Cyber security has become a board level issue over the past decade, with breaches resulting in regulatory fines and customer loss and compromised supplier relationships. While around 1.2 million organisations now boast compliance with the ISO 9001 standard, just 45,000 have achieved accredited certification to the cyber security equivalent: ISO 27001. The problem is a lack of top level commitment.
“While management teams increasingly recognise that cyber security credentials are becoming a key business enabler, why are they failing to step up and make the commitment essential to achieve ISO 27001 certification,” asked Alan Calder, Founder and Executive Chairman, IT Governance.
Cyber security awareness and understanding is fast becoming a fundamental aspect of business differentiation, competitive position, even longevity. While many management teams retain an arms’ length ‘just fix it’ attitude, there is a fast growing band of organisations that now recognise the business value not only of a strong security posture but an accreditation such as ISO 27001 that enables the business to demonstrate its cyber security commitment to customers and business partners alike.
This shift has been driven in part by the arrival of GDPR. While the legal framework is likely to prompt multiple court room battles as companies seek to prove the quality of the technical provision deployed to reduce the likelihood of breach, the ability to demonstrate compliance to a global security standard such as ISO 27001 will be a huge asset.
For organisations that already have good information security processes in place, achieving certification can be fairly straightforward; it is simply a matter of applying the international standards to existing operations and filling in any gaps. For others, however, it will require a fundamental shift in approach, a willingness to not only build the right framework but also get new processes embedded within the business and improve people’s awareness and understanding of good information security behaviour and that can be time consuming.
However, there are also a large number of organisations claiming to follow the ISO 27001 standard without going through the cost of an external certification process – beware! More often than not, these organisations are just paying lip service. Undertake a robust gap analysis to determine how close the company’s security processes and practices are to the full ISO 27001 standard and the gaps will be significant – from management commitment, to the provision of training and the allocation of adequate resources and the quality of the assessment process. These are fundamental components of the ISO 27001 standard and failure to follow these principles reveals an essential lack of strategic understanding of cyber security and cyber resilience.
To be fair to the raft of CISOs keen to move forward and achieve compliance, the biggest stumbling block remains the board in the vast majority of cases. Clause 5 of ISO 27001 states that top management must be engaged in the information security management process; they must lead by example and provide clear guidance to the organisation on issues such as risk management. That means that security is not just a line on the budget and a chance to pass the buck to the tech team; the board must actively discuss and consider security policy if certification is to be achieved.
The world is changing and the ability to demonstrate a high-level of information security is fast becoming more important to organisations than the quality of the service offering. Avoiding regulatory fines is just one small aspect of the business risk; it is the ability to attract customers and safeguard information throughout a supply chain that will increasingly depend upon robust and, critically, certified security postures. ISO 27001 is becoming a baseline for information security – but achieving that standard will require top level commitment.