3 things people get wrong about ISO 27001

A version of this blog was originally published on 8 October 2018. 

Organisations are sometimes reluctant to implement ISO 27001, the international standard for information security, because of preconceived ideas that simply aren’t true. The Standard can be massively helpful for those looking for advice on ways to prevent data breaches, so it’s frustrating to hear things such as: 

  1. ‘Implementing ISO 27001 is expensive’

The most common reason for organisations to dismiss ISO 27001 is their belief that it’s too expensive to implement. However, it’s possible to do everything necessary to certify for the Standard for less than £2,000 (9,557 SAR). 

That might still be a reasonably big investment for your organisation, but it’s far more cost-effective than the alternative. Without effective information security processes, you are more likely to suffer a large-scale breach, and that will cost 13.1 million SAR on average to address.

  2. ‘It’s too complicated’

Implementing information security processes is naturally going to be complicated, because it involves protecting your organisation from a near-endless list of threats. But that isn’t a reason to not implement ISO 27001. If anything, it proves the opposite. You need to tackle the issues head-on and accept that any solution will include complexities. 

  3. ‘Information security is the IT department’s responsibility’

Although the IT department does a lot of the work related to information security, it’s not their responsibility to initiate the adoption of frameworks such as ISO 27001. The framework affects the whole organisation, and as such the board needs to sign off on and manage the process.

Read our guide to implementing an ISO 27001-compliant ISMS 

You can find out more about the reality of ISO 27001 by reading our free green paper: Implementing an ISMS – The nine-step approach.

This guide shows how you can create an ISMS (information security management system) that meets ISO 27001’s requirements while saving time and money. You’ll learn how an ISMS works and why you need one, as well as discovering our tried-and-tested implementation approach.