The Pros and Cons of Getting ISO 27001 Accredited

A couple of the main criteria for being able to work on public sector contracts are GDPR and information security compliance. Whilst GDPR compliance can be dealt with fairly easily through obtaining a Cyber Governance accreditation (which we have), information security management usually requires jumping through a number of burning hoops. Cyber Essentials Plus, the audited version of Cyber Essentials, takes a couple of days to get through and is not too onerous.

However, one requirement quite a few university and business clients have introduced in recent times is that their suppliers demonstrate they work in accordance with internationally recognised standards. These standards tend to be the dreaded ISOs, something smaller firms in particular have to spend an inordinate amount of time working towards. Once you have been through an ISO audit, you will know the meaning of pain! Furthermore, once you hold the ISO standard, it is likely you will want to deal with other ISO accredited organisations in future, because this is often part of the requirement of the ISO standard itself.

ISO 27001

This ISO standard is all about information security management. We hold the UKAS-accredited version of it, which required us to build a compliant information security management system (ISMS) and then go through two audits to assess it.

Is pursuing ISO 27001 certification worth the effort and resources, or is it merely a bureaucratic exercise?

Context for Small Business

To show the effect ISO compliance requirements have on small businesses, here is our experience. We started building our information security management system in September 2023 and had finished by February 2024. We used a specialist ISO company, who provided us with the timetable and templates. During this time we built, developed and drafted over 300 documents, spreadsheets and system parts. We then spent a day being audited for a Level 1 audit, subsequently spending two days adjusting the system as directed, before finally completing a Level 2 audit in March 2024, which took 3 full days with two senior management team members plus IT consultants. We have spent over 150 hours building the system, and we now factor in additional time every month keeping everything up to date and compliant. Our accreditation lasts for 3 years; we have to be checked externally every year before being fully audited again in 3 years' time. Total cost? It must be well over £7,500 a year to keep the ISO certificate in place.

The Case for ISO 27001

Enhanced Security
ISO 27001 requires organisations to assess risks and implement appropriate controls to mitigate them. This process helps identify vulnerabilities and strengthens the overall security of information systems. By following the structured approach of ISO 27001, organisations can establish robust security practices that protect against data breaches and cyber threats.

Improved Business Continuity
The standard requires planning for the resilience of information systems. By planning for adverse scenarios, organisations can ensure they maintain essential functions even in the face of disruptions.

Regulatory Compliance
With the increase in regulatory requirements around data protection, ISO 27001 can provide a comprehensive framework.

Enhanced Customer and Partner Confidence
This is the key reason for us to have gone through the UKAS ISO accreditation. Certification serves as a testament to our commitment to security, which in theory enhances our reputation. This can be a crucial differentiator in the transcription and translation sector, where data security is a significant concern but the vast majority of operators are too small to be able to deal with the data security requirements of larger clients.

Competitive Advantage
In many tender processes, especially in the public sector, ISO 27001 certification is a requirement.

The Case Against ISO 27001

High Costs
The cost of implementing ISO 27001 can be prohibitive, especially for small to medium-sized enterprises (SMEs). Expenses include the cost of risk assessments, security controls, training employees, hiring consultants, and the certification process itself. We estimate that it has cost our organisation about £15,000 in direct costs and time spent on achieving the standard to date.

Resource Intensive
Implementing ISO 27001 is not just costly but also resource-intensive. It requires significant time and effort, which could have been directed towards other business-critical activities. The ongoing requirement to monitor, review, and improve the ISMS also puts a strain on resources. We estimate it has taken over 150 hours of senior management time to implement our ISO 27001 compliant system.

Bureaucratic Overhead
Some critics argue that ISO 27001 can lead to bureaucratic overhead, with too much focus on documentation and compliance rather than practical security improvements. This can result in a tick-box approach to security. We can see the truth in this statement – quite a bit of the standard is a tick-box exercise, but it does point organisations towards improvements they would not otherwise have noticed.

False Sense of Security
Merely obtaining ISO 27001 certification does not guarantee that we are fully secure against all forms of cyber threats. This is partly why we have taken the decision to obtain Cyber Essentials Plus, which involves hands-on technical testing of our systems, alongside ISO 27001, which assesses the structure of our management system.

Value Added?
The value of ISO 27001 certification varies depending on several factors, including the size of the business, the nature of the data it handles, its regulatory environment, and its specific security needs. For us the key is the requirement from our larger clients to have the ISO system in place just to be able to get the work.

Conclusion

We see the benefit to our clients of having ISO 27001 compliant suppliers, but going through the process does put smaller businesses at a significant disadvantage. On the other hand, perhaps it elevates smaller businesses to new heights and opens doors to much faster expansion than would otherwise have been possible?