
Choosing the right certification standard for your organisation

Let’s clear one thing up right from the outset: there’s nothing wrong with pursuing certification with the aim of adding a new logo to your website and marketing materials.

If we’re honest, every organisation wants to put its best foot forward in business. And that often means entering awards, showcasing customer testimonials and, yes, featuring compliance logos. What we should remember is why industries value certain credentials and what it takes to meet relevant standards. After all, a mark of approval is there to denote qualities and qualifications for good reason.

Selecting a partner or supplier that adheres to ISO standards, for instance, comes with in-built reassurances that the business has put in the time to implement processes and procedures in a professional manner – be it environmental standards like ISO 14001 or information security standards such as ISO 27001.

It is important to note, however, that working towards certification for certification’s sake has its problems: if an organisation is solely interested in an accreditation and doesn’t buy into the value of the framework itself, then they are more than likely not going to do their best to maintain compliance throughout the year. Instead, they are more likely to cut corners or let their standards lapse between audits.

Nevertheless, we can acknowledge that achieving any internationally recognised standard or complying with any regulation takes real effort and work. So, on that basis, you are always within your rights to let organisations know when you’ve gained a new certification.

With this in mind, the next question is quite simply: which certification standard or standards are right for your organisation?

Assessing your requirements and capabilities

It may seem obvious but the best place to begin with new certifications is to establish what will make your organisation better: whether that means making it safer, more efficient or more environmentally responsible.

In broad terms, all modern organisations should aim to protect sensitive data, take steps to prevent breaches and do their bit for the planet. But it’s understandable that not all organisations have the resource or financial freedom to pursue enterprise-level accreditations across all disciplines.

Fortunately, there are many options out there for businesses to choose from. While ISO standards may be one option, other solutions may include the likes of Cyber Essentials and BSI.

Meeting your business objectives

If your organisation has begun to look at certification standards, there’s a good chance you’ve thought about the future. Businesses often identify certifications as part of three- or five-year growth plans, potential contract wins or the ability to tender for specific projects. It’s essential that the standards you invest your time, money and resource into reflect your strategic goals. The frameworks you follow should align with what your organisation will need to thrive and progress in the years ahead.

For example, if your aim is to work with financial services institutions or as a cloud service provider, handling sensitive data with integrity, then SOC2 may be an important certification for you to work towards. Similarly, if you intend to work within the supply chain of US federal government agencies then your growth strategy may need to include NIST SP 800-53 certification.

For those businesses looking for a broader and internationally recognised information security standard, ISO 27001 compliance may be the most appropriate accreditation to work towards.

It’s worth noting, of course, that achieving one certification using Hicomply’s ISMS makes achieving further security certifications significantly easier. Our platform has been carefully designed to support the transition between standards. This flexibility is important because even the best-laid business growth plans often change with time – so retaining the ability to add new accreditations and meet evolving regulatory requirements is always worth considering.

Choose standards as a team

Achieving and maintaining compliance in any standard – whether it’s quality, management, health and safety, environmental or security – requires the involvement of individuals and teams across an organisation. Training and awareness work needs to be done from the top to the bottom of a business, so before embarking on a new compliance project it’s important to engage with staff and stakeholders at all levels.

Aligning efforts and agreeing standards to work towards from the outset can help to ensure that employees and stakeholders remain engaged and effective throughout the process.

Conclusion: kicking compliance down the road is never advisable

Taking the time to select the right certification should be considered time well spent. However, delaying efforts to comply with industry-recognised standards rarely leads to a positive outcome. Not only can a fresh, shiny accreditation improve operations, elevate your sales deck and enable you to apply for new tenders, it can also prevent you from getting into hot water.

In the case of information security standards, in particular, it’s important to state that compliance can go a long way towards preventing breaches. Similarly, if a breach does occur, the ability to demonstrate that best practice was followed can help to mitigate reputational damage and even the sizeable fines now frequently dished out by the Information Commissioner’s Office when an organisation loses data.

Ready to push for your next certification? Want to see what our platform can offer you? Why not book a demo today or ask a question by emailing [email protected].
