ERM Practical Connection Activity
ISO 27001 is an international standard that sets out the requirements for an Information Security Management System (ISMS). As with other ISO standards, such as ISO 9001, which addresses quality management, certification is voluntary, but the benefits are substantial for two reasons: first, it forces a company to improve its processes, policies and procedures, thus improving productivity; second, adoption of ISO standards is recognized around the world and provides a competitive advantage (and the reverse is often true: not adopting ISO standards can result in a tremendous competitive disadvantage). As a globally recognized framework, ISO 27001 establishes the implementation, maintenance and improvement of an organization's information security processes. Certification of the organization's ISMS to ISO 27001 is a valuable step. It makes a clear statement to customers, suppliers, partners and authorities that the organization has a secure information management system. (Calder & Watkins, 2008)
Yes, my organization has ISO 27001 certification. The ISO 27001 information security management system helps to keep our organization's information secure and eliminates the risk of a security breach that could have legal implications. Apart from overall protection from cyber-attacks, below are some other advantages and disadvantages that our organization achieves by having certification.
Advantages
· Provides a competitive edge to the company by improving working relationships with clients and enhancing the company's reputation. Clients trust that their data will be secure with us because certification proves to them that we have the policies and procedures in place to secure data.
· Improves our customers' and business partners' confidence.
· Helps avoid financial losses, legal penalties and contractual non-conformity.
· Reduction in losses due to security incidents.
· Improvement of internal organization and data management. It provides an organizational awareness and culture that permeates the organization.
· It ensures continuity and conformance from department to department and from employee to employee.
Disadvantages
· Extra cost - The extra work means extra cost. Although I have heard this said, my belief is that ISO 27001 actually saves money through better management.
· Personnel resistance - Some people consider it a waste of resources and they offer resistance during both the implementation and maintenance phases. My hope is that the cultural change will correct this resistance over time.
Based on my experience, the following four benefits are the most important:
1. Compliance
It may seem odd to list this as the primary advantage, yet it frequently shows the quickest return on investment: if an organization must comply with various regulations concerning data protection, privacy and IT governance, ISO 27001 provides the methodology that enables this in the most efficient way.
2. Marketing edge
In a market which is increasingly competitive, every factor matters, and ISO 27001 is a significant differentiator among competitors.
3. Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if the company can lower expenses by preventing unfavorable incidents.
4. Putting business in order
This one is probably the most underrated, especially for companies which have grown rapidly with little concern for data security. The process of certification will correct the management inconsistencies that many companies experience over time.
My company already has this certification. However, other companies that do not have this certification can obtain it by going through the following steps:
1. Appointing an ISO manager who has specialized knowledge about the procedures.
2. Drafting an information security document that details security controls and objectives.
3. An auditor performing a two-stage audit of the company (ISMS, 2021).