Who needs ISO 27001?

Find out the true importance of ISO 27001 and who can benefit from its implementation

In this article, you’ll find out who needs ISO 27001 and understand the true extent of the international standards wide-reaching benefits.

Reading time: 5 minutes

In this article we will cover:

What is ISO 27001?

If you are unfamiliar with ISO 27001, it is a widely accepted security framework that specifies the standards for keeping your organisation’s information safe. ISO 27001 requires organisations to build and maintain an effective Information Security Management System, ISMS, which outlines data security policies and procedures to follow in the event of a significant incident. The International Organization for Standardisation, ISO, and the International Electoral Commission, IEC, have collaborated to issue ISO 27001.

What are the benefits of ISO 27001 to my organisation?

There are a plethora of benefits to implementing ISO 27001 in your organisation. Certification at a base level helps to reduce information security, privacy risks, and breaches from occurring in the first place or drastically reduce the fallout of any information security breach. Furthermore, ISO 27001 accreditation demonstrates a commitment to compliance with regulation and continually improving information security practices in our ever-developing world.

From a financial perspective, ISO 27001 certification helps you to save money and time down the line. Investing in information security before breaches or risks become critical will keep you from growing fines from the Information Commissioner’s Office or other costs related to repairing or improving existing systems. Aside from saving time and expenses, certification boosts your organisation’s reputation with clients and other organisations by showing them you have a solid commitment to upholding information security practices and protecting any information of theirs you may hold. In turn, this helps to increase your competitive edge.

What are the benefits of ISO 27001?

If you’re just now looking at ISO 27001 certification for your organisation, you may benefit from reading our “What are the ISO 27001 benefits” article prior to reading the rest of this page

Is ISO 27001 best for my business?

One question larger organisations should ask when considering ISO 27001 certification is which regions your organisation primarily works in. Organisations mainly working out of the United Kingdom and Europe are well-suited to pursuing ISO 27001 certification for their business, clients, and partners. Whereas organisations primarily working in North America may achieve just SOC 2 certification better. SOC2 is a well-known U.S security standard that has established itself as a pretty common business practice. Organisations only performing business with U.S.-based businesses and customers should find a SOC2 sufficient.

The more significant benefit of ISO 27001 in this regard is that the standard is internationally accepted, and the number of organisations adopting the standard is constantly growing at an exponential rate. According to the ISO Survey 2020, 44,486 organisations were certified for the standard, 8,124 more organisations than in 2019 and 12,576 more than in 2018 – a clear trend of greater adoption.

If your organisation is internationally operating, you will need to consider the demands of your customer base and who they are. If you are conducting business to business, you should consider whether they require ISO 27001 or SOC2 or even both in the case of a variety due to a more extensive customer base.

Does ISO 27001 matter to my industry?

When researching ISO 27001 certification, you may have noticed that the standard is generally applied and used by organisations in almost every industry. Typically you would think ISO 27001 only applies to IT-based companies, but this is the opposite of the truth. Most companies in this day and age already have plenty of information security technologies, such as firewalls, antiviruses, backups, and access control. But often, organisations fail to do enough to uphold these measures. For example, they do not teach their employees how to properly use the technology at their disposal and ensure they approach the technologies used with a secure and data-sensitive approach.

From this point of view, any organisation actively handling sensitive information should consider ISO 27001. Whether non-profit or for-profit, a small business or multinational corporation, government or private group, any business entity can benefit from ISO 27001 certification.

IT companies

All manner of IT-based companies benefit from ISO 27001 certification, and most are already likely better prepared to certify due to the technologies they have in place. For example, software development, cloud, and tech support companies probably have many of the technologies in place and likely have an employee base that is much more aware of how to interact with the systems and follow proper data handling procedures.

IT-based companies may also use ISO 27001 to comply with contractual security requirements or Service Level Agreements (SLAs) with their clients due to the amount and sensitivity of all the data they may be handling.

Financial companies

Financial companies, including banks, insurance handlers, brokerages, and other financial institutions, may thoroughly obtain ISO 27001 certification to comply with industry laws and regulations. Data protection legislation faces some of the strictest rules in the financial sector due to the nature of the data they handle, i.e., money. Luckily for financial institutes, however, regulators have based a great deal of ISO 27001 around the financial industry due to the sensitivity and intricacies of some of the finer details. This makes ISO 27001 implementation easy to follow and apply.

Furthermore, ISO 27001 certification for financial institutions is essential for preventing fines and extra costs from data security incidents. Risk management in finance is critical and relates directly to data security. It is, therefore, cheaper to approach the risks before they evolve into an incident.

Telecommunications companies

ISO 27001 certification can also greatly benefit telecommunications companies. These organisations operating in telecommunications are responsible for protecting and handling a vast amount of data and, most importantly, preventing and minimising the number of outages in their networks that can inherently affect all their customers. This, therefore, makes the implementation and eventual certification of ISO 27001 extremely attractive to these organisations. It helps them to prevent risks and minimise the fallout of any incidents that pass the state of danger. Furthermore, there is an ever-growing amount of laws and regulations imposed on telecommunications organisations, and ISO 27001 can ensure the implementation and continual management of all common information security factors.

Any organisation with sensitive information..

Ultimately we could continue listing different industries and why they could benefit from ISO 27001 implementation and certification for a long while. But it should have become clear to you now that there is one common theme along the certificate. Any company handling sensitive information can find ISO 27001 helpful.

When considering ISO 27001, you shouldn’t consider it a purely IT-based project; you should look at it as a tool for achieving vital organisational benefits and continual improvement.

Elisabeth Belisle

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.

Adam Pope

Adam Pope

Adam is a systems administrator for Digital Octopii and the ISO 27001 certification toolkit. Adam handles the information security and consistency of the ISO 27001 toolkit, setting an example for how data and information should be handled under ISO 27001 guidelines.

Use our ISO 27001 Toolkit and get ready for certification in 5 weeks