#16 Article: Implementing an information security Standard or Not!

« 8 September 2014 .. 'Implementing an information security Standard or Not!'»

An information security management system (ISMS) first became the subject of an ISO standard in 2005, when ISO/IEC 27001:2005 was published. The first ISO 27001 certificates appeared on the market only from 2006 onwards, because certification bodies and external auditors needed time to get accredited for the relevant NACE codes (the industry sectors they are allowed to audit). Since then more than 17,000 companies around the world have been certified against ISO 27001:2005. But which companies are most interested in implementing the standard and getting certified against it? We have to look at why they do it, and which organizations this standard is most relevant to.


ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. These requirements describe the intended behaviour of the ISMS once it is fully operational; the standard is not a step-by-step guide on how to build one. An information security management system is an integral part of the organization's processes and overall management structure, not a separate project that sits beside them.



According to a BSI poll at Infosecurity Europe 2014, 37 percent of IT professionals regard rogue employees as the biggest threat to companies. They rated the threat from employees as bigger than cyber-attacks (19 percent) or ineffective or missing BYOD (Bring Your Own Device) policies (15 percent).

Identifying a threat is all well and good; the real challenge is figuring out how to mitigate the risk. Based on its findings, the BSI identified adoption of the ISO 27001 standard as the most effective course of action for businesses looking to improve confidence in their security measures. The study found that:

  • 52 percent of the businesses had implemented an internal information security policy
  • 47 percent were providing staff training
  • 34 percent operated in compliance with ISO 27001
  • 29 percent had ISO 27001 certification
  • 23 percent were looking to certify in the "near future"

The research was based on a poll of 79 attendees at Infosecurity Europe 2014, so the percentages should be read as indicative of that audience rather than as a statistically robust survey of the industry.



There are various reasons why organizations choose to implement an information security management system (ISMS) and have it certified.

  • To increase success in public and private tenders – Many public and private sector tenders request ISO 27001 certification either as a prerequisite for moving to the next stage or as a filter to remove companies from the tender process. Achieving the certification that your customers give weight to ensures that you are on a "level playing field" with your potential competitors and improves your chances of tendering successfully.
  • To improve internal efficiency and reduce costs – By running a management system such as an ISMS, a company can stay in control of its processes and procedures and ensure that if anything does go wrong it is rectified quickly, efficiently and to the satisfaction of the customer. It can also ensure a smooth line of communication between employees, suppliers and customers at all times. Many companies we work with report a major improvement in internal efficiency, which allows them to achieve greater results in both a sales and an operational capacity.
  • To improve corporate image – By showing the certification mark in your marketing you prove to your prospective clients that you are a credible business. When a customer is choosing between two suppliers, certification either brings you up to a level playing field, if your competitors have it, or pushes you over and above them if they don't.
  • Market assurance – This concerns the ability of an ISMS to provide confidence, within the marketplace, in an organization's ability to look after information securely. In particular, it inspires confidence that the organization will maintain the confidentiality, integrity and availability of customer information.


Best Regards,

Stelios Sakkas

Managing Director

ISO/TC 176 Member