1 May, 2023
Is ISO 27001 worth it?
In this blog post we discuss ISO 27001: its pros and cons compared with other widely used information security frameworks and certifications, and whether it is worth the cost of adoption.
What is ISO 27001?
ISO 27001 is generally thought of as a certification. Strictly speaking it is a standard for an information security management system (ISMS); an organization becomes certified against it by passing an audit by an accredited certification body. It is the most widely used and most frequently requested information security certification in the industry.
It provides a framework for establishing, implementing, maintaining and continually improving the security of an organization's information assets, covering people, processes and technology. In this blog post we discuss whether adopting the standard is actually worth it.
Pros of adopting ISO 27001
Other frameworks cover similar ground, such as the NIST SP 800-53 control catalog and COBIT. However, they are not as widely recognized internationally, and there is no comparable certification scheme against them. ISO 27001 is also adaptable: the organization defines the scope of its ISMS and chooses its risk treatment, so the standard can be tailored to any firm regardless of its size, sector or location.
In short, ISO 27001 stands out from comparable frameworks through its global recognition, its extensive requirements, its emphasis on continuous improvement, and its flexibility to meet different organizational demands.
Other general pros of adopting an ISMS are the following:
- Improved information security: ISO 27001 requires an organization to manage and protect its sensitive information systematically, starting from a risk assessment and a risk treatment plan. This helps identify and mitigate security risks and improves the organization's overall security posture.
- Compliance with regulatory requirements: Many organizations must comply with security laws and industry standards such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS). ISO 27001 provides a foundation for demonstrating such compliance, although certification on its own does not satisfy those requirements.
- Increased customer trust: Adopting ISO 27001 shows a company's commitment to safeguarding customer data and preserving the confidentiality, integrity and availability of information. Customers and other stakeholders may trust you more as a result.
Cons of adopting ISO 27001
The flexible and adaptive approach of ISO 27001 does not suit every enterprise. Some organizations prefer a more prescriptive framework that gives detailed instructions on how to implement specific security measures.
Additionally, ISO 27001 being compliance-centric is one of its biggest disadvantages. Companies check the boxes without fundamentally doing the underlying security activities properly. It is compliance in the hope that security will follow, and that does not work. Often, holders of an ISO 27001 certificate are not very secure. That is why you need a security-centered approach such as OWASP SAMM.
ISO 27001 is also binary: a control is either implemented or it is not, and an organization is either certified or it is not. SAMM is a maturity model that scores each practice on several levels, which captures in much more detail how far a given measure has actually been implemented.
Other general cons of adopting ISO 27001 are the following:
- Cost: ISO 27001 certification may be more expensive than some other ISMS certifications because it is an internationally recognized standard that must be audited by an accredited certification body. You pay not only for implementation but also for the certification audit, and for the annual surveillance audits and three-yearly recertification needed to keep the certificate. Implementing and maintaining an ISMS can be costly, especially for small businesses. Costs can include security consultants, security hardware and software, training, and regular security assessments.
- Time-consuming: Implementing ISO 27001 can take a long time because it requires extensive planning, documentation and training.
- Resource-intensive: Designing, implementing and maintaining the ISMS requires a sizable investment of time, money and staff. How much depends on the size of the company and on how much of the organization is placed within the scope of the ISMS. The broader the scope, the more resource-intensive the effort.
- Complex: If you are new to security, ISO 27001 can seem intimidating, and adopting it requires a high level of information security knowledge. Organizations may need to hire outside consultants to help with implementation and upkeep.
- Not that safe: When compliance is pursued for its own sake, the purpose is defeated, because every action is taken to "check the box" rather than to do things in the most secure way possible. A security-centric approach such as OWASP SAMM is much better because its goal is security itself.
ISO 27001 certainly has its well-deserved place in the industry. For many organizations it accounts for a large part of their security journey. However, it is not enough and should not be relied on as the answer to the security question. It is useful for going from a low to a medium level of security maturity. If you want to go beyond that, we recommend OWASP SAMM instead.
Read more about SAMMY, the free tool provided by Codific: https://sammy.codific.com/
Read here on how Zebra Technologies uses SAMMY to implement OWASP SAMM: https://codific.com/implementing-owasp-samm/
Wondering if SOC 2 is worth it? Look no further: https://codific.com/is-soc-2-worth-it/