It’s a right royal pain to get audited. So why bother?
Here are some reasons why your business should invest:
- Certificate on the wall. Certification is bid candy and supports the bid process. It helps provide credibility in the company to stakeholders.
- Customer perception. Some customers audit the company; having a set of policies and formal certification helps the audit process.
- Raise the bar internally. Forcing external certification helps to ensure that some of the basic information security controls are present. A 27001-compliant framework could be followed without certification, but the external audit helps to secure senior management support.
- Raise the bar with suppliers. Formal certification is a useful lever to ensure that suppliers comply with good security practice, particularly where the contract is weak in this area.
- Reputation protection. If something goes wrong and information is inappropriately compromised, ISO 27001 certification can be one of the mitigating factors used to demonstrate that proper governance was in place.
All parties recognise that compliance is not security and that simply obtaining certification does not mean that all risks are managed or that information systems are secure. The position taken is that certification is a small step in the overall information security strategy.
The company does not have a dedicated budget to secure information systems; its business priorities are not to secure information systems and senior management do not see information security as a top business risk. The company management has agreed to this certification budget:
- Annual external audit: £5,000
- Internal resource: half an FTE
- Management time: one meeting every two months