Information security is the biggest driver for companies to apply for certification in complying with the ISO 27001 standard, a global survey shows.
ISO 21001 plays an important role in improving a company's cyber security defences, according to 96% of more than 200 senior executives polled by risk consultancy IT Governance.
Nearly 70% of respondents said that improving information security was the biggest driver for implementing ISO 27001, according to the ISO 27001 Global Report 2015.
Other top reasons for adopting the standard were to align with information security best practice (62%) and to gain a competitive advantage (57%).
Improved information security is also seen as the single most important benefit of ISO 27001 implementation (51%).
The report highlights the critical role ISO 27001 plays in customer and supply chain assurance.
Two-thirds of respondents said their clients had asked them about their ISO 27001 status in the past 12 months. More than half of those reveal that ISO 27001 is a regular requirement for contracts and tendering for new business.
READ MORE ABOUT ISO 27001
ISO 27001 certification
“Considering that ISO 27001 is now a regular tender and contract requirement, it is unsurprising that certification to the standard is popular,” said Alan Calder, founder and executive chairman of IT Governance.
“An ISO 27001 certificate is a simple and credible way of demonstrating to clients and stakeholders that an organisation has implemented best-practice information security processes and can be trusted.”
According to the report, 40% of organisations have achieved ISO 27001 certification and 44% are working towards achieving certification. Only 16% are not planning to certify their information security management system (ISMS).
More than two-thirds of respondents said achieving certification to ISO 27001 is “an investment that is fully justified by the benefits”.
The survey shows that chief executives are supportive of ISO 27001 implementation, with 38% of respondents saying they had no challenge in securing their CEO’s buy-in when it came to implementing ISO 27001. But 20% found it most challenging to convince the board that information security is a critical business issue.
ISO 27001 sets out the requirements for the establishment, implementation, management and continual improvement of an ISMS.
According to IT Governance, the value of ISO 27001 lies in the fact that it is a management standard and that it looks at information security from a comprehensive point of view, taking into account people, processes and technology.
“The evidence that more than one-third of the boards support ISO 27001 implementation suggests growing awareness of the benefits of the standard. However, this positive result is overshadowed by the fact that 23% of respondents admit that securing sufficient budget for their ISO 27001 project remains their biggest challenge, and a further 13% struggled to secure permission to employ sufficient human resources to deliver the project,” said Calder.
“A top-down approach to ISO 27001 implementation is fundamental to the success of the project and the effectiveness of the ISMS. Information security is expensive, but so is information insecurity. Boards must ensure they allocate the appropriate budget and resources to be able to truly protect their organisation using ISO 27001,” he said.
Staff awareness and competence
The report also reveals that raising staff awareness (45%) and ensuring they have the right level of competence (44%) are the two biggest challenges for businesses when implementing ISO 27001.
According to the report, there may be a correlation between the lack of adequate expertise and the fact that only 23% of organisations employ a dedicated, full-time ISMS manager. The rest delegate this activity to their IT manager (22%), CISO (14%), compliance manager (10%), CIO (8%) or other roles in the organisation.
“Our research suggests that more than two-thirds of organisations are stretching their internal resources by expecting their ISMS to be managed by someone in addition to their core duties,” said Calder.
The report said it is worrying that 44% of respondents admit that the person managing their ISMS does not have a formal ISO 27001 ISMS qualification. “Despite this lack of relevant training, 28% are not planning to train their ISMS manager, while 35% do not have control over that decision,” the report said. Only 37% said they are planning to train their existing ISMS managers.
Calder said the lack of relevant skills can affect the effectiveness and performance of the ISMS. “Given the current shortage of cyber security skills, it is essential that businesses support professional staff in acquiring the necessary qualifications,” he said.
Asked if they used external consultants to help them prepare for certification, 40% of respondents said they did. “The absence of a full-time ISMS manager as well as a shortage of formal training for those tasked with ISMS management may contribute to this trend,” the report said.