Overcoming the barriers to ISO 27001 adoption for success on G-Cloud


A recent attention-grabbing headline was just too controversial to ignore: “Sloppy SaaS firms lose out on G-Cloud deals, research suggests”. In the article, former EuroCloud secretary general Lindsay Smith stated that the majority of SaaS providers on the UK G-Cloud were failing to win business there because their listings are not up to scratch. His research into Digital Marketplace buying trends suggests three-quarters (77%) of SaaS suppliers recorded zero sales during the 12 months to January 2016.

Whilst the critique appeared harsh, Smith’s points were valid. Amongst them were poor security credentials. His detailed research revealed that there are at least 400 suppliers who cannot hope to make a sale because they do not possess basic security credentials such as ISO 27001.

The fact is that whilst ISO 27001 certification is not a prerequisite to working with the public sector, there is little doubt that a UKAS accredited ISMS is an important differentiator.

What’s holding SaaS SMBs back?

Yes, ISO 27001 is a major undertaking and one often associated with endless paper policies and manuals. And, by their very nature, many SMBs are lean, agile and more technologically innovative than they are bureaucratic.

The size and complexity of an ISO 27001 implementation can be overwhelming, and the prospect of addressing and documenting over 140 separate activities can seem like a huge administrative task on top of the input demanded from senior management.

However, the size and agility of many SMBs make them far more capable of treating an ISO 27001 implementation as a project and embedding it deeply within their organisation in order to gain maximum benefit.

And now, with ISO 27001 management software available, it is a matter of choosing the right solution to complement their modern approach to business: one that provides the tools and frameworks to eliminate the administrative and communication burden, but that also provides decision-support tools for effective ongoing management and improvement of the ISMS far beyond initial implementation.

Cost and ROI

An ISO 27001 implementation is no insignificant investment. Taking into consideration the cost of gaining in-house expertise or buying it in from external consultants, plus audit visits and certification, all on top of the anticipated management resource, a hefty budget can be needed.

That’s why it’s important to adopt solutions and tools to help, ensuring that if consultancy help is indeed needed, the consultants’ time is spent on delivering ISO 27001 expertise rather than on how to administer and manage the ISMS both during and after implementation.

Cost savings can also be made by choosing a cloud solution that accommodates the entire ISMS. That way the first stage audit can be carried out remotely rather than incurring an auditor’s unnecessary travel time and expenses.

Of course, there are firms that will promise to ‘deliver’ an ISMS to minimise disruption to business and eliminate the need for in-house expertise. Some will even guarantee UKAS certification. However, the costs are high and, without an organisation’s active involvement, understanding and ownership, there is a danger this becomes a ‘manual’ to be dusted off prior to each annual audit.

If merely putting a tick in the box is the aim then this could suit, but it comes with warnings of pre-audit panics and recurring consultancy fees to stay on track and to administer ongoing training as natural staff churn occurs.

The opposing approach would be a successful implementation process that will bring focus, clarity and structure to securing the organisation’s valuable information assets. One where a budget would be better spent on tools to simplify and speed up the implementation. This approach frees up critical management resource to concentrate on adopting policies and controls that work for the organisation’s own unique set of risk criteria and methods of working.

Finally, to that important ROI question. There is no shortage of statistics on the potential cost of breaches, including damage to brand and reputation, and possible future fines for EU GDPR non-compliance. Add in the possibility of winning new business through G-Cloud and the private sector and you have a compelling argument for implementing a cost-effective and well-managed ISMS for ISO 27001 certification.

Why there is no time like the present

  • If you are on G-Cloud, presumably you want to do business with government. More and more firms are recognising they’ll stand a far better chance with ISO 27001. But keep in mind that a UKAS accredited ISO 27001:2013 certification is the only one they will recognise, so, whilst UKAS accredited certification is arguably more rigorous and expensive, choosing a non-UKAS accredited certification could be a false economy. Because it is the only independently audited ISMS certification, it demonstrates the competence, impartiality and performance capability of certification bodies. This reduces the need to be assessed by customers and supply chain partners and will differentiate you amongst knowledgeable buyers and procurement departments.
  • The sooner you start, the less painful it will be. New start-up companies may be tempted to leave it until they are more established but, addressed early, it will act as the basis from which to build an effective information security management system and embed it deep in their culture so that they are well equipped for successful growth.
  • In an ever-expanding threat landscape, adopting information security best practice standards will minimise the exposure to risk and ensure a clear strategy for handling incidents whilst maintaining a process for continual improvement. If nothing else, the TalkTalk breach that lost them 100,000 customers and approx £40m in costs has taught us that customers vote with their feet and are pretty unforgiving of those that get it wrong.
  • EU GDPR: by May 2018 all organisations engaging with EU citizens must be compliant. Implementing ISO 27001 now, with EU GDPR requirements clearly in mind, gives you the opportunity to build an ISMS with which you can demonstrate compliance to both.
  • It’s now easier and more cost-effective than ever before, with the proper ISO 27001 management software, to get the job done quickly and efficiently.
  • It can be done. We know because we did it, and we’re mighty glad we did!