Gary Hibberd


We all have standards. Don’t we? The way we act, the way we dress, the way we conduct ourselves. Having high standards is no bad thing.

But in business, how can you evidence that these standards are working for you, and not against you? And which standards do you adhere to?


Introducing ISO27001

Recently there has been a lot of talk about people working remotely, due to the current pandemic crisis, and the risks to data security that this brings. However, for those organisations who have already implemented the security standard ISO27001, there is some hope (emphasis on the word ‘some’).


What is ISO27001?

If you’re not familiar with this standard, now would be an excellent time to become acquainted with a standard that has been around (in its current form) for 15 years. In short, ISO27001 is a structured approach to putting in place an Information Security Management System (ISMS).

It enables you to develop a strategic, tactical and operational approach to Information Security and, importantly, ensures you’re managing security risks.


What does it cover?

I like to think of ISO27001 as a quality standard for Information Security. It doesn’t just cover technology; it covers all aspects of controlling, managing and processing data, including the main aspects of data security:

  • People
  • Premises
  • Policies
  • Processes
  • PCs
  • Providers

Some believe that ISO 27001 is only for large organisations, but we have helped everyone from sole traders through to multi-national corporations implement the Standard. The only difference is the time it takes to implement the measures we help put in place.


Is it difficult?

Be under no doubt, the Standard still expects you to consider all 114 controls, whether you’re a team of twenty or a business with two thousand people.

It can be a complex process, but it shouldn’t be complicated. 

We have helped organisations achieve full certification to the standard in as little as three months. In others, it has taken longer due to the size and complexity of the business. But in all cases, the approach should be to make things as simple and easy as possible.

For example, some consultants will develop policies which are deliberately ‘wordy’ and will produce policies which aren’t needed. Why? Because they believe it looks impressive and will mean the client keeps coming back for more help (hence, spending more money). I think this approach went out in the early ’80s, and I firmly believe that ‘less is more’.

As the saying goes: “Any fool can make something complicated. It takes a genius to create simplicity.”

Irrespective of this, there are still around 30 mandatory documents and records you’ll need to put in place. Everything from an Information Security Policy, through to a Business Continuity Process will be required. But it’s still not difficult if you know what you’re doing.


What are the benefits?

In these worrying times, we have all adopted new ways of working, and the ‘control’ we once had over our working environment has now been pushed into people’s homes. Data is increasingly shared on hastily deployed devices by people who are under increased stress and pressure, thereby increasing risks to data security.

This means that there is an increased risk of becoming a victim of a cyberattack or suffering a data breach. (Action Fraud reported an increase of 400% in reported cases in March 2020.)

If reducing the risk of a cyberattack or data breach wasn’t compelling enough, then being able to demonstrate to your clients and customers that you take Information Security seriously should be.

If you want to grow your business, then there is a strong likelihood that your larger clients will expect you to demonstrate that you have Information Security under control. This can, of course, be achieved without having ISO 27001, but it will mean you’ll be completing questionnaires and writing policies for each engagement, wasting time and effort.

Having ISO 27001 reduces this burden and gives visible evidence that you care about data security.

Finally, if this isn’t compelling enough, there’s always the argument that ISO 27001 is a great way to demonstrate compliance with the General Data Protection Regulation (GDPR). Remembering that this is the law, and we need to adhere to it at all times, ISO 27001 enables you to measure the effectiveness of your Information Security and Data Protection practices.



I would always start with ‘why are you doing this?’ Do you NEED to be ISO 27001 certified? Or can you simply ‘align’ yourself to the Standard? Cost will always be a factor, but so are time and effort. Is it worth it? In my humble opinion, I believe it is. The benefits outweigh the costs, but only if you have a clear understanding of why you need to implement the Standard. Once you are clear on this, the whole journey will make sense and become far easier.

I believe having standards is important in life, and in business. ISO Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimising waste and errors and increasing productivity.

They can help you access new markets, boost your business (above your competitors), manage risks, increase employee and stakeholder engagement and increase evidential GDPR and regulatory compliance.

If these aren’t compelling enough reasons for you, then you probably shouldn’t implement ISO27001.
