Hey.
Today I’m diving into a topic that's been on my mind to write about for a while:
Is ISO 27001 still valuable?
Spoiler alert – I think it is, but it depends on what your organisation's goals are. Let’s break it down.
First off, why would a business even bother with ISO 27001?
Well, one of the main reasons is the good old certificate-waving. You know, when you can flash that shiny certificate at customers to show you’re compliant. This can be a huge business driver, and certainly one I see a lot of.
Sometimes, having ISO 27001 can open doors to bids and contracts that you wouldn’t even be considered for otherwise.
In some industries, it's practically a ticket to play.
But what if your goal is to boost your internal information security? Maybe you've realised your security maturity isn’t quite where it should be.
In that case, ISO 27001 brings a lot of value, particularly in the realm of policies and procedures and best practices; It’s like a handbook for your staff, laying out expectations and engagement protocols. The framework can help ensure everyone knows their role in keeping the company's data secure.
Now, let's look at the technical controls. ISO 27001 has these in Annex A, but here’s the thing – they’re not particuarly prescriptive.
For example, it might ask, “Do you have an Access Control Policy?” If you do, great – document it, and you’re done. It doesn't really say anything much about the content of such a policy. It’s more about having something in place rather than dictating exactly how it should be.
Contrast this with something like NIST 800-53, which is way more detailed. NIST doesn’t just ask what your approach to a control is, it lays out the detail of the expected standard. It’s like the difference between someone asking if you’ve got a security system at home versus giving you a list of the specific locks, alarms, and cameras you need. ISO asks, do you have cryptography? NIST tells you what level of cryptography you should have.
From what I’ve seen, most organisations push for ISO 27001 because it’s a business enabler; It opens up new opportunities and meets customer expectations, especially in sectors like finance, where due diligence is a big deal.
Some customers even expect ISO 27001 as part of their evaluation process when looking at potential suppliers.
Another point worth mentioning is Cyber Essentials+ here in the UK. It’s a great complement to ISO 27001 because it involves external pen testing, among other things, which aren’t mandated by ISO 27001. Having both can really bolster your security posture.
To sum up, ISO 27001 is more about setting up a framework and controls and asking, “What do you do here?” Other standards, like NIST, are more prescriptive, saying, “You must have multifactor authentication and a FIPS firewall,” and so on.
So, is ISO 27001 valuable?
Absolutely, but it hinges on why you want it - Whether it's to meet business requirements or to genuinely improve your security posture, it has a significant role to play.
Sometimes, though, you might need another certification alongside ISO 27001 or even instead of it. It’s all about finding the right fit for your organisation’s needs.
Comments