We did an event in central London today, in collaboration with DNV, the international certification body. We had 40+ people in the room for most of the day, all of them there to explore the possible value to their organisations of implementing an ISMS (information security management system) that could be independently certified to ISO 27001.
I did a straw poll of the attendees: how many of them were considering ISO 27001 certification because it might improve their information security or because it was an IT department priority – and how many of them had come along because there was some business imperative?
100% of them were looking at it from a business perspective – either because a recently won contract required certification, or because future bids required it, or because it would simplify answering RFPs, or because it might give the organisation a competitive edge. And those answers are consistent with the feedback we’ve had from the 135+ clients we’ve helped achieve certification and from the several thousand people who’ve been on one of our training courses.
The hard evidence is that ISO 27001 certification is a business-driven project – and it should therefore always be led by a senior business leader, with the full backing of the board and senior management team. Anything less risks the project failing to deliver the benefit the organisation wants.