Introduction
If you are a CEO or senior management looking to do ISO 27001 then this is everything you need to know. These are the facts no one else will tell you, and rather than the usual benefits and upsells we will cut straight to the nitty gritty and the reality of the ISO 27001 standard. Ready?
Table of contents
- Introduction
- ISO 27001 is not an information security standard
- What is ISO 27001?
- What is the minimum you need to do?
- I don’t understand – how can I be insecure and still certify?
- The standard is pointless then?
- Clients Need
- What does having it actually tell my clients?
- Why does it cost so much?
- Is it worth doing?
ISO 27001 is not an information security standard
The first shocking fact is that ISO 27001 is not an information security standard.
What it actually is: ISO 27001 is an information security management standard
And more than that: ISO 27001 is an information security risk management standard.
This is one of those facts that can blow your mind.
If the expectation is that this standard will tell you what security to put in place, set out some rules on what you need to do and make you more secure then you are sadly mistaken.
What is ISO 27001?
ISO 27001 is a very straightforward and easy to implement management system. It sets out how you manage information security in your organisation. At its heart is risk management and this is where it gets interesting.
If you are managing information security and you are managing risk, you will get your ISO 27001 certification.
Note here at no point have I referenced any technical requirements, or made reference to how you operate.
To be clear, this is about managing information security and managing risk.
If anyone says to you – we have to do X now because of ISO 27001 then they are probably mistaken.
It is very possible to have incredibly weak information security with little to no information security controls and still pass the audit and get certified.
I would not advise it, clearly. But it is possible.
What is the minimum you need to do?
The bare minimum you need to do is implement the basic ISO 27001 clauses from the standard – I even show you how to do it and give you step-by-step guides with videos, for free, in the ISO27001:2022 Reference Guide
In outline you are going to:
- Define some roles
- Allocate people
- Write some policies
- Do risk management
- Audit and review yourself
- Continually improve.
I have to re-state that it is not that hard.
I don’t understand – how can I be insecure and still certify?
The answer is simple, this is about risk management. The only requirement on your actual security is that you are managing risk. Risk management is a beautiful thing because it allows you and encourages you and wants you to implement security to a level that is appropriate to you and proportionate to you.
You identify your risks and you implement the level of security you need.
And guess what?
If it turns out you don’t need or want to implement some security, you don’t have to. You can just accept the risk.
There is a middle ground here, for sure, but to answer the question of what is the bare miniimum you can get away with and still ‘pass’, the answer is shockingly straightforward.
The standard is pointless then?
I can see your perspective and it is not without it’s challenges. The level of how pointless it is for you is really down to your context. Let’s explore.
Clients Need
The main focus of having this standard as a CEO is going to be client need and commercial benefit. If someone won’t do business with you unless you have it then you have a choice. Get it and do business. Or don’t get it and move on to the next client opportunity.
What does having it actually tell my clients?
When you get ISO 27001 certification the only thing that it is telling your clients is that you are managing information security and you are managing your risks and this has been independently assessed as being true.
That is it.
What this translates to in reality is that anyone that does what I do for a living will follow up with further questions, document requests and audits of you to assess the actual level of security that you have implemented.
Those clients questionnaires are never going to stop.
Why does it cost so much?
You want the truth? People will charge you what they can. There is an entire industry that comes together to make this look and sound so hard that your only option is to seek outside help and the silver bullet services they offer and the premium price point they offer them.
They have their place.
This is about market forces, supply and demand and no one in an industry wanting to break ranks, so you get charged what they think they can charge you. Simple.
Is it worth doing?
It is worth doing. When you understand what it is, it is worth doing. Effectively managing information security and information security risk is valuable and those benefits are what most people will lead with.
When you understand this about managing then the value comes from that management.
Of course, you also get a certificate to stick on the wall and share with people.