ISO 27001 delivers direct benefits that improve an organisation’s information security posture, despite the ongoing struggle to convince boards of the importance of information security, and to secure the necessary budget and resources to implement ISO 27001, according to a new report from IT Governance.
Nearly 70% of the respondents said that improved information security is the main driver for implementing the standard, alongside competitive advantage (56%), legal and regulatory compliance (56%), and new business requirements (35%).
More than half of the respondents reported to struggle convincing the board of the importance of information security, or securing the necessary budget and resources to implement ISO 27001.
41% of the respondents faced challenges such as obtaining employee buy-in and raising staff awareness when implementing ISO 27001. The research suggests that ensuring the right level of competence and expertise (39%), understanding the requirements of the standard (31%), and creating and managing the ISMS documentation (31%) are the top concerns teams face when implementing ISO 27001.
“This is always one of the hardest parts of an implementation project and we know from other readily available statistics, one of the most important for maintaining information security. Certainly, this goes back to Board support and their decisions are based on not just ROI but whether they will be able to measure success and improvements. Convince them by demonstrating you have the right tools to achieve that and you have a good chance of building and embedding an information security culture right across the organization,” Julia Heron, Project Manager for ISMS.Online told Help Net Security.
ISO 27001 also plays a critical role in customer and supply chain demands. 71% of respondents reported regular or occasional requests to provide evidence of ISO 27001 certification from clients or when tendering for new business.
The duration of an ISO 27001 certification project depends on the size of the organisation, the scope of the project and the resources available. The report suggests 6-12 months as the median length, according to 51% of the respondents to the survey, followed by 3-6 months (20%) and more than 12 months (20%). The findings also suggest that larger organisations with complex scopes tend to take longer to achieve certification, compared to small companies with fewer staff and that rely on external help.
Although the majority of the respondents who have implemented the standard did not track their total implementation costs, 82% of small businesses with turnover of less than £3.8 million who tracked costs reported an average cost of less than £20,000 to implement an ISO 27001-compliant ISMS.
“The true cost of an ISO 27001 implementation is seldom tracked as it is often difficult to quantify the full extent of internal resources involved in an implementation project. Without drilling down further into the responses we can’t be sure if these have been included in all cases or whether some are reporting on external consultants and training courses only which may, in fact, be bringing the average down. Certainly what is clear is that there is an increasing amount of free resources and support groups to help organisations with the technical aspects of implementation and, with the help of ISO 27001 management software, costs are certainly being driven down. This can only be good thing as it makes implementing a fully integrated ISO 27001 achievable for even the smallest of organizations,” said Heron.
The survey’s findings also show that only 16% of companies employ a full-time ISMS manager. The responsibility for managing the ISMS in most organisations falls to the IT manager (19%), the CISO (18%), the compliance manager/risk manager (15%) or the CIO (6%). The research also reveals that the ISMS manager has a prominent role to play in organisations that are certified or considering certification to ISO 27001, the individual requiring both the technical experience and a wide understanding of all areas of the business.
“With over 70 percent of respondents receiving requests to provide evidence of ISO 27001 certification, we are seeing more and more business leaders making ISMS and integrated processes a priority for their organizations. While only 16 percent have a dedicated ISMS manager, over 50 percent have some person dedicated to managing their ISO compliance. Best of breed companies achieve this top-down support of information security across the organization by implementing not only the processes found in ISO 27001, but also by having the appropriate resources in place. These resources include the right people managing the processes with the right tools, such as a GRC platform dedicated to managing security programs; all focused on achieving the company’s goals,” said Chris Goodwin, CTO at LockPath, a provider of GRC solutions.