ISO27001: security as a business enabler

As I alluded to in a previous post, my organisation has been working to gain ISO27001 compliance for the last year and a half. I’m pleased to report that in early December we finally achieved our first compliance certificate, and this represents the culmination of a lot of hard work, some by people who have now moved on to new things.

So why did we do it and what was involved? Well, ISO27001 is about how information security is organised. Basically you construct a dossier of all your policies, practices and standards in the ISO27001 arena and set up work packages to continuously improve in all areas. The next stage (which for us will come in December 2010) is “advanced compliance” when the auditor will want to see real improvements in all the areas you have identified.

This process has a lot going for it. Firstly, it raises awareness: because we got individual practitioners to write their own policies and standards, a much larger number of people than before are now engaged with improving security. Secondly, it makes compliance easier: the “controls” in ISO27002 (basically a list of good practices that you need to evaluate yourself against) are usually recycled for compliance projects like Government Connect, PCI DSS or the NHS N3 code of connection.

In the future, as organisations try to work more seamlessly with each other, we will have to go through ever more compliance processes; ISO27001 provides us with some reusable compliance material to make this process cheaper and quicker.

And this is the core reason why I’m so pleased we did it. Organisations in all sectors waste far too much time ticking security boxes and not enough time making real security happen: this allows us to direct our energies to the latter while simultaneously making partnership working quicker, cheaper and more effective. I believe that in the not too distant future it will be impossible to do business without adopting standards like ISO27001.

Our compliance certificate does not mean we will never have a data security breach, and it doesn’t mean we are doing everything we should in the security area, but it shows we have taken the first steps on our journey to becoming a fully security-enabled organisation.


2 Responses to ISO27001: security as a business enabler

  1. Brian Honan says:

    Excellent post on the benefits of implementing ISO 27001. Too often people just focus on the security benefits that ISO 27001 brings to an organisation and miss out on the other benefits such as:
    – Improved processes
    – Improved quality in the ISMS (ISO is after all a quality standard)
    – Better management overview and engagement
    – Cost savings

    I wrote an article for the Knowledge Ireland magazine on the benefits of ISO 27001. It is available for free download from my site at (PDF File).


  2. martinhowitt says:

    Thanks Brian. A good summary paper by yourself too. I didn’t explicitly make the link to risk management (I wrote about it in an earlier post) but it is well worth making and summarised nicely in your paper.
