More than 70% of 120 global professionals who have implemented ISO27001, or plan to do so, reported that improving information security was the biggest driver, according to the survey by IT Governance.
With a 25% increase in the number of reported data breaches in 2017, according to European cyber security agency Enisa, cyber security is fast becoming a top priority for organisations, the report said.
The survey also found that nearly 60% of those implementing ISO 27001 believe that a cyber attack is either very likely (14.85%) or likely (44.55%), underlining the standard’s focus on risk management.
The report notes that ISO 27001 is designed to identify, mitigate and minimise risks, and so, in recognition of the fact that cyber attacks are increasingly likely, organisations are using the standard to ensure they are well prepared to fend off an attack and limit the damage.
The report also notes that as the only auditable international standard that defines the requirements of an ISMS, ISO 27001 certification demonstrates that an organisation’s information security is managed in line with international best practice.
“Unfortunately, as long as cyber crime remains a lucrative trade, risks will continue to escalate and attackers will continue to proliferate,” said Alan Calder, founder and executive chairman of IT Governance. “To counter this, organisations need to be fully prepared. ISO 27001, an information security standard designed to minimise risks and mitigate damage, offers the preparedness that organisations need.”
Other top reasons for implementing ISO 27001 include gaining a competitive advantage (57%), ensuring legal and regulatory compliance (52%) and achieving compliance with the EU’s General Data Protection Regulation (GDPR), which was cited by 48% of respondents.
According to IT Governance, ISO 27001 provides an excellent starting point for achieving the technical and operational measures required by the GDPR to help mitigate data breaches.
Closely in line with the drivers for implementing ISO 27001, improved information security was by far the greatest advantage afforded by achieving certification, according to 89% of respondents. And two-thirds of organisations said ISO 27001 improves their security posture – up 3% compared with the 2016 survey.
Other ISO 27001 benefits cited included meeting increasing client demands for greater data security (81%), improved internal processes (67%), improved staff awareness of information security (62%), and improved company image or reputation (58%).
Asked about the main challenges to implementing ISO 27001, 51% of respondents cited obtaining employee buy-in and raising staff awareness, followed by ensuring the right level of competence and expertise (45%), understanding the requirements of the standard (43%), conducting the information security risk assessment (37%), and securing sufficient budget to implement an ISMS (34%).
The report notes that supplier-specified security controls can vary from supplier to supplier, but with ISO 27001, all suppliers are audited using the same set of controls.
“By allowing organisations to assure clients and suppliers that they have implemented best-practice information security processes, ISO 27001 certification plays a critical role in supply chain assurance and helps organisations win new business and create opportunities,” the report said.
The latest survey revealed that 41% of respondents reported that customers had enquired about their ISO 27001 status in the past year, which is a 4% increase from 2016, while 33% said customers “occasionally” enquired about their ISO 27001 status.
Conversely, 36% of respondents said they expect ISO 27001 compliance from certain high-risk suppliers, 10% said they expect ISO 27001 compliance from all suppliers, and 22% said they request information security audits from their suppliers, highlighting a growing focus on supply chain security.
In addition to ISO 27001, the survey revealed that the most popular control sets used for ISMS were the UK government’s Cyber Essentials Scheme (39%), followed by the Payment Card Industry Data Security Standard (PCI DSS) (34%) and guidelines set by the US National Institute of Standards and Technology (Nist) (29%), while 30% of respondents also reported using country or industry-specific or other corporate controls.