ISO/IEC 27001 sets out the requirements for implementing information security management systems (ISMS) on a global scale. This certification was established in 2013 to help maintain and improve the information security infrastructure many organisations around the world have in place.
It is all about managing the threats a business could face and making sure that information is secure. As legislation becomes tighter and organisations come under greater scrutiny over data protection, this is not something you want to skip. Despite all of this, there are still some companies today who have not implemented an ISMS – and therefore have not become ISO 27001 certified.
Our team of experts here at Hicomply look at some of the myths around ISO 27001 and explain why it is not as daunting as it may seem.
1. It’s too expensive for my business
Something that we hear every day is that having an ISMS in place is too expensive. However, all our clients have been pleasantly surprised by its affordability and have seen a greater return on their investment across many areas. In a world where data is the most valuable resource, protecting it does come at a price, but it is not as much as you think, especially when you consider that organisations spent around £2.9 million recovering from data incidents in 2020 alone.
The cost of actual ISO 27001 certification does depend on your organisation's size, but it offers something invaluable. With Hicomply, our out-of-the-box ISMS implementation starts at £3000, rising to £9000 when the external auditor costs needed to achieve ISO/IEC 27001 certification are included. Most importantly, as soon as you log in you have a fully functioning ISMS preparing your business for audit.
Not only does having ISO 27001 certification in place prove to your customers that you take information security seriously, it also gives you an advantage over your competitors and ensures you are compliant.
2. It’s too time-consuming and a big change for my company
With a digital ISMS solution, you will reduce internal senior management and external consultancy time, and have a clear overview of your ISMS set-up.
Having the right processes will help bring your information security policies and procedures to life, meaning ISO 27001 certification can be achieved in as little as 4-6 months, which is ½ the time it can otherwise take. While you prepare for audit, being able to say you are working towards ISO 27001 is a very strong statement to customers, helping you win business in the meantime.
3. We are too small a company
It is much easier and much cheaper to implement ISO 27001 when you are small and lean, and adapt it as you grow, than to wait until you reach a specific size.
If you want to grow your business quickly, look like a serious contender and compete with those bigger players, this is the best place to start. More and more enterprise-level customers are asking for ISO 27001 certification from all their suppliers. Can you afford not to compete for their business?
We regularly see businesses with 10 or fewer employees implement ISO 27001 for the advantages it brings. You can read more about the commercial impact of implementing ISO 27001.
4. I must make sure my processes are perfect first
One of the first steps in implementing ISO 27001 is to identify where you are now and what steps are needed to achieve ISO 27001 compliant processes and policies. Don't waste time guessing or making small improvements that won't have any impact. There is no time like the present when it comes to implementing an ISMS and becoming ISO 27001 certified. The certification itself is all about showing that you have the right processes in place to manage security risks when they occur within your business.
Data protection is not something that can be delayed, and you should be taking every step possible to show that you are doing everything you can to manage it. Identify what your risks are and be upfront about how you handle them.
Every organisation that handles customer data should be implementing an ISMS. Data is too valuable, and its loss or theft is too damaging to your organisation.