISO 27001.”

Improvement in Security-Related Working Practices

All of our case study clients talked about the impact that implementing ISO 27001 had on internal systems and procedures. Naturally, these varied between organisations depending on the risks identified, but consistent responses included:

  • Formalisation and documentation of key working practices
  • Improved information security incident management
  • Better information classification
  • Strengthening of physical security
  • Raising awareness of the likelihood and impact of threats

Changes in Culture and Awareness

This is a big one, with many respondents commenting on how ISO 27001 had led to a discernible shift towards a more open, no-blame culture in which information security was truly embedded. For a number of respondents, ISO 27001 certification was more “far-reaching than anticipated and touched all areas, including support functions such as HR, IT and Finance”.

Another response was “the creation of an information security forum has already helped team working, improved communication and local accountability”.

Others have commented on a heightened awareness culture which has led to “the company now having greater visibility of events, incidents and emerging trends.”

Improvement in Morale and Sense of Pride

This is one benefit that doesn’t receive a lot of attention. Obtaining ISO 27001 certification was a source of great pride and achievement to many respondents, particularly some of the SME organisations.

It was often seen as a morale booster and provided reassurance to employees that the company was prepared to invest in quality and protecting information, including their own!

That sense of pride reflects the fact that this is a standard that touches everyone in the business: through their everyday actions (maintaining a clear desk, reporting incidents, classifying information, challenging visitors) staff are contributing directly to that improvement.

Cost-Saving and Improved Efficiencies

A significant operational benefit from achieving certification is the reduction in time and resources needed to complete tenders and pre-qualification questionnaires. A number of respondents observed a reduction in audit preparation time and face-to-face contact time with auditors.

The other cost benefit reported was that controls were selected and implemented on the basis of the risk assessment, i.e. targeted at identified risks, rather than through the random and reactive implementation of controls carried out by many organisations.

Supplier Management

In certifying to ISO 27001, case study organisations were not only able to identify which controls they needed to implement internally but also clarified the security-related expectations of services provided by key suppliers, e.g. in terms of information encryption, transmission and backup.

Investment in Protecting Reputation

Whilst difficult to quantify exactly, the ultimate benefit of certifying to ISO 27001 reported by case study organisations was the protection of the company’s reputation.

Whether it was developing an awareness programme for staff or improving supplier management, every action that reduces the likelihood or impact of a risk materialising contributes to saving money (including avoiding financial penalties and fines) and to safeguarding the organisation’s brand and status.

Are you looking to implement ISO 27001? Or certify against the Standard?

URM offers a host of consultancy services to assist you in implementing and maintaining ISO 27001, including gap analyses, risk assessments, policy development, auditing and training.