ISO 27001 certification: risk management’s competitive advantage

Published on November 5, 2018

Lockpath’s Jason Eubanks is like those Farmers Insurance commercials: he knows a thing or two because he’s seen a thing or two. In a recent webinar titled “Gain a Competitive Advantage with ISO Certification”, Eubanks, a former ISO auditor, walks through the reasons for pursuing ISO 27001 certification, the standard’s requirements and what ISO auditors look for, and the technology solutions that make maintaining an information security management system (ISMS) more efficient.

A few highlights from our webinar include:

Top-down risk management
One of the advantages of ISO 27001 is it improves top-down risk management. It replaces the traditional siloed approach to managing risk within departments with a top-down, enterprise-wide approach to managing risk. It’s comprehensive in scope but detail-oriented upon review.

“It’s more than just controls you see with many frameworks,” said Eubanks. “ISO 27001 is understanding risk and implementing processes to address risk.”

Show more, tell less
Throughout the webinar, Eubanks advocates a “show more, tell less” approach to dealing with ISO auditors. To show more, Eubanks recommends developing an ISMS manual.

The manual contains process flows, interested parties, policies, procedures and controls that demonstrate compliance with ISO 27001 requirements. The more information in the manual, the better. One example is the senior-leadership involvement that ISO 27001 stipulates: according to Eubanks, companies get tripped up not by failing to involve senior leaders but by falling short on documenting that involvement.

Findings are good news, not bad news
Most organizations dread audit findings. Eubanks offers a more positive assessment.

“It’s not the end of the world. It’s a learning moment.”

Eubanks sees ISO 27001 audit findings as opportunities to improve. When you recall that ISO 27001 focuses on continuous improvement, you can interpret findings as ways to improve. For every finding, follow processes for determining root cause and implementing a corrective action plan. Also, document every step, so you can show, not tell, auditors that you addressed findings.

Seek efficiency in technology solutions
Many organizations seeking ISO 27001 certification rely on spreadsheets, email and other standard office tools. Eubanks advises against using spreadsheets for managing an ISMS.

“Spreadsheets don’t offer data integrity with information security standards,” said Eubanks. “There’s no easy, efficient way to manage change control or version history.”

Eubanks recommends using a GRC platform because of the efficiencies it brings to managing an ISMS and complying with ISO 27001 requirements. A GRC platform offers a central repository for controls, policies and other documents and provides linkage between them. Its workflow enforces standard processes and brings automation to many of them, which minimizes the chance of manual errors. It also supports an advanced risk register with risk scoring and heat maps that connect the dots for auditors. Go here to download a case study of how Lockpath used its own GRC platform, Keylight, to earn ISO 27001 certification.

Your competitive advantage
ISO 27001 certification is a global benchmark recognized internationally. Being able to say your organization is ISO 27001 certified tells customers that your company follows the highest standards for protecting their data, which can ultimately give you a competitive advantage.

That’s five highlights from the webinar, “Gain a Competitive Advantage with ISO Certification.” You can watch it in its entirety here. Finding a competitive advantage is never easy, but there’s one in risk management, and the route to it is ISO 27001 certification.
