What are the ‘Real World’ Benefits of Implementing ISO 27001?

We have produced a number of client case studies focussing on the real-world ISO 27001 experiences (challenges, issues, successes etc) of organisations of all sizes and from a wide variety of industry sectors.

Here, we will be looking at the key recurring benefits actually experienced and have split them broadly into external and internal.

External Benefits

‍Winning New Business

When trying to convince top management of the reasons why the business should invest in ISO 27001, any clear relationship between achieving certification and winning new business is going to be well received.

A large number of the case study organisations talked about the benefits of getting on to tender lists and being “perceived as a more attractive supplier” and “ISO 27001 has already opened a number of doors “, but others went further, i.e., “we have categorically won business on the back of achieving registration to ISO 27001 and there is an absolute direct correlation.’’

‍

Gaining Competitive Advantage

A common benefit experienced was ISO 27001 acting as a significant market differentiator, particularly in tender situations.

“Without doubt, ISO 27001 registration is a key differentiator and significantly adds to our status in the marketplace.”

“Holding an ISO 27001 certificate has been beneficial to our sales team in converting prospective clients, as well as completing tenders.”

‍

Providing Reassurance and Instilling Trust

Having achieved certification to ISO 27001, virtually all of the case study organisations commented on greater levels of trust and reassurance being generated.

A typical response from clients was that ISO 27001 certification was the most effective means of demonstrating to their clients and other interested parties, the organisation’s commitment to best practice information security and continuous improvement.

“For those potential customers who need tangible evidence of a supplier’s commitment to information security, there is nothing to compare with ISO 27001.”

‍

Internal Benefits

What was clear from the case studies was that benefits were not limited to winning new business and obtaining competitive advantage. Here are the key internal ones:

‍

Improvement in Security-Related Working Practices

All of our case study clients talked about the impact that implementing ISO 27001 had on internal systems and procedures. Naturally, these varied between organisations depending on the risks identified, but consistent responses included:

• Formalisation and documentation of key working practices
• Improved information security incident management
• Better Information classification
• Strengthening of physical security
• Raising awareness of likelihood and impact of threats.

‍

Changes in Culture and Awareness

This is a big one, with many respondents commenting on how ISO 27001 had led to a discernible shift towards a more open, no-blame culture where information security was truly embedded.  ISO 27001 certification for a number was more “far-reaching than anticipated and touched all areas, including support functions such as HR, IT and Finance.”

Another response was “the creation of an information security forum has already helped team working, improved communication and local accountability.”

Others have commented on a heightened awareness culture which has led to “the company now having greater visibility of events, incidents and emerging trends.”

‍

Improvement in Morale and Sense of Pride

This is one benefit that doesn’t receive a lot of attention. Obtaining ISO 27001 certification was a source of great pride and achievement to many respondents, particularly some of the SME organisations.

It was often seen as a morale booster and provided reassurance to employees that the company was prepared to invest in quality and protecting information, including their own!

A sense of pride reflects that this is a standard that touches everyone in the business and by their actions (maintaining a clear desk, reporting incidents classifying information, challenging visitors) they are contributing to that improvement.

‍

Cost-Saving and Improved Efficiencies

A significant operational benefit from achieving certification is the reduction in time and resources needed to complete tenders and pre-qualification questionnaires. A number of respondents observed a reduction in audit preparation time and face-to-face contact time with auditors.

The other cost-benefit reported was the identification of specific controls to implement, following the risk assessment, rather than the random and reactive implementation of controls carried out by many organisations.

‍

Supplier Management

In certifying to ISO 27001, case study organisations were not only able to identify what controls they need to implement internally, but also clarified the security-related expectations of services provided by key suppliers e.g. in terms of information encryption, transmission and back up.

‍

Investment in Protecting Reputation

Whilst being difficult to pinpoint exactly, the ultimate benefit of certifying to ISO 27001 reported by case study organisations was in protecting the company’s reputation.

Whether it was developing an awareness programme for staff, or improving supplier management, by reducing the likelihood or impact of a risk materialising, all actions contribute to saving money (including avoiding financial penalties and fines) and safeguarding the organisation’s brand and status.

‍