
Myth Busting: Why Do Companies Not Get ISO 27001?

ISO/IEC 27001 sets out the requirements for implementing information security management systems (ISMS) on a global scale. The certification was established in 2013 to help maintain and improve the information security infrastructure many organisations around the world have in place.

Achieving ISO 27001 certification shows that your business actively manages potential threats and ensures that information is secure. As legislation becomes tighter and organisations come under more scrutiny when it comes to data protection, this is not something you want to skip. Despite all of this, there are still some companies today who have not implemented an ISMS – and therefore have not become ISO 27001 certified.

Our team of experts here at Hicomply look at some of the myths around ISO 27001 and explain why it is not as daunting as it may seem.

Myth: It’s too expensive for my business

Organisations often assume that putting an ISMS in place is too expensive. However, all our clients have been pleasantly surprised by its affordability and have seen a greater return on their investment across many areas.

In a world where data is the most valuable resource, protecting it does come at a price, but it is not as much as you think. Especially when you consider that organisations spent around £2.9 million recovering from data incidents in 2020 alone.

The cost of the ISO 27001 certification itself depends on your organisation's size, but it offers something invaluable. With Hicomply, our out-of-the-box ISMS implementation starts at £3000 annually, rising to £9000 when including the external auditor costs needed to achieve ISO/IEC 27001 certification. Most importantly, as soon as you log in you have a fully functioning ISMS preparing your business for audit.

Not only does having an ISO 27001 certification in place prove to your customers that you take information security seriously, but it also gives you an advantage over your competitors and ensures you are compliant.

Myth: It’s too time-consuming and a big change for the company

With a digital ISMS solution, you’ll reduce internal senior management and external consultancy time, and have a clear overview of your ISMS set-up.

Having the right processes will help bring your information security policies and procedures to life, meaning ISO 27001 certification can be achieved in as little as 4-6 months, which is half the time it can otherwise take. In addition, it's a very strong statement to customers to say you are working towards ISO 27001 - helping you win business in the meantime.

Myth: We are too small a company

It is much easier and much cheaper to implement ISO 27001 as a small business and adapt it as you grow than to wait until your business reaches a specific size.

If you want to grow your business quickly, look like a serious contender and compete with those bigger players, information security is the best place to start. More and more enterprise-level customers are asking for ISO 27001 certification from all their suppliers. Can you afford not to compete for their business?

We see businesses with 10 or fewer employees regularly implement ISO 27001 for the advantages it brings. You can read more about the commercial impact of implementing ISO 27001.

Myth: We must make sure our processes are perfect first

One of the first steps in implementing ISO 27001 is to identify where you are and what steps are needed to achieve ISO 27001-compliant processes and policies. You can find out more in our comprehensive ISO 27001 checklist.

Don’t waste time guessing. There is no time like the present when it comes to implementing an ISMS and becoming ISO 27001 certified. The certification itself is all about showing that you have the right processes in place to manage security risks when they occur within your business.

Final thought

Data protection is not something that can be delayed, and competitive organisations are taking every step possible to show that they are doing everything they can do to manage it.

In fact, every organisation that handles customer data should be implementing an ISMS. Data is too valuable, and its loss or theft is too damaging to your organisation, to leave unprotected.
