When we talk about ISO 27001 compliance (ISMS implementation), the general assumption is that it is the responsibility of the CISO or a CXO of the organization to put things in place. People feel that the security team needs to own the implementation and is responsible and accountable for getting the organization certified. Although the information security team takes the lead in putting the framework in place, one needs to understand that ISMS implementation is a top-management-driven initiative and a top-down approach. Unless management intends to put security in place through policy, procedures, standards and guidelines, the information security team cannot advocate and drive it across the organization to achieve this compliance. One also needs to understand that the real success of an ISMS implementation is not about having policies, guidelines and procedures formulated for the auditors or certifying body to verify during an audit; it is a day-to-day routine that needs to become part of the DNA of the organization's operating culture.
One mammoth task is to convince the organization's top management to take up the ISO 27001 ISMS implementation by citing its benefits and results, and at the same time to convince management to provide the necessary funding. They will ask about its cost, the time period of implementation, its ROI and so on. They are right in their own sense, because organizations and top management talk and understand the language of profits and losses, not of security and compliance. The decision to implement an ISMS will come down to the balance between the investment and the corresponding business benefit. Achieving compliance with the ISO 27001 standard is a daunting process. It can take months and require extensive resources. As a result, whether to launch such a project is indeed a major business decision. Before committing to the implementation, it is critical to know how the standard helps the enterprise and whether the organization has the prerequisites in place to achieve compliance with it.
ISO 27001 compliance has been popular for quite a while in Europe, particularly with financial institutions. It has started becoming popular in the U.S. and other countries, especially among companies that do a lot of business overseas, where customers expect compliance with the standard. There is a common perception that only highly mature organizations are capable of achieving ISO compliance, which makes it a competitive advantage among security-conscious customers. Also, given the difficulty of becoming certified, continuing compliance with the standard may save time and money on customer-mandated audits or reviews; these audits could be replaced by providing the documentation establishing compliance, much like a SAS70 report is used today. But one needs to understand that an ISO 27001 ISMS implementation is more holistic and can be adhered to easily once the policy and standards are in place in accordance with the business perspective.
There are certain questions that will help an organization decide for itself whether to pursue ISO 27001 compliance.
1) What will it cost the company to achieve ISO compliance, in both hard and soft currency? For example, consider dollars spent on new tools and consultants, as well as the cost of not doing other projects and the time lost performing processes you would not normally do.
2) Will achieving ISO compliance give the enterprise a significant competitive edge over its peers and competitors (i.e., "We're more secure than they are")? How much new or retained business can be gained by being ISO compliant?
3) Is ISO 27001 compliance a competitive requirement to stay ahead of peers and gain more business?
4) Will achieving and maintaining certification save money, time and effort in the long run by aiding other compliance efforts?
5) Do customers need the certification in order to do business with us?
All of the questions above need to be addressed by the organization's management, who need to be thoroughly convinced before taking up the compliance certification.
Achieving ISO 27001 compliance can give the business direct and indirect benefits. Let's discuss a few of them below.
a) Increased reliability and security of the systems. The presence of ISO controls improves the availability of information systems and reduces the risk of vulnerabilities being exploited. Periodic audits and the re-certification process help the business keep up to date with patches for the latest vulnerabilities and with best practices.
b) Increased profits. ISO compliance demonstrates that the organization can be trusted to secure customers' data as well as its own.
c) Cost-effective solutions and consistent information security policies, procedures and practices help organizations baseline, stabilize and evolve in line with industry standards.
d) Rationalization and prioritization of information systems, and appropriate channelling of money to fund the prioritized business requirements.
e) Compliance with legislation.
f) Putting the business in order. ISO 27001 is particularly good at sorting these things out: it will force you to define very precisely both responsibilities and duties, and therefore strengthen your internal organization.
Some of the indirect benefits include:
a) Better human relations. Clear policies, procedures and guidelines make things easier for staff and reduce attrition. The ISO controls bring a flavor of increased professionalism to work.
b) Enhanced customer and trading partner confidence. The presence of ISO 27001 certification acts as a continual reminder to potential and existing customers that the company is professionally run and takes the confidentiality, integrity and availability of critical business information seriously.
c) Improved management control.
d) Improved risk management and contingency planning. ISO 27001 compliance provides a more structured approach to risk management. The risk assessment identifies the assets that are critical to the business. This enables a better business continuity plan that prioritizes those assets and reduces the potential exposure to financial loss or negative publicity.
While the road to ISO 27001 certification can be a long one involving many steps, the payoff will be worthwhile, not only in augmenting security processes and controls, but also in opening doors to business opportunities in new markets and raising customer confidence.