Why your ISO 27001 is failing and what you can do about it

So, you are trying to onboard a new customer, one you have been going after for a while, one who can bring good fortune to the organization. Then, when you are almost certain that the deal is yours, they ask whether you are ISO 27001 certified. You are not expecting this, but you also don’t want to lose the customer. So what do you do? You assure them of the said certification and start looking for the best consultant you can find or, if your organization is lucky, it finds someone within to help get the customer on board. Yes, you heard it right. It is not really about the standard yet.

You implement all the policies and procedures. You ask your employees in a very subtle yet very sharp way to follow the documentation. You pass the audit and yes, you get the customer. The story should end here, right?

It does not. Why, you ask? Because up until now it was all about winning the customer. Of all the customers for whom we have implemented ISO 27001, 80% were interested in implementing ISO or any other standard because their own clients could not trust their security posture until they got the certificate of compliance.

Honestly, there is nothing wrong with the reason. But if it is the only thing driving your decision, then it is time to take a hard look at the incidents happening outside and then at your organization to see how equipped it is to survive a cyber-attack, be it from within or outside.

ISO 27001 will only be effective if you diligently follow all the good practices, not just in the first year to pass the audit but incessantly. We have seen organizations be strict and sincere with their security practices just to get the certificate and then become negligent.
ISO 27001 is a very effective standard if implemented and followed religiously. Let’s see why.

  • It covers all the factors of information security.
  • It not only protects information but also ensures that people are protected.
  • The standard gives you enough room to set up a control in a way that suits your business.
  • It lets you set your own objectives and review them as you go on.
  • It lets you address and identify all the risks and helps you treat them with the wide variety of controls it offers.

But to reap the benefits of the standard, we need to make sure that it is being implemented for all the right reasons and not just to satisfy customer needs.

The motivation that got you going with the implementation has to persist. Security is not a one-time thing; it is a continuous and collective effort on everyone’s part, right from management to the lowest entity in the hierarchy.
It is important for management to oversee the progress and continuously contribute by providing whatever is needed to strengthen security.

One thing most organizations lack is awareness among employees. Organizations have to make it a point to spread the maximum level of awareness and ignite a sense of responsibility in everyone.
You have to remember that one good security practice can save your organization from a lot of trouble, and if you meticulously follow what has already been implemented, you will soon start to see what good execution can unleash.

