ISO 27001 is growing – here’s why

12/12/2016


Cybercrime is a hot topic. News of data breaches compromising global brands is unrelenting, while the Government plans to tackle the issue by investing £1.9bn in cyber security.

Whilst it may seem like a relatively new issue, the truth is that threats to Information Security have always existed. What has changed is that the threat has become ever more real:

  • 8m people were victims of online fraud across England and Wales in 2015
  • 44% of consumers worry about how their personal data is handled
  • 60% of small businesses are victims of a cyber breach
  • Cyber crime costs UK businesses £34bn a year

It comes as no surprise, given our personal experiences, that businesses are becoming warier of dealing with suppliers. Consumers are hearing about more and more security breaches, and there is a certain degree of cynicism regarding corporate motives for collecting data. As we entrust more information to be stored online in the ‘cloud’, we may be gaining convenience and accessibility, but are we losing control of our personal data?

Risks will only intensify as businesses invest more in the digital world. More than ever, businesses need not only to protect themselves, but also to protect the trust of their customers. Demonstrating Information Security, then, isn’t just about mitigating risk; becoming a trusted supplier leads to competitive advantage.

Introducing ISO 27001

The International Organization for Standardization tackled Information Security by publishing ISO 27001 – a standard for creating an Information Security Management System (ISMS) – in 2005.

The standard gained popularity in no small part because it is generic, and therefore applicable to all organisations regardless of industry or size. Rather than prescribing a fixed set of controls, its requirements ask you to identify, assess and plan against the information risks that affect your organisation.

ISO 27001 is an ideal approach to deal with Information Security because its requirements cover a crucial element – management buy-in. ISO 27001 expects organisations to demonstrate that they link overall business objectives to security priorities. Moreover, the standard recognises the importance of communication; everyone in the organisation needs to understand their role in preventing Information Security threats and communication needs to be in a common language.


The right culture

Information Security is not just the IT team’s responsibility, which is why ISO 27001 requires the approach to be led from the Board Room in order to develop a security-conscious culture.

In reality, most data breaches have little to do with new technology or sophisticated malware, and a great deal to do with a lack of policy and education.

  • 60% of security events are the result of an inside attack
  • 39% of IT staff can get unauthorised access to sensitive information
  • 11% could take sensitive information with them if laid off tomorrow
  • 42% of confidential data loss is through staff

Whilst outside attacks may get the attention, it is the insider threat that businesses should be at least as concerned by. The good news is that protecting a business from the majority of these threats is straightforward and costs little: clear policies, basic training and sensible control of who can access what.

Independent research commissioned by Fellowes illustrates how slack businesses can be: 32% of employees admit to always throwing sensitive documents directly into a bin. No surprise, then, that 64% of employees believe bins are a bigger risk to customer details than computer systems or document theft.

Physical security planning is therefore just as important as cyber security. Likewise, personnel should receive appropriate training, and access rights should be reviewed regularly so that people hold only the access their role requires. Even HR has a role, as they control what happens when employment ceases – accounts must be disabled and equipment and documents returned promptly. After all, what would happen to your business if a member of the sales team left for a competitor with all of your leads?

Jump before you’re pushed

ISO 27001 may be popular because it is well recognised and accessible, but its growth is really down to its becoming an expected norm. Government departments seek to mitigate their risk by raising expectations of suppliers, and ISO 27001 is more often required than not for contracts that carry potential Information Security risks.

That’s not to say the private sector isn’t concerned. No one wants their reputation undermined by a supplier, and the simple answer is to ask more of the supply chain. As a result of this pressure on suppliers, the UK is amongst the top countries for adoption of ISO 27001, with the number of certificates issued growing by 24% last year.

Implementing ISO 27001 is therefore a win-win. Not only does it help protect you and your customers from costly, distracting and damaging breaches, but certification to the standard can also help you stand out from the competition.
