ISO 27001:2013 is a class apart among well-known regulations and standards related to information security. Companies are increasingly adopting ISO 27001:2013 in their overall security programs. After certification, they can demonstrate to their prospective clients that they have implemented reasonable security practices. In many government contracts, this standard is an entry-level requirement.
Compliance with this standard shows that you have identified risks and put in place sufficient measures to minimize the impact of those risks. Other benefits include reduced costs, consistent security practices and procedures, and compliance with legal, regulatory, and contractual requirements. While working with our clients across various industries to design effective security programs, we have often come across myths that have no basis in practice. To debunk these myths, our Compliance Advisory team has prepared this list to support your decision-making process.
LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates such as GDPR, CCPA, PIPEDA, FFIEC, NYDFS, HIPAA, HITRUST, PCI DSS, and SOX.
MYTH: ISO 27001 Compliance is Expensive
You will often come across statements that compliance with ISO 27001 is expensive. However, such statements are rarely accompanied by any comparative information. IBM’s Cost of a Data Breach Report highlights that the average cost of a data breach is $3.86 million. For small and medium organizations, it is reasonable to presume that the average cost would be more than $100k. Further, a data breach also brings disruption to business operations, lost sales and market reputation, compensation, and regulatory fines. In the context of these numbers, having a mature security program that fulfills ISO 27001 requirements is certainly not expensive.
MYTH: It is Time-Consuming
Irrespective of the size of your organization, there is a good chance that you are already meeting many ISO 27001 requirements. Implementing this standard in your organization will formalize your existing information security practices. This will help you embrace a consistent approach towards your security operations. Initially, it is going to require time and effort. However, as it becomes a part of your organizational culture, continual improvement will become a habit. You can also enlist the help of compliance advisors from vendors like LIFARS. Our proprietary systematic process has been refined over a span of 20 years and has been applied to some of the most high-profile engagements across the globe.
MYTH: ISO 27001 is the Sole Responsibility of the CTO/IT Director/CISO
Depending on the size of your organization, it will be the responsibility of the CTO/IT Director/CISO to ensure your organization’s compliance with this global standard. However, without top management’s support, ISO 27001 implementation will be toothless. Further, every individual must have a sense of their security responsibilities, as information security is a shared responsibility. All the teams and departments of an organization need to come together to ensure that information security is cohesively integrated into their daily practices.
MYTH: For Smaller and Medium-Sized Organizations, ISO 27001 Complicates Security Processes
This is a common notion that we regularly come across in our client engagements. After looking at the 114 controls in Annex A of ISO 27001:2013, many small and medium enterprises (SMEs) are under the impression that ISO 27001 will complicate their existing processes and decrease their agility. This belief is incorrect, as organizations of all sizes can adopt ISO 27001. The standard lays down requirements that are general in nature, and organizations have the flexibility to decide on the exact nature of their security measures. However, organizations looking to implement ISO 27001 must exercise due caution in interpreting the standard and the applicable controls.
MYTH: It is Only for Marketing Purposes
There is no denying that ISO 27001 certification is not going to be an attestation of your security practices. ISO 27001 certification gives you a competitive edge and may contribute to expanding your business operations. However, at the same time, it helps you maintain a consistent approach to your security operations with continuous improvement. As a result, your security practices remain in line with the evolving threat landscape.
MYTH: Achieving ISO 27001 Certification Makes Us Breach-Proof and We Cannot Get Hacked
Absolute security is a myth, and an ISO 27001 certificate is not going to make your organization breach-proof. However, it will minimize the investments required for your security program in the long term. It will also help you continue improving your security practices and aim for a higher maturity level.
It is no secret that the number of data breaches is increasing. As a modern-day organization, you must strive to achieve the best level of security possible. An information security management system is not just a set of policies; it is a governance tool for top management. The results of management reviews and audits can also help management make informed decisions on security investments. So, whether your team consists of 10, 100, or 1000 employees, you can start implementing ISO 27001 right away and improve it over time.
IBM Security Cost of a Data Breach Report 2020
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements