Achieving ISO/IEC 27001 certification can feel like a daunting task, especially for businesses new to cybersecurity compliance. However, this internationally recognised standard isn’t just about ticking boxes—it’s about building a strong foundation for protecting your organisation’s information assets and earning the trust of clients, stakeholders, and regulators. Whether you’re wondering if your business is too small for certification, how it impacts insurance, or what the process actually involves, this guide breaks down the most common questions about ISO 27001 in a straightforward and practical way.
Why would I want ISO 27001 certification?
An ISO/IEC 27001 certification is independent confirmation that your organisation runs an information security management system (ISMS): that you have identified the security risks to your internal processes, have controls in place to treat them, and keep that system under review. In the worst case, you need assurance that a defence exists for the risks that could compromise those processes. That assurance is critical, and it can be the difference between a structurally sound cyber defence and the collapse of the business within a day, let alone minutes. Certification is a mark of reliability.
Key points of consideration:
- Having ISO/IEC 27001 instils confidence in stakeholders, investors, and clients that security is a priority and that their association with your business will not be jeopardised by a lack of protection for sensitive data. If you provide them a service, you are protecting not only them but also the processes around that service.
- Certification is a competitive advantage within your market, especially as security consciousness continues to rise. Security is now a prerequisite for customers and potential stakeholders, and they need assurance that they will not be compromised by doing business with you.
- Organisations have many compliance requirements, and these extend to their third-party suppliers; a lack of certification will sharply reduce your chances of winning a tender, request for quote (RFQ) or request for proposal (RFP).
- Insurers are declining organisations that lack controls, or pricing premiums beyond justification. Lloyd's of London is an example: it has directed its underwriters to exclude losses from "state-backed cyber-attacks". In practice, insurers evaluate the likelihood of a breach or cyber-attack at your business and decide whether to insure you at all. There are many determinants, but at a minimum you must be able to show that your business has invested in security to mitigate risks, or at least reduce the likelihood of attacks, which makes it easier to be insured at a much more reasonable price.
- Having insurance that covers cyber-attacks or breaches is not a defence strategy.
- This is not a box-ticking exercise or a one-size-fits-all solution. It is a holistic assessment of the compliance that is relevant to you, based on the preventative measures your business and its third parties actually need.
When and how often am I audited?
Am I too small for ISO 27001?
ISO/IEC 27001 is a flexible standard that can be implemented by organisations of any size, from small businesses to large corporations. The scope of the ISMS is defined by you, so a small organisation certifies a correspondingly small scope.
Nor is it necessarily too expensive, provided you engage the right people. Morrisec specialise in SMBs and have supported very small organisations in gaining certification in very short time frames.
Can I offload my security requirements?
You can use cloud and third-party suppliers, but the responsibility remains yours: you have to ensure that they, too, remain within compliance. Having too many external contributors can also become messy and unaligned, and fail to resolve your issue, because security compliance needs to be practised consistently across the board, with all parties on the same page about what needs to be done. When your data is breached through a third party, it is your own reputation that suffers because of that association, not theirs.
Do all my risks have to be remediated to get certified?
No. Certification requires that you have identified your risks, assessed them, and have a documented risk treatment plan in place, with any residual risk formally accepted by management. It does not require that every risk already be remediated.
Can you certify a product or service?
No, that does not exist. ISO/IEC 27001 certification applies to the management system and the processes around a service or product, not to the product or service itself. For example, a SaaS solution cannot be ISO certified; only the processes used to provide that solution can.
If you need more information or would like to discuss these topics further, get in touch!