In the previous article, we talked about the recent changes in ISO 27001 with the new revision of October 2022.
Today, we will discuss the reasons why you should get certified and the benefits of doing so.
Reasons to be certified
Companies seek certification for several main reasons.
The main one is to improve their information security. ISO 27001 helps structure the company's Information Security Management System through the clauses and controls it implements. Those controls are varied and cover technical aspects, human resources aspects, training, audits and more.
The second reason is when the headquarters requests that its subsidiaries get certified as well. The main gain in this situation is that you can build on the certification work already done at headquarters. You can get "inspired" by what they have already done in terms of processes, documentation, and training!
The last one is when a customer requests that you be certified in order to keep doing business with them. In that case, obtaining the certification becomes more challenging for the company. Indeed, in addition to changing the company culture to fit the standard, you will also be under pressure to obtain the certificate in the shortest time possible.
Benefits of the certification
Having a good information security management system helps you in several ways.
Firstly, your brand's reputation will be strengthened, since you manage information in a controlled manner.
Management costs will fall, because you will have fewer information security incidents.
Your staff can be more motivated, since you provide them with a way to improve their knowledge of information security.
Also, the certification could bring you more customers, either through a better brand reputation or because some customers only work with certified suppliers.
Information security management ensures business continuity: it minimizes business damage by preventing security incidents and reducing their impact, while preserving the CIA of information and of the associated information processing facilities.

Not this one! The CIA stands for Confidentiality, Integrity, and Availability.
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: The property of safeguarding the accuracy and completeness of assets.
- Availability: The property of being accessible and usable upon demand by an authorized entity.
Integrity plays the pivotal role here, even though all three are equally important.
By getting certified, you will follow a framework for managing information security, which generally includes establishing the information security policy, information security objectives and processes, information security planning, information security controls, information security assurance, and information security improvement.
Additional benefits for the companies in China
If you are in China, ISO 27001 can also bring you additional benefits.
In recent years, the Chinese government has passed several laws related to cybersecurity and personal information protection:
- CSL (Cyber Security Law) since June 2017,
- MLPS 2.0 (Multi Level Protection Scheme) since December 2019,
- DSL (Data Security Law) since September 2021,
- PIPL (Personal Information Protection Law) since November 2021.
The MLPS 2.0, which is mandatory, draws on many international standards and laws, including ISO 27001.
Consequently, implementing ISO 27001 will also help you start your compliance journey with respect to Chinese laws.
A future article will detail more of the similarities between ISO 27001:2022 and MLPS 2.0.
For now, we can say that the main similarities include:
- The human resources: screening before hiring an employee, what to do when an employee leaves,
- The training of your employees, and more specifically cybersecurity awareness,
- The audits that must be performed regularly,
- The information security roles that shall be defined,
- The access rights management,
- …
Kindly note that being ISO 27001 certified won't make you fully compliant with MLPS 2.0; and vice versa, being compliant with MLPS 2.0 won't give you ISO 27001 certification directly!
General information
Getting certified is a long process that requires significant resources (time, people and money) and some changes in the company (culture, processes, etc.).
The certification should be pursued for the long-term benefit of the company, not as a short-term goal (i.e., getting the paper). Indeed, continual improvement will be required.
Before starting to implement the standard, make sure that you have the full support of top management!
If you have any projects regarding ISO 27001, whether for its implementation or to manage your internal audits, you can connect with us by email: contact@apisconsulting.cn or by adding Antoine on WeChat via the QR code below.
Antoine Pilarczyk founded APIS Consulting in 2021 to help companies in China to improve their cybersecurity awareness. He is a certified Lead Auditor and Lead Implementer ISO 27001.