Do I absolutely need ISO 27001 certification?
The most commonly cited reasons for ISO 27001 certification are obvious: protecting valuable data and improving a company’s trustworthiness. However, the costs of an ISO27001 project are sometimes not in proportion to the profits that can be achieved. So every managing director rightly asks himself: do I need an ISO 27001 certification?
Benefits of ISO 27001 certification
Organizations benefit from ISO 27001 certification:
- Reducing liability and business risks
- Insurance premiums fall due to fewer claims
- Competitiveness increases through improved customer trust
- More trust leads to more profitable orders
- Attractiveness as an employer increases
- Admission to more government contracts
Risk reduction reduces operating costs
Through better risk management in the area of information security, fewer disruptive factors arise in everyday operations. Viruses, Trojans, ransomware and hackers are less likely to bring down work computers and servers. If data is lost due to cyber attacks, accounting transactions for several months often have to be recorded and processed again. The lost working time due to absences from work costs companies a lot of capital. In addition, customers’ trust in the supplier or service provider decreases.
Poor information security leads to extortion, ransoms and fines
If the entrepreneur, managing director or responsible manager has neglected his duties, the legislature can impose a heavy fine on both the company and the responsible persons. It becomes particularly problematic if the company pays a ransom to the hackers or cybercriminals. This can also make you liable to prosecution if the judiciary considers it to be support for criminal organizations in accordance with the Criminal Code. The Criminal Code has clearly and yet problematically defined how one could commit an offense here.
The attractiveness as a supplier and employer increases
Studies have shown that companies with certified management systems have significantly more growth potential. On the one hand, this is because business customers pay attention to long-term indicators when establishing a new business relationship. ISO 27001 certificates strengthen the advantages of a business relationship with potential suppliers. References to certification can be presented on the company website, in marketing materials and on social media. Especially for smaller companies with growth potential, certification is a testament to professionalism and a commitment to quality.
Highly qualified applicants look at potential employers very carefully. They know their market value and the potential damage to their careers should they engage in an unreliable work environment. A company website with an ISO 9001 and ISO 27001 certificate improves the employer’s chances of successfully recruiting a new specialist.
What advantages do ISO certifications offer for medium-sized manufacturing companies?
ISO certification has special advantages for medium-sized companies, which we would like to briefly mention here. We will also look at each individual advantage in more detail from the perspective of individual industries in further articles.
- Cost reduction in production or service areas
- Improved quality of your own goods or services
- Better correspondence between the intended and achieved goals
- Reduced waste and associated costs
- higher customer satisfaction and less expense for liability, maintenance and customer service
- More sales through better quality promises improves competitiveness
- Developing new customers and partners
- Development of new markets and customer target groups
- Stronger identification of employees with their own products and promotion of their own initiative for improvements
- Advantages in liability issues (e.g. compared to insurance companies)
What are the disadvantages of certification?
ISO certification can have the following disadvantages:
- High consulting costs and initial costs
- High certification costs
- High effort to maintain documentation and processes
- Demotivating aspects (“quality dictatorship”, “quality bureaucracy”)
- Quality management and certification as a “self-runner”
As with many things in life, there is no black or white. Many situations with ISO certifications lead to high costs, competitive disadvantages and high staff turnover. Anyone who acts unilaterally will also create such disadvantageous situations. One must first understand how such disadvantages can arise. Only then can you take countermeasures in good time. Classic excessive bureaucracy and over-regulation lead to frustration among the workforce in companies. This triggers a trend towards job changes.
However, overzealous consultants are often partly to blame for the wave of dismissals. Consultants can get into a conflict of interest: By inflating and complicating ISO 27001 projects, the corporate consultant’s profit share increases. This is not in the client’s interest. This situation drives skilled workers to quit because they no longer want to work for the client.
Who needs ISO 27001 certification?
KRITIS has required organizations responsible for critical infrastructures to certify the ISMS they operate according to DIN ISO/IEC 27001 since January 31, 2018. These critical operators must demonstrate that the requirements to maintain information security are met. The management is responsible for implementation and maintenance.
The following sectors are included in KRITIS:
- Information technology and telecommunications
- Media and culture
- Finance and insurance
- energy
- Transport and traffic
- Health
- Water
- Nutrition
- Municipal waste disposal (according to BSIG)
- State and administration
Why is certification important?
With certification from an independent body, certified companies gain significant competitive advantages over their competitors. Certification requires quality. With a valid certification, the organization confirms the quality of information security to the outside world.
How important is an ISMS system according to ISO 27001 for suppliers of large clients?
Major customers often carry out supplier audits. Anyone who already operates management systems certified according to ISO 9001 and ISO 27001 in their company has a better chance of successfully surviving such an external audit. Size Clients expect their suppliers to provide evidence that they have implemented appropriate measures to protect information and personal data. Corporations already demand ISO 27001 certification as a minimum requirement from their system-relevant suppliers.
This usually has no direct impact on current contracts. Nevertheless, more and more major customers are holding preliminary discussions with their existing suppliers about the topic of ISO 27001 certification. In the near future, an ISO 27001 certificate will also be mandatory for suppliers. ISO 9001 certification is already a basic requirement for exploratory discussions about new business relationships. Since an ISO 27001 project requires several months, companies should start implementing ISMS early on. ISO 27001 documentation requires expertise, time and energy.
The mid-sized companies and corporations have recognized significant advantages if they only get involved with certified companies. Here are the benefits of requiring ISO 27001 certification from your suppliers:
- Application of certification as a guarantee within the meaning of GDPR Article 28 (see processor)
- Increasing the trustworthiness of the supplier when processing sensitive information from a client
- Reduction of effort in vendor management: Individual security requirements no longer have to be negotiated with the supplier
- Reduction of effort for supplier audits regarding information security
- Higher ratings help with supplier selection for certified companies
What speaks against certification?
When companies ignore their own rules, it leads to stagnation and loss of sales. Anyone who introduces contradictory rules when setting up a quality management system or information security management system generates a pre-programmed potential for conflict. ISO 9001 and ISO 27001 expect that the requirements of the standard as well as their own standards are followed.