Does ISO 27001 certification even make sense?

For companies that want to have their conformity certified, not least as a competitive advantage, the question arises as to which certificates currently make sense. Can ISO 27001 actually serve as useful preparation for certification under Art. 42 GDPR? Financial service providers in particular are under pressure, and therefore motivated, to demonstrate that they meet their accountability obligations under Article 5(2) GDPR by means of an approved certification mechanism, as provided for in Article 24(3) GDPR. In this situation, companies may consider seeking certification against ISO/IEC 27701, the privacy extension to ISO 27001 (numbered ISO/IEC 27552 while it was still a draft). Note, however, that an ISO/IEC 27701 certificate is always issued as an extension of an ISO 27001 certificate: without a certified ISMS there is nothing to extend.

ISO/IEC 27001 is part of the ISO/IEC 27000 family of standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and recognized internationally. The standard specifies the requirements for establishing, implementing, operating, monitoring and continually improving a documented information security management system (ISMS), and it applies to private, public and non-profit organizations alike. Its Annex A lists the security controls from which an organization selects those it needs to treat the risks it has identified. The standard does not, however, prescribe how deeply a control must be implemented; the appropriate depth follows from the organization's own risk assessment.

ISO 27001 certification attests to a functioning information security management system

When is ISO 27001 certification not suitable at all?

It is always astonishing how far some sales organizations will go to generate sales that are anything but sustainable. Why would a chip shop need an ISO certificate if it stores no customer data and does not explicitly process any personal data? Neither a snack bar, a newspaper kiosk, nor a florist needs ISO 27001 certification as long as they do not cross any significant threshold in the volume or sensitivity of the data they process.

Industries that benefit from ISO 27001 certifications

There are many industries in which data is processed intensively. The size and organizational structure of the company also play a role in determining whether certifying an ISMS according to ISO/IEC 27001 makes sense.

The following industries generally benefit from ISO 27001:

  • Financial service providers
  • eCommerce / online retailers
  • Mail order companies
  • Internet service providers (ISPs)
  • Educational providers
  • Consulting companies
  • IT service providers
  • Internet marketing agencies
  • Software manufacturers
  • IT system houses
  • SaaS providers
  • Tax consulting firms
  • Venture capital organizations

ISO 27001 certification – is it really worth it?

Building a QMS or ISMS is partly a creative process

The challenge for SMEs is to implement all the requirements of the ISO 27001 standard. Usually there is a lack of the time, expertise and staff needed to introduce an ISMS independently. As a result, most small businesses fail to get certified on their own, even when they have the technical expertise.

Attempts to introduce an ISMS using general-purpose tools such as M365, Google Docs or web-based wiki systems often fail despite a lot of effort from those involved. Document control (release, revision history and the like) can be handled cleanly with those tools. What is very difficult to map in them are the workflows, for example the four-eyes principle for releasing documents, where a document may only be released after a second person has reviewed and approved it.

ISO 27001 sets out 52 mandatory requirements ("shall" statements) in clauses 4 to 10. Every one of them must be met: if a mandatory requirement is not fulfilled, the auditors will record a major nonconformity during the certification audit, and the certificate cannot be issued.