ISO 27001:2013 – The Importance and the Benefits

This post is a follow-on from my previous post: Information Security and Measures to Achieve it.

Over the last few years, several high-profile businesses have suffered data security problems: Tesco Bank, TalkTalk, eBay and Carphone Warehouse, to name a few. However, the impact on SMEs must also be considered; the average cost to a typical small business runs into hundreds of thousands of pounds.

As business operations evolve and become more connected, there is an increasing need to access information on multiple devices, at any time, both on-site and off. Consequently, the way in which businesses protect themselves from information security issues must be robustly managed. Information security can no longer be seen as an additional piece of technology or a singular change to the operating methods a business employs. Organisations need to embed a management system that enshrines all processes, procedures and policies. It must be forward-thinking, continually improved, and a key feature of governance.

ISO 27001:2013 is a standard that sets out the requirements for a system that will help protect the confidentiality, integrity and availability of information. Implementation is a difficult challenge which requires strategic planning, changes to operations and changes to the way in which everyone in the organisation thinks. For a small business, it can take several months to implement, and quite often, management teams find it easy to prioritise other activities over addressing the risk that inadequate information security brings. Take a step back and think about how hindsight is just as easy.

The benefits of implementing ISO 27001 go beyond protection and business preservation. Certification to the standard can help you demonstrate to others that you have excellent processes in place, enhancing your reputation and giving you a marketing advantage over your competitors. If you are a growing business, it can also help you avoid any confusion around who is responsible for different elements of risk associated with information.

The message is straightforward: don’t wait until it’s too late!

If you have any questions or would simply like some more information on this topic, please don’t hesitate to get in touch with Richard on