ISO/IEC 27001 is an internationally recognized standard that sets requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

The ISO/IEC 27001 standard covers information technology, security techniques, and management systems for information security. Recently, more organisations are choosing to obtain ISO/IEC 27001:2013 certification. In this article I discuss why these organisations make this decision and, more importantly, how they benefit from it.

The initial decision to obtain ISO/IEC 27001 certification is often dictated by external factors, such as a customer or a regulator who wants more certainty regarding information security. This is becoming an increasingly common practice, and in many tendering processes ISO/IEC 27001 certification is already a knock-out criterion. Moreover, organisations do not want to be left behind by the competition, and an increasing number of organisations already hold ISO/IEC 27001 certification.

Consideration of these factors leads to the first encounter with the standard and with the concept of a management system. Implementing a management system generally causes the most problems in the beginning: the process approach and the plan-do-check-act cycle prove difficult to put into practice. The implementation begins as a project, but it is never actually finished. The most important thing is continuous improvement.

The obligation to continuously improve is the one thing that always ends up being the most beneficial. The management system needs to provide accurate information about the current status of information security, so that the organisation can learn from its mistakes and make adjustments. This requires monitoring, and it requires that processes, the documentation of agreements, and training be standardised. In the end, this leads to improved efficiency, which is an advantage that no one predicted in the beginning—in fact, quite the opposite!