ISO 27001 is money in the bank
Why ISO 27001 certification makes commercial sense
When it comes to information security standards, spending on them is rarely at the top of anyone's agenda. Nobody thinks, "I have all this lovely profit, let me spend some of it on a security standard." We have to face facts: there are competing demands on those precious financial resources. The time will come, though, when it makes very real commercial sense to invest in ISO 27001 certification and the associated certificates, and they will make you money. That time comes as a business matures and the clients it seeks to onboard become more established themselves.
The pressures on more established businesses are the management of their own risk and their own legal and regulatory obligations. To mitigate that risk they will seek some assurance from you that you are doing the right thing. The quickest and easiest way for them to get it is to pass the cost and the effort on to you. Faced with auditing you themselves, spending time and resources to establish whether you are doing the right thing, it is easier and cheaper for them to ask you for certifications to established standards. That way they know that qualified, professional auditors have reviewed your processes and solution and established whether you are doing the right thing (a diligent client will also check that the scope of your certificate actually covers the service they are buying). Bingo, time and money saved for them.
It is also rare that you will be the only supplier that does what you do, and any business worth its sourcing salt is going to carry out some kind of market evaluation to compare costs and services and, ideally, get the best deal it can for its own financial resources. How do they choose a supplier? A quick leveller is to ask all potential suppliers to provide copies of their certificates. It is a hygiene factor. For those that don't have them, the buyer then has to weigh up the risk they pose and in all likelihood will discount them. Take banks, or any public sector body, for example: they just won't do business with you unless you can tick the certification boxes.
I am not saying you have to, or should, wait until you land that first contract that asks for it. There is a lot of good practice in ISO 27001, and starting the journey and operating to the standard will reap some quick wins and dividends without the cost of going through certification. A real benefit is meeting the GDPR's sixth principle, integrity and confidentiality (Article 5(1)(f)), which requires appropriate security for personal data. If you do it right. Add to which, when the time is right, the road to certification will be quicker and easier. Consider that the average time from engaging the certification body to gaining the certificate is 6 months, with a range of 3 to 12 months depending on the scheduling and availability of the certifiers; leaving it to the last minute is clearly not going to help you win that contract.
My advice is to keep ISO 27001 on your radar and, when the time is right for you, be sure to go for certification.