Misconceptions and Benefits of ISO 27001
Hello Mrs. ISO 27001, long time no see, always a pleasure! We've talked a lot about your large ISO 27k family over the past few weeks, but what's on YOUR mind right now? The rumors that are circulating? - "YES, please help me clear things up and maybe bring my benefits back to light?" - For sure, my dear, let's start!
Common misconceptions about ISO 27001 keep popping up. Some see it as a sticker on the gas pipe in the basement of their apartment building (which, by the way, is actually a label from the German Institute for Standardization (DIN), but "ISO" and "iso-thermal" do sound alike, okay...).
Others think that these ISO certifications are more about some elite family clan, supported by some governments, that wants to make money with it. That second view is not even sooo wrong. Except that this ominous elite clan (in reality, ISO is a non-governmental network of national standards bodies, and it is independent, accredited certification bodies that audit and issue the certificates, not ISO itself) does not make money off it; its certified companies do. Sounds very humanitarian and future-oriented!
But first, let's clear up some real misconceptions about ISO 27001 certification!
This blog post is actually intended for the responsible employees who have been given the honor of bringing this corporate project to life! But since everyone in a company is involved in achieving this certification, these misconceptions might be of interest to everyone!
1. Only the IT department is responsible
"Information security is limited to the IT department." NO! After all, every "IT problem" is their fault, right? Not so fast. As mentioned in other blog posts, top management attention is especially important. Yes, even mandatory! When a "problem" turns into a disaster, the first "victim" is the CEO, who should start fearing for that second residence.
In other words: if the company is at stake because of information security or if there are fundamental risks, then the circle of responsible persons expands accordingly! By the way, ISO 27001 itself requires this: Clause 5 (Leadership) puts commitment to the ISMS, the information security policy and the assignment of roles and responsibilities squarely on top management. No gimmicks, this is not a sideshow dragged to the finish line by a "topic-fitting" company unit. Top management must be involved!
That information security has become a driving factor in business decisions shows in the growing number of customers who ask for it before they sign. Security of customer data is booming. Who doesn't want their data secured? And which management is not happy about increasing revenues :)!
And clearly, not only the "project officers" have to submit to the rules and preparations of an ISO certification! Also the supposed "we only TALK to the customers" departments! The sales employee does not necessarily deal with firewall rules or discuss code implementation methods with her marketing colleague in their weekly call. These two have completely different concerns! Nevertheless, they also have to make their contribution (e.g. security awareness training, comply with policies etc.). And since that's where names and numbers fly through the air, it only makes sense!
Keyword: policies...
2. ISO 27001 consists only of tons of policies
Let's stay with the marketing and sales teams for a moment. They are a good example: their job is winning business, which makes oversharing information with prospects a very real risk. This is why the person responsible for ISO 27001 needs to actively apply pressure here, precisely when everything else seems to be becoming more important.
After all, there are policies that must be read and followed, otherwise it will end up looking like there are no policies at all.
"Yeah well, do your thing in IT, we need to interact with customers now, no time to read your checklist or whatever. Ciaoiii. Where's my flat white? I need some more caffeine before we meet at the potential client's fancy office! That's more important to the company, right? Selling the products and building a good relationship!"
Well, that's exactly the point! The standard protects in-house data and information, but also that of customers (and vendors in between)! And yes, the customer is king or queen and needs a warm handshake now and then to know they are in good hands, as well as their data and information! That's why it's important that all employees take the time to contribute to the success of ISO 27001 certification.
By now it is clear that ISO 27001 is big on documentation. Documentation is THE lifeblood of this international, powerful standard!
But ISO 27001 is not just a set of policies sent to the office as a complete package on paper to be filled out.
The policies are tailor-made for each company, as they need to be adapted to the current processes. Missing information security processes must be completed and, above all, signed off by those responsible and then addressed to the rest of the workforce concerned. The latter must get to grips with the policies: read them, accept them and - most importantly - comply with them! Only then can you afford a Flat White with oat milk and a dash of vanilla for the rest of your life! Wednesdays maybe Hazelnut…
Otherwise, (thinking in the analog world) the pile of paper might as well be thrown in the trash immediately. This is where Secfix comes in: environmentally friendly and intuitive, no paper waste! For employees, reading and accepting policies on our platform becomes more attractive! You simply have a better user experience and above all you see that the documents are important, "they are so nicely displayed on my employee page. Finally I have an overview myself! :)"
By the way, no corporate departments are being roasted here, let alone made ridiculous. I would make a fool of myself as the author.
But it is simply typical that departments that are not directly involved in implementing ISO 27001 certification are not sufficiently aware of what this can bring to the company and, above all, what it can protect!
But they should urgently bring this awareness to life! Because an ISO 27001 certification opens new doors for the entire company and gives especially sales-oriented departments additional momentum! And if this certification is achieved (and maintained), then the marketing and sales teams will be happy to complain that they need more staff because more new customers are coming in! Wonderful!
So: Do not make stacks of papers! The ones in binders gathering dust in filing cabinets, in the basement. At least until next year... And then... well... "What was the state of things now? Get those files out of the basement!" Poor IT employee who has only been with the company for two months and is now expected to jump into the ongoing project.
Put an end to this mess! Make an appointment with us and let us convince you of the massive benefits of an automated solution from Secfix.
3. An organization must complete all Annex A controls to receive certification
To clear things up: an organization does not need to have every single Annex A control implemented. What it does need is a Statement of Applicability (SoA) that lists every Annex A control, says whether it applies, and justifies each inclusion and each exclusion based on the scope and the risk assessment; that document is what the auditor checks. Not every home has a guest room or a wine cellar where temperatures need to be adjusted for both the wine inventory and the weird aunt! Actually, you could put both in one place. But then the safety of the alcoholic specialties would no longer be guaranteed.
Basically, the grande dame ISO 27001 is all about proving that organizations are demonstrating their commitment to continuous improvement in security and thus, as mentioned so many times in previous blogs, building TRUST.
This is her biggest business objective! Because growing business is the result of this!
For example, "This is a company that handles data and information securely and does so continuously and diligently!" Period. The fact that companies are also making money off of Grandma's desire only makes her happier!
She was never a college professor who insisted that everyone must know every detail and that all knowledge must be housed in one brain. So no, by no means must all controls be implemented if they are not needed for the scope!
Conversely, this also means that you cannot get certified if you have numerous major control gaps, or if a control you excluded is one your own risk assessment says you need.
The same applies to maintaining certification: if nonconformities appear during a surveillance audit (usually annual) or the recertification audit (usually every three years), the certification will crumble if no corrective action is taken within the deadline the certification body sets. 👉 ISO 27005
So you use the daughter of ISO 27001, also known as ISO 27002. She is the guidance companion: the controls themselves are listed in Annex A of ISO 27001, and ISO 27002 explains each of them and provides best practices for selecting and implementing them.
Before an external auditor comes around the corner, action plans (by using ISO 27002 and ISO 27005) should be created and preliminary work done. Secfix is happy to help with this!
Let's immediately remind ourselves of the poor IT employee who now has to deal with old paperwork. This just screams automation of this ISO 27001 certification process, which is so rewarding in more ways than one.
With ISO 27001, you can build your information security management system from scratch! This way you can reduce business and management risks, gain the trust of your potential customers, win these deals, increase your revenue and grow your business. And not to forget that costs are also saved at the same time.
This is not only a win-win situation, but THE jackpot!