Data security turned out to be a hot topic of discussion during our recent ISO 9001 audit. As we look to add further rigor around our data security processes, we’ve been investigating ISO 27001.
We realise that many of our clients will be in the same boat, so we’ve put together an overview of our findings.
In a world where cybercrime is on the rise and data breaches are rampant, adhering to a strict security standard is your best liability insurance.
If you’re trying to prove that your organization is serious about security, ISO 27001 is the gold standard.
Whilst ISO 27001 accreditation is not yet mandatory in Australia, high-profile data breaches such as those at Medibank and Optus in the last year demonstrate the importance of safeguarding sensitive information and mitigating risks related to cyber threats. So, is your business ready?
What is ISO 27001?
In a nutshell ISO 27001 is an international standard for information security management systems (ISMS). It sets out a best-practice approach to cyber risk management that can be adopted by all businesses, large or small.
ISO 27001 specifies how an ISMS should function to satisfy the CIA triad of information security:
- Confidentiality (Restricting data access to authorized users)
- Integrity (Data is complete and free from inaccuracies or corruption)
- Availability (Users can access the information they need)
It provides a framework for organizations to establish, implement, maintain, and continually improve their information security practices.
Many industries in Australia are subject to various data protection and privacy laws, such as the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. Whilst ISO 27001 is not mandatory here in Australia yet, achieving ISO 27001 accreditation demonstrates a company’s commitment to complying with relevant data protection laws.
What sort of organisations should be getting accredited?
In principle, any company with sensitive information can benefit from ISO 27001.
Being accepted as the global benchmark for best security practices, the framework provides the methodology to identify any information security risk and defines procedures to mitigate such threats. Therefore, any business dealing with sensitive information, be it a corporate or small business, profit or non-profit, private or government-owned, can benefit from implementing ISO 27001.
- The primary industries where we currently find ISO 27001 certification in Australia are IT, Finance, Telecom, Healthcare, and Government.
- IT support companies, software development companies, and cloud companies are proponents of the standard, as it reassures customers that they can effectively safeguard any sensitive information.
- Companies that do business outside of Australia benefit from having the global security benchmark.
- Businesses competing with other organisations that have ISO 27001 compliance would benefit from the accreditation.
Benefits of ISO 27001 certification
- An excellent framework for protecting information assets from malicious attacks.
- Enhances the security credentials of an organisation.
- Protection of your intellectual property, brand, and professional reputation.
- A differentiating factor to give your organization an edge over competitors.
- The global standard provides complete guidance on building, implementing, maintaining, and consistently improving the ISMS.
- Long-term cost savings through streamlined processes and risk reduction.
- Compliance with global business, legal, contractual and regulatory requirements.
What does the ISO 27001 certification process involve?
1. Read the ISO 27001:2013 Standard
2. Get Stakeholder Support
3. Conduct a Risk Assessment
4. Write a Statement of Applicability
5. Update company ISMS Documentation
6. Undergo Audit – Stage 1
7. Undergo Audit – Stage 2
8. Maintain and Review Compliance
For more information, read the Australian Compliance Council's overview.
How much does the ISO 27001 certification cost?
ISO 27001 certification costs depend upon the size and maturity of the organization. According to Best Practice Biz, you can expect to pay at least $120 for a single copy of the ISO standard. Auditor costs range anywhere between $1,000 and $1,600 per day. The auditor's fees you pay will depend on the ISO standard being audited. The average certification cost for small businesses is approximately $10,000 to $15,000 at the minimum.
Can you afford to be overlooked for not being compliant?
It's evident that getting ISO 27001 certification is a large undertaking. It requires significant commitment, resources and funds, which is probably why only a small percentage of Australian businesses have chosen to do so... thus far.
For those that do make the commitment, the benefits of certification are far-reaching. ISO 27001 is going to become increasingly important, with trends suggesting it will become a prerequisite for many organisations before they enter into new tenders and partnerships.
Ultimately each individual business case will be different, so our recommendation is to do your due diligence.