The need for ISO standards in a security-demanding sector

  • Quadra’s Gavin Kane explains why ISO standards are increasingly essential for tech firms

    Certification to ISO standards is not new to the IT sector; however, the demand for ISO certification has been increasing consistently.

    Certification to standards such as ISO 27001 (Information Security Management) and ISO 9001 (Quality Management) has largely become the norm in the tech sector.

    This means that IT companies without ISO certification may struggle to differentiate themselves from competitors and may be unable to satisfy the increasingly demanding vendor approval requirements and conditions which organisations are applying to their supply chain.

    Indeed, the International Organisation for Standardisation is quoting annualised growth in ISO 27001 certificates of 87% (source: IS Partners).

    With the IT sector accounting for a massive 25% of the total certificates issued worldwide, take a few minutes to look at your competitors and identify how many currently hold ISO certification. If they do, they are already one step ahead.

    The UK is aiming to become one of the most secure countries in which to live and work, and as a result certification to ISO standards is becoming the norm in many sectors.

    On 31st October 2022, the UK Health Security Agency implemented a requirement that any company accessing protected UKHSA data must have a system of assurance in place, and ISO 27001 has been stipulated as one of only two options.

    The Health and Social Care Network (HSCN) (NHS Digital) has recently implemented a requirement under its compliance framework which stipulates that suppliers to the Health and Social Care Network must hold certification to both ISO 9001 Quality Management and ISO 27001 Information Security Management, and that the certification audit must be undertaken by a UKAS-affiliated auditor.

    Over the past 30 years, we have often heard of consultants quoting excessive figures to assist companies in achieving certification. The amount of external input required will vary from company to company. However, it is important to remember that funding may be available to assist with the cost of advice and certification.

    The project timeline for implementing an ISO standard varies from company to company and depends on a range of factors such as size, scope, number of staff, number of locations and complexity of the operation. The average project usually takes around 6 to 9 months from the beginning of the project to obtaining certification.

    There are a few pitfalls, but these can be managed with a level head:

    • Consultant selection – if you decide to use an external adviser, choose a company with experience in this field and a proven track record. Ask for references and take them up.
    • Scope – ensure that the scope of the ISO 27001 information security management system is clearly defined and realistic, and avoid ‘scope creep’ as the project progresses.
    • Certification body – always ensure that you select a properly ‘accredited’ certification body. If you don’t, the certificate is likely to be rejected as insufficient. Most certification bodies will carry UKAS or INAB accreditation; seek evidence of this before committing.

    Given the current trends within the IT industry, those without ISO certification may well be a dying breed.

    Now is the time to implement ISO Standards, especially ISO 27001. This will help your organisation focus on information security threats and protect your information assets by establishing robust policies/procedures and the technical controls required to protect the confidentiality, integrity, and availability of information.

    The Information Security Standard has recently been updated with changes to clauses 4 to 10, the Annex A controls and ISO 27002. Any organisation that is currently certified to the standard will have two years to transition to the updated standard.