It's not exactly the start of the year, but having recovered from Christmas, many businesses are now considering ISO 27001 in 2019.
...and they should!
With the rapid and sustained rise in cyber crime in recent years, now the UK's most common type of crime, improving information security, and being able to demonstrate it, has never been more important for businesses.
In case you're undecided, here are our 3 argument winners for doing ISO 27001 in 2019:
The introduction of the GDPR in May 2018 has raised the profile of Information Security significantly. Most businesses have now been asked for, or are asking for, some reassurance from suppliers and/or Data Processors around their information security posture.
Anyone who has had to respond to enquiries about how they manage data securely will testify that demonstrating how you protect your data is tricky.
That's where standards come in handy. Many tenders and supplier agreements will provide a check-box for various standards that demonstrate relevant data protection efforts, and usually at the top of that list is ISO 27001.
Whilst the standard is not aimed directly at solving the GDPR, a lot of the work required to achieve the standard lends itself to supporting GDPR compliance.
2. Risk reduction
ISO 27001 is all about managing risk and continual improvement. In a time where the "bad actors" are constantly pushing and discovering new ways to abuse, manipulate and steal from honest businesses and individuals, failing to address that risk is, well, risky.
You can never account for what doesn't happen, but with the average cost of a cyber security incident rising by more than 25% year on year, avoiding the incident in the first place is increasingly appealing.
ISO 27001 makes you identify risk, plan for how to reduce that risk, and ensures that you follow through on your plans. The evolving nature of business and technology means that new risks are constantly being created, and the standard's continual improvement approach makes sure that you keep adopting new risk mitigation to cope.
3. Requirements for tender
There's been a sharp rise in information security requirements within tenders. Fuelled by the GDPR and cyber crime statistics, the requirements are increasingly onerous on the applicants.
Completing the information security section of tender documents tends to work a little like this:
Tick here to say you have ISO 27001, or fill in the next 14 pages telling us how you meet all of the ISO 27001 requirements.
Somewhat of an oversimplification, but not too distant from the truth! Ticking the box is a really nice way to go.
Are there other options?
Sort of, yes. The requirements of ISO 27001 are fairly heavy, particularly for a small business. We think the sweet spot for introducing ISO 27001 to a business is 30-100 staff, and a turnover > £1m.
For smaller businesses who want some kind of benchmark on cyber security, Cyber Essentials is the way to go. The UK Government introduced the Cyber Essentials scheme back in 2014. The intention was twofold:
- To help business protect themselves from cyber threats; and
- To provide a benchmark for measuring cyber security efforts.
Within the industry, there is a love-hate relationship with the scheme. On the one hand, it is practical, and will improve the security of companies who haven't looked at cyber security before. On the other hand, it doesn't take into account risk. That means that whilst you might do a bunch of stuff, you could still be horribly exposed somewhere that Cyber Essentials doesn't cover.
On the plus side, a lot of insurance companies now recognise Cyber Essentials, and will offer discounts on premiums, excess waivers, etc. on cyber policies where you can prove you hold the Cyber Essentials badge.
If you are wondering whether you should do ISO 27001 this year, the answer is yes, yes you should. BUT, don't take this lightly. You will probably be looking at 9-12 months of work to meet all of the requirements.
Thanks for reading - if you found this helpful, please consider sharing it!
If you'd like help with your ISO 27001 project, please give us a call on: 01530 637 833
We look forward to speaking with you soon!