Already established as international best practice, the information security management standard ISO 27001 has become an effective weapon in the fight against cyber crime. It is therefore unsurprising that 96% of respondents to a new survey say that ISO 27001 plays an important role in improving their company’s cyber security defenses.
Nearly 70% of respondents say that improving information security was the biggest driver for implementing ISO 27001, followed by the requirement “to align with information security best practice” (62%) and “gaining a competitive advantage” (57%). Improved information security is also seen as the single most important benefit of ISO 27001 implementation (51%).
The critical role ISO 27001 plays in customer and supply chain assurance has also been highlighted by the report. Two-thirds (66%) of organizations have been asked by their clients about their ISO 27001 status in the past 12 months. More than half of those reveal that ISO 27001 is a regular requirement for contracts and tendering for new business, while the others state that they have been asked occasionally.
Alan Calder, executive chairman of IT Governance, says: “Considering that ISO 27001 is now a regular tender and contract requirement, it is unsurprising that certification to the Standard is popular, as our survey has revealed. An ISO 27001 certificate is a simple and credible way of demonstrating to clients and stakeholders that an organization has implemented best-practice information security processes and can be trusted.”
According to the report, 40% of organizations have achieved ISO 27001 certification and 44% are working towards achieving certification. Only 16% are not planning to certify their information security management system (ISMS). 68% of respondents would characterize achieving certification to ISO 27001 as “an investment that is fully justified by the benefits.”
CEOs are broadly supportive of ISO 27001 implementation, which suggests the Standard is gaining traction not only with practitioners but also with C-level executives: 38% of respondents report no difficulty securing their CEO's buy-in, although 20% say that convincing the board that information security is a critical business issue was their biggest challenge.
ISO 27001 sets out the requirements for the establishment, implementation, management and continual improvement of an ISMS. Its value to any business lies in the fact that it is, first, a management standard and, second, that it looks at information security from a holistic point of view by taking into account people, processes and technology.
Calder says: “The evidence that more than one-third of the boards support ISO 27001 implementation suggests growing awareness of the benefits of the Standard. However, this positive result is overshadowed by the fact that 23% of respondents admit that securing sufficient budget for their ISO 27001 project remains their biggest challenge, and a further 13% struggled to secure permission to employ sufficient human resources to deliver the project.
“A top-down approach to ISO 27001 implementation is fundamental to the success of the project and the effectiveness of the ISMS. Information security is expensive, but so is information insecurity. Boards must ensure they allocate the appropriate budget and resources to be able to truly protect their organization using ISO 27001.”
Raising staff awareness (45%) and ensuring they have the right level of competence (44%) are the two biggest challenges for businesses when implementing ISO 27001.
There may be a correlation between the lack of adequate expertise and the fact that only 23% of organizations employ a dedicated, full-time ISMS manager. The rest delegate this activity to their IT manager (22%), CISO (14%), compliance manager (10%), CIO (8%) or other roles within the organization.
Calder says, “Our research suggests that more than two-thirds of organizations are stretching their internal resources by expecting their ISMS to be managed by someone in addition to their core duties.”
Worryingly, 44% of respondents admit that the person managing their ISMS doesn’t have a formal ISO 27001 ISMS qualification. Despite this lack of relevant training, 28% are not planning to train their ISMS manager, while 35% do not have control over that decision. Only 37% are planning to train their existing ISMS managers.
Calder adds, “The lack of relevant skills can affect the effectiveness and performance of the ISMS. Given the current shortage of cyber security skills, it is essential that businesses support professional staff in acquiring the necessary qualifications.”
Asked whether they used external consultants to help them prepare for certification, 40% of respondents answered “yes”. The absence of a full-time ISMS manager, together with the shortage of formal training for those tasked with ISMS management, may contribute to this.