Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.
Companies will always benefit from managing risks across their organisations – drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives.
Yet when discussing ISO27001 with your executive it can sometimes feel like pushing a grand piano up a steep hill and can be met with some of the following responses:
“Yes I think cyber security is important but we have no budget this year for ISO27001”
“Do we not have firewalls in place to do this?”
“Yes, I can see this is important but ISO27001 will costs quite a bit of money and take quite a bit of resource to implement, maybe next year”
The executive need to be cognisant that cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance…. Not an IT only issue!
Implementing an Information Security framework in your organisation will put Governance, Risk and Compliance at the heart of your business. So if you’re struggling getting executive buy in for ISO27001 we’ve listed 5 tips that might help your executive warm to the Idea (and not about buying more firewalls!!).
- Increased reliability and security in your business.
Perhaps your competitors boast stringent information security measures, comprehensive training for their staff, and regular internal audits to ensure their security is always the best it can be.
You can demonstrate this and more with your accredited ISO 27001 certification, while also demonstrating that your security processes are subject to regular review by an independent body, and that you can only hold your certification while you meet the high standards required by that body.
- Improved customer and stakeholder confidence.
Customers will want to know their personal information is safe, not only from external attack but also from employee error or malicious practices such as selling data. By sharing the news that you are ISO 27001 certified, you can reassure them that your internal practices are geared towards keeping their information safe.
Your certification can demonstrate to stakeholders that you are GDPR-compliant or prove to regulators that you meet the Data Protection Act (2018).
Also if you’re bidding for contracts with the UK Government, your accredited ISO 27001 certification will prove your compliance with its new Minimum Cyber Security Standard, without the need to submit extensive evidence that you comply with each individual requirement of the standard
- Increased business resilience.
Organisations are prepared for most eventualities, IS27001 ensures comprehensive business continuity plans are designed and implemented to ensure continuity of operations under abnormal conditions. ISO27001 promotes the readiness of organizations for rapid recovery in the face of adverse events or conditions, minimize the impact of such circumstances, and provide means to facilitate functioning during and after emergencies.
- Competitive advantage and alignment with customer requirements.
Companies that have a strong information security management system, such as one built on the internationally recognized ISO 27001 standard, are not only protecting their business against threats but also earning the respect of their customers and thereby gaining a competitive advantage
None of us enjoy our information being stolen. When a company is breached and customer’s information is taken, it leaves a bad impression. Customers no longer view the brand as they once did and are less likely to do business with that company.
Important Rule of thumb: It’s easier to retain existing customers than to gain new ones. Customers who see that you’ve worked hard to implement information security measures and commit to the highest standards of information security are more likely to stay with you that those who question how you will protect their data.
- Improved management processes and integration with corporate risk strategies.
The processes required to meet the ISO 27001 standard results in better documentation and means that all staff will have clear guidelines to follow, which helps to keep the organisation secure and free from attack.
Cyber-attacks and data breaches could always happen, but the forward planning that’s involved with ISO 27001 demonstrates that you have evaluated the risks, as well as your business continuity and breach reporting plan if things were to go wrong – hopefully reducing any costs incurred.
ISO 27001 risk assessment helps organisations identify, analyse and evaluate weaknesses in their information security processes.
Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation.
So, there you have it, all the rationale that should convince your executive that implementing ISO27001, the internationally recognised standard for information security in your business makes good business sense…. If after this, you still get push back then you are going to have to buy more firewalls.
Author : Gary O’Brien – Director Safe Harbour Security