15 May 2015
Some weeks ago I took part in an ISO 27001 Foundation training. The students were all IT professionals, some of them involved in certification projects. Many of them complained about the high effort involved in getting certified.
Certification is often seen as a pure cost factor, in particular information asset classification. But once you have identified and classified the information assets, the entire organization can start working smarter. Let me show this by means of two examples.
Since you know exactly who is responsible for an information asset, you know the information owner and who is able to grant access to an asset if required. The onboarding process for employees is simplified because, based on the job description, access to the relevant information assets can be granted much more easily. The same is true for the offboarding process or the transfer of employees.
Your IT organization knows exactly which information assets are stored and processed on which IT systems. In the case of a new vulnerability you know exactly which systems have to be patched first. Thus IT organizations can focus again on their primary role as business enabler.
From my point of view an ISO 27001 certification is worth every dollar. It’s just a question of the right marketing…
Have a good day.