As part of a series of frequently asked questions, we look at the classic – “is ISO 27001 certification worth it?” To answer this question, an organisation needs to determine whether the cost and effort required to obtain (and maintain) ISO 27001 certification outweigh the risks and potential costs of not doing it.
Let’s explore this further by looking at three reasons why an organisation may decide to obtain ISO 27001 certification.
1. Contractual Requirements
This is often the primary reason an organisation decides to obtain ISO 27001 certification. The driver may originate from a tender for a new multi-million pound contract that requires the organisation to be ISO 27001 certified in order to bid. In this instance, the organisation may conduct a cost/benefit exercise, weighing the cost of achieving ISO 27001 certification against the value of winning that particular contract. In reality, the organisation will usually know that this is likely to be a common requirement in its field, and that certification is therefore needed in order to compete for contracts at all.
If this sounds familiar, then the answer to “is ISO 27001 certification worth it?” is a firm yes. This requirement is unlikely to go away: with the number of highly publicised data breaches in the news, organisations are looking for more assurance from their service providers and business partners. Alternatively, if your organisation does not have, and is not likely to have, customer requirements for information security best practice, then it may not be worth the cost to implement.
2. Market Differentiation
Point 1 above describes a reactive approach to obtaining ISO 27001, in that a defined requirement for ISO 27001 certification has come from a customer. Some organisations may choose to gain certification without a defined requirement, rather than in response to a contract. This enables the organisation to stand out in the marketplace as ISO 27001 certified, which is a market differentiator for many businesses.
The issue with committing to ISO 27001 certification without a defined customer requirement is demonstrating return on investment to the board. Most businesses do not have the capital to implement certifications unnecessarily, so if certification is not needed to win contracts it likely falls to the bottom of the pile.
If this is the case, it may be worth aligning with ISO 27001 rather than certifying against it, thus demonstrating to clients that you can handle their data securely, but at a lower cost than certification.
Demonstrating return on investment to the board can be difficult unless there is a defined contractual requirement
3. Improved Security and Reduced Compliance Fines
The final point, and unfortunately often the lowest-ranked of the drivers for ISO 27001, is simply to improve security and reduce the likelihood of having to pay fines for non-compliance with legal or regulatory requirements. With the upcoming introduction of GDPR, which can lead to fines of up to 7% of global turnover, organisations are wary of non-compliance and what it may mean financially and reputationally for the business.
Using ISO 27001 as a framework, organisations can implement industry best practice security controls and reduce their overall risk profile. But as point 2 describes, unless this return on investment can be communicated to and understood by the board, gaining sign-off may be difficult. In this instance an organisation may wish to align with ISO 27001 rather than gaining certification.
Conclusion
There are numerous drivers for ISO 27001 certification, whether as a result of a contractual requirement, adopting industry best practice or acting as a market differentiator. In each case, the organisation must assess the cost of committing to ISO 27001 versus the cost of not doing so.
If certification is pursued as a direct result of a contractual requirement, and the contract would be lost were it not achieved, then it is relatively simple to perform a quantitative analysis of its benefits. If there is no direct requirement, then demonstrating return on investment to the board can be problematic. In this case, it is worth remembering the costs that data breaches can incur in monetary fines and reputational damage. You only need to turn on the TV to see how these types of incidents have affected other organisations!
Please see our other posts on how ISO 27001 and GDPR can work together, “how much does ISO 27001 cost?” and “how long does ISO 27001 take?”