How hard is it to get ISO 27001, and is it worth it?

iso27001 May 12, 2020

The media interest from our successful certification against the ISO 27001 last month triggered lots of conversation with our customers and partners.  This was overwhelmingly positive, but the apparent fanfare prompted at least one person to ask “Is it more than just a marketing exercise?”

This warrants more than just a ‘yes’ answer – because while the standard itself is internationally well-regarded, what it entails is much less known and the underlying reason for this question is “should I do this myself?”

What is the ISO 27001 standard anyway?

ISO 27001 is an Information Security Management System (ISMS) – a structured system to recognise and assess risk, to decide what to do about it, and to sustain this on an ongoing basis in an auditable way.  It’s important to realise we are not just talking about technical risk here – we’re also talking about pandemics, people communications and ensuring everyone is aware of their responsibilities and with adequate training.  It’s also about writing down what we need to protect, and to what degree, about senior leadership buy-in, identifying the interests of our customers, and about how we  can keep the business going when bad things happen.

A criticism of ISO 27001 is that it doesn’t guarantee specific technical controls are adopted (as does, for example, the New Zealand NZISM).  This is because ISO 27001 is more about implementing a holistic management system than being lost in an ever evolving and often esoteric technical security jungle.  So yes, it doesn’t guarantee one’s firewall is configured in a particular way, but it does ensure the risk of a badly configured firewall is assessed, responsibility assigned and appropriately managed.

ISO 27001 specifies 114 controls spanning everything from mobile devices to document destruction that must be considered and implemented if applicable.  These controls are uniformly good practice and you would need a good reason for not doing so.  We were audited on this.

Why did vBridge do it?

vBridge has been in operation now for 10-years and I’ve known John and Hamish since they started the business.  Honest dealings and strong integrity are their hallmark and key reasons for me joining the team in 2019. Not letting the customer down is one of vBridge’s values (feel the gravity), which means vBridge was already doing ‘good practice’.  However, it wasn’t formalised.  As a company grows it becomes harder to maintain consistency in its operations team and having reached a size of 12 John and Hamish were keen to undertake a security review.  It was Hamish who first suggested we become ISO 27001 certified.

So, is it just a marketing exercise?

The logo is nice, but ISO 27001 has reached deep into the heart of how we operate.  It’s not just a paintjob, it’s a revisit of our key business systems to ensure the quality of our services at a foundational level.  I’m really pleased with the outcome.  We’ve done it properly, and we have 5-days of external audit to prove it.   This is entirely better than just saying ‘we align to ISO 27001’

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years experience in many NZ organisations including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.