ISO 27001 compliance is becoming a must-have in the digital era, but is still a tick-box exercise for many


There are various reasons why a company might want to comply with ISO 27001, with some looking to provide assurances to customers and partners that they are aligned with international best practices. Others want to show that they promote organisational improvement for regulatory reasons.

ISO 27001 is an internationally recognised specification for an information security management system (ISMS). It helps organisations align the way they manage information security with recognised best practice. Achieving ISO 27001 certification can be a business differentiator that affirms that an organisation takes information security management seriously.

However, often businesses feel that having certifications is something they need to satisfy clients and stakeholders but see little intrinsic value in compliance. This approach reduces ISO compliance to a tick-box exercise which is generally regarded as a burden. Yet, compliance can hold many benefits when an organisation applies the standard to identify its current levels of maturity and, based on this, tries to close the gaps.

Typically, the best way to implement ISO 27001 compliance is to structure it around four key questions that, between them, cover what the standard asks of you: Do you say what you do? Do you do what you say? Are you continually improving? Can you show proof of the previous three?

Stronger infosec footprint

Implementing the ISO 27001 standard gives your organisation a stronger information security footprint and forces you to decide what you actually want to achieve. If you are aligning to the standard rather than certifying against it, there is no requirement to implement it in full once you have identified your gaps: you can put selected controls in place and do what is feasible. Bear in mind that certification is different. The mandatory clauses of the standard must all be met, and any Annex A control you choose not to implement has to be justified in your Statement of Applicability.

Compliance with ISO 27001 is not a legislative or regulatory requirement, and companies generally do not need to certify, unless certification is a condition set by a customer or international partner in order to do business with them. Organisations therefore typically either align to the standard and become "compliant" without being certified by an accredited certification body, or they become compliant and certified. The difference is cost.

There are already costs involved in running a gap analysis for your organisation: understanding what you are currently doing, where the gaps are, and closing them. Certification costs, which can be significant, come on top of that. Certification is essentially an independent audit by an accredited certification body, such as the South African Bureau of Standards, which is repeated at regular intervals if the certificate is to be kept.

However, while ISO certification may not be a legal requirement, compliance is becoming a must-have, as the handling of personal information has become regulated and legislated in recent years.

Helping with compliance

Considering the advent of the General Data Protection Regulation (GDPR) and, in the South African context, the Protection of Personal Information Act (POPIA), ISO 27001 is not a bad standard to follow, together with ISO/IEC 27701, the privacy information management extension that plugs into ISO 27001 and ISO 27002. Implementing these standards gives companies a structured way to demonstrate that they are meeting the security and privacy obligations laid out in such legislation, although the standards are not a substitute for the legislation itself: certification does not equal legal compliance.

But to successfully achieve ISO 27001 compliance, an organisation must have the backing of senior management to drive the requirements across every department, with every division actively collaborating and working on this initiative.

It is also important for a company to decide whether it will merely align or align and certify before it assesses its maturity levels and gaps, so that it can form a plan to tackle those areas. Remember that if you are only aligning, you do not have to implement the entire standard from A to Z; focus on what works for you.

Finally, it is advisable for companies to engage a third-party service provider to assess their organisational maturity and help them decide what to put in place. There is no one-size-fits-all approach to ISO 27001 alignment, so a service provider with years of experience across a wide range of organisations should be able to mould the standard around your company and its needs.

By Ryan Boyes, Governance, Risk and Compliance Officer at Galix