|
The first question I often get when talking to IT Service providers on ISO 27001 certification is: “How much does it cost to get it?” I like to reply with a question: “how much does it cost when you don’t have it?” The answer to the first question is easy, the answer to the second one is more complicated. As a financial I am interested in the business case. If the cost of not having an ISO 27001 certification is higher than the cost of getting and maintaining one, you can actually make a profitable investment by getting certified.
The cost of NOT having an ISO 27001 certification
Let’s have a look at some of the cost components of NOT having an ISO 27001 certification.
Opportunity Cost – Do you know how many opportunities for new customers are lost because you are not properly certified? How many of your target customers would prefer a supplier that is properly certified and won’t even consider you? And after having done the sales funnel math, how much margin would you potentially loose and for how many years?
Lost customers (Churn) – You have invested to acquire and maintain your current customers. How many would potentially turn their back on you because they are increasingly concerned about security and are looking for evidence of compliance? How much margin is at stake today and in future years?
Trust and Transparency: lost opportunity for a competitive advantage – With ISO 27001 you can turn your information security management into a competitive advantage and a weapon against churn. You will earn customers’ trust, being able to provide them with transparent and pro-active reporting on security, incidents and measures taken. This will not only reduce the risk of churn of existing customers, but will also position you better to get new customers in, which will improve your future revenues and margins. Without ISO 27001 chances are this opportunity is lost.
Risk of data loss, breach of privacy or confidentiality and outages – Cost may vary from SLA related compensation credits and “fixing the problem” cost to claims for damages, customer loss and reputation damage. You may limit some of these risks by contractual exclusion and mitigation and—sure—customers will understand this as such. But what if they are not convinced that you are properly in control? Your contractual clauses won’t help you, because they won’t buy your services at all. Will an ISO 27001 certification exclude all possible risk? No, of course not. But in this case customers more easily accept your contractual clauses, because you can prove that you have done your utmost to prevent security incidents. And if your organization is fully aware of all elements of information security and acts and behaves in line with the ISO 27001, no doubt that you have significantly reduced security risk and related cost.?
The business case
So, after looking at the above, what are the costs of NOT having an ISO 27001 certification for you? You might have compensating controls and/or assurance reports like ISAE3000. They have a mitigating effect on the cost of NOT having an ISO 27001 certification, which needs to be taken into account of course. After you have looked at all the components above and you have done the business case, it’s up to you: can you afford the cost of NOT having an ISO 27001 certification?
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byVerisign
I don’t know. We don’t have the answers to any of the questions you pose.
I would be interested in knowing if there is any advantage at all.
Or if there is no reason to worry about this type certification at all.
I could argue that there are *many* good operators who diligently handle all these potential issues, and that they have *many* satisfied customers, but they perhaps did not have their operations assessed and certified. They might be as busy and as profitable as they want to be.
Also, there are at least some certified operations that though they did hire an assessor and they have a big three ring binder with a lot of papers in it, they have not properly handled all or even most of those potential issues. They are in over their heads, at least in some areas.
Jos, please feel free to post data supporting your assertions. I don’t think a magic certification automatically guarantees best practices. It might in some cases, but I have seen evidence of lack of those best practices many times, from those who surely know better, at least in some cases.
Thanks for your comments Steven and I completely agree that a certification does not guarantee best practice and not being certified doesn’t necessarily mean that those companies do not live up to the highest security standards. Key is that service providers handle their information security in such a manner that customers can rely on it. Not just for the sake of certification, but because they are pro’s. It’s what they do and they do it well. It should not be a onetime certification effort with a yearly update, but a daily way of working according the highest security standards. It should be in the culture of the organization and between the ears of all its employees.
There are indeed many professional service providers like that, without certification. From that perspective an ISO 27001 certification probably would not add a lot. However, they should ask themselves the question whether they could be commercially more successful by being certified. It wouldn’t be a big effort to them not to miss out on the increasing number of potential customers that require their vendors to be properly certified as a matter of policy or as part of their own certification. And if it ever becomes a legal requirement it’s good to already have it. You didn’t need to be forced to get certified and you don’t have to get in line during peak hour.
To many others, getting ISO 27001 certified is a perfect way to focus on upgrading their information security management up to the highest level. The Standard guides them in a very effective and efficient way. And after having gone through the effort, why not take the reward of an internationally recognized and increasingly asked for certification? After the auditors have left and the certificate has been obtained, the mission really starts: they now have the framework and the processes in place to live up to that Standard every single day. The certification is a kick starter to them internally and a USP externally.