A new report from IT Governance reveals that ISO 27001 delivers direct benefits that improve an organisation’s information security posture. Despite this, there is an ongoing struggle to convince boards of the importance of information security, and to secure the necessary budget and resources to implement ISO 27001.
The ISO 27001 Global Report 2016 is based on a study of 250 information security professionals worldwide who have implemented, are implementing, or intend to implement an information security management system (ISMS) that complies with the international best-practice standard, ISO 27001.
According to the report, the main driver for implementing ISO 27001 is improved information security posture (69%), alongside competitive advantage (56%), legal and regulatory compliance (56%), and new business requirements (35%).
Meanwhile, more than half of the respondents reported difficulties convincing the board of the importance of information security, or securing the necessary budget and resources to implement an ISO 27001 ISMS.
Alan Calder, the founder and chief executive officer of IT Governance, said: “Information security teams need to emphasise more than ever the value and benefits an ISO 27001 ISMS brings to an organisation’s information security. Although justifying the return on investment (ROI) can be a challenging task for information security teams, improved security posture, competitive advantage, client and stakeholder credibility, and legal and regulatory compliance are pertinent and convincing arguments for the board to support an ISO 27001 implementation project.”
A significant majority of respondents reported regular or occasional requests to provide evidence of ISO 27001 certification from clients or when tendering for new business. This proves that ISO 27001 plays a critical role in customer and supply chain demands, and helps organisations create new business opportunities.
Alan Calder continued: “The increasing number of cyber attacks on organisations of all sizes has made ISO 27001 certification a regular tender or contract requirement. Organisations certified to ISO 27001 demonstrate to clients and stakeholders that they have implemented best-practice information security processes and policies to avoid persistent and evolving threats.”
The survey’s findings also show that only 16% of companies employ a full-time ISMS manager. In most organisations, responsibility for managing the ISMS falls to the IT manager (19%), the CISO (18%), the compliance manager/risk manager (15%) or the CIO (6%). The research also reveals that “the ISMS manager has a prominent role to play in organisations that are certified or considering certification to ISO 27001”, with the individual requiring both technical experience and a wide understanding of all areas of the business.
The full ISO 27001 Global Report 2016 is available from IT Governance.