August 24, 2024

Five incorrect assumptions about ISO 27001

ISO 27001 is an internationally recognised standard for information security. Businesses work towards and achieve this certification by taking a holistic approach to all aspects of information security.

However, many incorrect assumptions about ISO 27001 may put business owners and leaders off the idea of pursuing certification. These myths don’t stand up to scrutiny.

This article takes five of the most widely believed incorrect assumptions about ISO 27001 and explains the truth behind them.


ISO 27001 is only for large corporations – FALSE

Although large corporations undeniably have more extensive IT networks, ISO 27001 applies to any organisation of any size. All businesses hold and process data to some extent, regardless of sector, number of employees and annual turnover. That makes information security relevant to everyone.

ISO 27001 is about taking your information security to the next level and proving it with an internationally recognised certificate. You’ll find its requirements are scalable and that it encourages your business to adopt a risk-based mindset. In other words, analyse which risks are most likely to severely impact your information security and take measures to protect your business against them.

So, while ISO 27001 is undoubtedly applicable to large corporations, it’s equally valuable to smaller companies and organisations.


You must implement all controls in Annex A – FALSE

ISO 27001’s Annex A is a catalogue containing a wide range of security controls. People might be put off by the thought of implementing each and every one of them. However, this is completely unnecessary.

You aren’t expected to implement all the security measures in Annex A. Going back to what we mentioned above, ISO 27001 forces you to adopt a risk-based mindset. That means you don’t need to protect yourself against all potential threats. Rather, risk-based thinking means analysing the most likely threats to impact your business and how severely they could affect your operations. You’ll then use Annex A to select the most appropriate security controls for mitigating these specific risks.

From a certain point of view, the more security controls you have in place, the better. However, when these measures overlap or compete, you might end up with an overcomplicated, unnecessarily expensive setup. ISO 27001 doesn’t require implementing measures beyond your scope or outside your means.


ISO 27001 is solely focused on cybersecurity – FALSE

ISO 27001 covers a broader scope than cybersecurity. It details how to enhance and continually improve your information security, and this has many components.

Yes, cybersecurity is a critical part of information security. Firewalls, VPNs, password managers, antivirus software – they’re all vital, and ISO 27001 helps you decide which are most appropriate for your organisational setup and cyber protection.

But ISO 27001 also covers other aspects of information security, such as:

  • Human resources – your systems are only as secure as the people who use them. Employ background checks, character references and monitoring programmes to keep your data safe.
  • Physical security – your information security could be compromised by a physical break-in. Protect against trespassing, theft, unauthorised physical access, vandalism or disasters like floods and fires.
  • Operational security – enhance your information security by making your operational processes more secure.

Achieving ISO 27001 means producing an information security management system (ISMS). This includes the various aspects of information security mentioned above. Compiling everything together in one place makes it easier to take a holistic approach to information security, making it more robust.


ISO 27001 certification guarantees impenetrable cyber defences – FALSE

We wish there were such a thing as an impenetrable cyber barrier. Unfortunately, there isn’t – not even at the highest levels. For any IT system to be useful, information must be sent to and received from external sources. These days, vast amounts of data are copied and transferred every second, moving around the world almost instantly. As a result, there are always multiple potential access points for criminals to exploit.

ISO 27001 – and any good cybersecurity strategy – can’t offer 100% protection against cyber threats. However, they can significantly mitigate the risks associated with these attacks. A correctly applied ISMS will make you more likely to keep any malware or bad actors out. Even if something – or someone – gets in, you’ll have backups to minimise operational disruption and evidence to show that you followed all relevant compliance standards.


ISO 27001 is a one-time thing, not an ongoing process – FALSE

ISO 27001 isn’t a one-time thing. Unfortunately, nothing is in information security – or business in general.

The initial implementation is the most time-consuming aspect and may require the most significant financial investment. But once it’s in place, there’s no time to sit back and relax. Your staff will immediately switch focus to using pre-agreed KPIs to analyse your ISMS’s effectiveness, suggesting and making strategic adjustments as relevant.

Alongside monitoring the system for information silos and other inefficiencies, remember: the threats are constantly changing. The dangers to information security we face today differ significantly from those of, say, five years ago. Because the threat landscape evolves continually, the security measures that protect against those threats must evolve too.


The value of effective information security management through ISO 27001

ISO 27001 certification demonstrates that your business has adopted a comprehensive, internationally recognised ISMS. It doesn’t matter how big your organisation is or what industry it works in. It’s applicable to everyone, scalable and accessible to enterprises of all sizes.

ISO 27001’s fundamental bedrock is the mindset change it requires of those who adopt it. Risk-based thinking and continuous improvement force your business and people to analyse themselves and adopt appropriate, cost-effective security measures that drive success.

Achieving ISO 27001 improves your information security and can significantly improve your brand reputation and customer relationships.

But how do you go about that? That’s where ISO Quality Services Ltd can help. With years of relevant industry experience, our dedicated team has helped countless organisations implement ISO 27001-compliant systems. Contact us today to be our next success story.

About the author

Jodie Purser