Q. “I have heard that ISO 27001 information security is a complex and fearsome beast of a Standard! Why on earth would any company put themselves through the pain and agony of achieving ISO 27001 certification?!”
A. “Well, because maybe their clients request it?”
Q. “Ok, but isn’t that more of a quality requirement?”
A. “Well yes, but ISO defines ‘quality’ as meeting all relevant requirements.”
Q. “Oh, I see what you mean. Clients are important, don’t get me wrong, but won’t 9001 be enough?”
A. “Possibly! Depends on the rewards – for instance you might get a high-value contract after achieving it?”
Q. “Yes, but how many hours and how much money would that cost us?”
A. “Well, how much could you end up paying if you were fined by the ICO for a data protection breach?”
The achievement of ISO 27001 may just keep you out of court and bolster your commercial ambitions at the same time. It is a tall order and if the external certification body is accredited by UKAS, you can bet you will experience a very thorough audit! If we look at implementation using a “process approach”, some of the inputs are hard work, investment in time, investment in knowledge and high levels of commitment; the output is a more robust risk and information management system, a higher degree of awareness of legal requirements, a greater resilience against potential legal breaches, greater client confidence and increased likelihood of securing larger contracts. Not a bad trade-off.
Like any other initiative, getting started is a challenge, and sustaining the momentum is an even bigger one. When you are ready to make a start, we can teach you the knowledge and skills required to manage an ISO 27001 management system.