Is ISO 27001 Worth It?

Updated: 18 January, 2024

1 May, 2023

In this blog post we discuss ISO 27001: its pros and cons compared with other general certifications, and whether it is worth the cost of adoption.


Key Takeaways:

  • ISO 27001 is a comprehensive international standard for managing information security, offering a systematic approach to securing sensitive data.
  • The standard can be tailored to fit the unique needs of any organization, regardless of size or industry.
  • ISO 27001 provides a foundation for meeting various security regulations, such as GDPR and PCI DSS.
  • Adoption of ISO 27001 demonstrates a commitment to information security, potentially increasing customer and stakeholder trust.
  • ISO 27001 may lead to a checkbox mentality, where organizations focus on compliance rather than actual security.
  • The certification process can be expensive and lengthy, requiring extensive planning and resources.
  • For those new to security, ISO 27001 can be daunting, and may require external consultancy for implementation and maintenance.
  • Holding an ISO 27001 certification does not guarantee robust security; a more security-focused approach like OWASP SAMM is recommended for higher maturity levels.


What is ISO 27001?

ISO 27001 is a widely recognized international standard that specifies the requirements for an Information Security Management System (ISMS). It is considered one of the most comprehensive and suitable standards for managing information security in organizations. Codific is proud to have renewed its ISO 27001 audit certification.

ISO 27001 certification demonstrates that an organization has implemented a systematic approach to managing sensitive company and customer information so that it remains secure, confidential, and available. The standard covers a range of areas, including risk management, access control, physical and environmental security, and incident management. It provides a framework for ongoing review and improvement of an organization’s information security practices.

Organisations ask their suppliers or partners for this certification as a guarantee of a minimum security posture.

At Codific we use the OWASP SAMM framework and the SAMMY tool to make the whole process easier to manage and to assure our security posture. As a result, the organisation’s security posture is much easier to demonstrate.


Pros of adopting ISO 27001

Other ISMS frameworks, such as NIST SP 800-53 and COBIT, are available. However, they are not as well-known or as complete as ISO 27001. ISO 27001 is also more adaptable than some other frameworks, because it can be customized to fit the demands of any firm, regardless of its size, sector, or location.

In short, ISO 27001 differs from other ISMS frameworks in its global recognition, its extensive requirements, its emphasis on continuous improvement, and its flexibility to meet different organizational demands.

Other general pros of adopting an ISMS are as follows:

  • Improved information security: ISO 27001 lets an organization manage and protect its sensitive information more systematically, which enhances information security. It helps identify and mitigate potential security risks, improving the organization’s overall security posture.
  • Compliance with regulatory requirements: Specific security laws and guidelines, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS), must be followed. ISO 27001 provides a foundation for complying with such laws.
  • Increased customer trust: Adopting ISO 27001 shows a company’s dedication to safeguarding customer data and preserving the confidentiality, integrity, and availability of information. Customers and other stakeholders may trust you more as a result.


Cons of adopting ISO 27001

Not all enterprises prefer the flexible and adaptive approach of ISO 27001; some prefer a more prescriptive ISMS framework that offers detailed instructions on how to apply specific security procedures.

Additionally, ISO 27001 being compliance-centric is one of its biggest disadvantages. Companies just check the boxes without fundamentally doing all the security activities properly. It is compliance in the hope that it will bring security, and that doesn’t work. Often, holders of ISO 27001 certification aren’t very secure. That is why you need a security-centered approach like SAMM.

ISO 27001 is also boolean: each control is either implemented or it is not. SAMM is a maturity model that captures in much more detail the extent to which a given measure is implemented.

Other general cons of adopting ISO 27001 are the following:

  • Cost: ISO 27001 certification may be more expensive than some other ISMS certifications because it is an internationally recognized standard. Not only do you need to pay for implementation, but also for a certification audit. Implementing and maintaining an ISMS can be costly, especially for small businesses. Costs could include security consultants, security hardware and software, training, and frequent security assessments.
  • Time-consuming: Implementing ISO 27001 can take a long time because it requires extensive planning, documentation, and training.
  • Resource-intensive: Designing, implementing and maintaining the ISMS involves a sizable investment of time, money, and staff, so implementing ISO 27001 can be resource-intensive. However, this depends heavily on the size of the company and which aspects of the ISMS are adopted: the more aspects, the more resource-intensive it becomes.
  • Complex: If you are new to security, ISO 27001 can seem pretty intimidating, and adopting it may require a high level of information security knowledge. Organizations may need to employ outside consultants to help with implementation and upkeep.
  • Not that safe: When compliance is pursued for its own sake, the purpose is often defeated, because every action is taken to “check the box” rather than to do things in the most secure way possible. A security-centric approach such as OWASP SAMM is much better, because its goal is security.


Conclusion

ISO 27001 certainly has its well-deserved place in the industry. For many organizations it accounts for a large part of their security journey. However, it is not enough, and it should not be relied on as the answer to the security question. It is useful for going from a low to a medium security maturity. If you want to go beyond that, we recommend OWASP SAMM instead.


Read more about SAMMY, the free tool provided by Codific: https://sammy.codific.com/

Read here on how Zebra Technologies uses SAMMY to implement OWASP SAMM: https://codific.com/implementing-owasp-samm/

Wondering if SOC 2 is worth it? Look no further! https://codific.com/is-soc-2-worth-it/

Author

Leo is a Market Analyst at Codific. He is currently doing his Bachelor's degree in International Business Management at the Geneva Business School, where he is consistently top of his class. Leo writes about topics ranging from patient-centered care to data protection strategies. If you have questions, reach out to him via the Contact page.