People often mistake ISO 27001 for an IT standard, as something that is applicable to the IT industry only. And they are partially right – lots of IT companies are going for ISO 27001 because they see it as good for their businesses.
However, this is only half of the story – very often, companies that are not very obvious candidates for ISO 27001 are also implementing it. Take for example pharmaceutical companies, health organisations, government bodies and the list continues.
ISO 27001 is about protecting the information, not about IT
Why are many non-IT companies interested in ISO 27001?
Because, believe it or not, IT is not the key element in protecting information. In most cases, the companies already have all the technology in place – eg, firewalls, antivirus software, backups.
However, they still have data breaches because this technology is not enough. In 2014 there was a 27.5 percent increase in data breaches, as the infographic below shows.
This is because the employees don't know how to use that technology in a secure way, but more importantly – the technology is very limited when it comes to stopping an insider attack, so obviously something else needs to be deployed.
What ISO 27001 is all about
ISO 27001 provides the methodology for companies to find out which potential incidents could happen to them (ie, risks), and then defines procedures on how to change employee behaviour in order to prevent such incidents from happening.
From that point of view, any organisation that has sensitive information, no matter if it is for-profit or non-profit, small business or corporate, government or private, can benefit from ISO 27001 implementation.
Which industries are typically implementing this standard the most?
Software development companies, cloud companies, and IT support companies are only some of those that implement ISO 27001 – most commonly, they do it because they want to get new clients by proving to them with a certificate that they are able to safeguard their information in the best possible way.
Some IT companies also use ISO 27001 to comply with contractual security requirements from their main clients, or SLAs (Service Level Agreements).
In some cases, fast-growing companies use ISO 27001 as a way to resolve problems in their operations, because this standard forces companies to define who is responsible for what and which steps need to be done in the most important processes, which is very often undefined in companies that are growing too fast.
Banks, insurance companies, brokerage houses, and other financial institutions typically go for ISO 27001 when they want to comply with numerous laws and regulations.
Data protection legislation is the strictest for the financial industry, and luckily, the lawmakers have based their legislation mostly on ISO 27001. This means that ISO 27001 is a perfect methodology to achieve compliance, which makes it very easy to present such a project to the executives.
The second most common reason why these kinds of organisations implement ISO 27001 is cost – they want to prevent incidents from happening, which is, of course, much cheaper than dealing with the consequence of an incident. This approach is typical for the financial industry, because they are usually the most advanced when it comes to risk management.
Telecommunication companies, including internet providers, are very keen on protecting the huge amount of data they handle and reducing the number of outages, so naturally they look toward ISO 27001 as a framework that helps them do that.
Further, similar to the financial industry, there are a growing number of laws and regulations for telecoms, where ISO 27001 is very helpful for compliance.
Typically, government agencies handle very sensitive data – in some agencies this data is confidential, but in all agencies protecting the integrity and availability of their data is of paramount importance.
The fact that ISO 27001 was designed to satisfy those three concepts (the famous C-I-A triad) makes it a perfect methodology to decrease the number of incidents to a minimum.
And, being an international standard recognised by standardisation bodies in each country, ISO 27001 is a perfect framework with official government recognition.
… and any other organisation with sensitive data
This list could go on and on – e.g., health organisations want to protect the data of their patients, pharmaceutical companies want to protect their development data and data on formulas, food processing companies protect their special recipes, manufacturing companies want to protect their knowledge on how certain parts are produced.
Basically, any company that has sensitive information can find ISO 27001 useful.
So, the point is: rather than viewing ISO 27001 as a purely IT project, you should view it is a tool to achieve some very concrete business benefits. And, when you do this, you'll see that it can be applied much more widely than you initially thought, and it can help you in more ways than you expected.
Contributed by Dejan Kosutic, cyber security information expert and an author at 27001Academy.
2014 Data Breaches in the United States Infographic – created by 27001Academy