ISO 27001 – Not (Quite) As Dull As Expected

We are about to receive our ISO 27001 certification (ISO 27001 is the international standard for an Information Security Management System, or ISMS). Like, I suspect, most companies that seek certification, our reasons were initially around marketing and satisfying clients’ procurement requirements. However, as we have moved through the process, I have realised that we will gain some tangible benefits that will make us a better company.

As an information business, there is nothing more important to us than our clients’ data. We have therefore always done everything that we can to secure that data and to deal with it in a way that will keep it secure. With that in mind, I had my doubts about what would be added by gaining a piece of paper with an ISO number on it.

A large part of the ISO 27001 process involves considering everything from physical security of offices to the risks around employees leaving the business and ensuring that appropriate controls are in place to minimise and mitigate information security risks. So far, so dull.

What I didn’t realise is that ISO 27001 certification is not just about trying to find security weaknesses to fix; it is about putting systems in place that will prevent security weaknesses from occurring in the first place. This stuff is never going to be truly exciting, but it is important, and ISO 27001 provides a good framework for getting it right.

As a consequence of the certification process, we have sharpened up our Business Continuity Plan, documented a lot of security information that was in people’s heads and established the ongoing processes that will keep everything up to date. We are now in a position where we are not only confident that we are secure but we know what we need to do in order to stay secure.

I now see ISO 27001 as an important indicator that security is at the heart of a business, built into the way that it operates. Having certification is not a guarantee that nothing can go wrong, but it does mean that a supplier has the right plans and procedures in place to keep information secure. Crucially, it also means that those plans and procedures are reviewed regularly so that they don’t become stale.