Have you noticed how we always seem to be ready to reduce the importance of something? Maybe it’s a Britishness thing that makes us do this, but we tend to downplay our achievements. Humility and modesty are great things, but I sometimes wonder how healthy that is when it extends into professional conduct. Health and safety, for example, is something that often gets an apology when it really shouldn’t. I genuinely once heard this: “sorry, but could you put this life jacket on? You know how it is, health and safety, and all that”. Feeling the need to apologise for having to wear something that could save your life seems odd to me.
Compliance also seems to get a bad press, and many people look at meeting a standard as just “ticking boxes”. Well, frankly, we don’t. In fact, just the opposite. We are pleased to be ISO 27001 certified. No, actually, we are more than that; we are ISO 27001 believers. What I mean by being believers is that we don’t see ISO 27001 as hoops we need to jump through or a way of getting a nice certificate to show off with; we see it as a vital and integral part of what we do.
ISO 27001 is an international standard. Earning it means that your business can say that it is compliant with the highest data security standards, documented and led by an effective Information Security Management System (ISMS), and that it is continually improving those standards. It means that the company has met a stringent set of benchmarked requirements that prove it can maintain those standards. When you see ISO 27001 on our information, it is basically telling you that, according to regularly updated international standards, the data we handle is treated as securely as possible, from the ground up. It says that we are not only capable of legal compliance but that we can confidently say that your private data is handled using our “privacy and security first” ethos, something that runs throughout all our business processes.
To put that into perspective, it means that if your data is passing through an ISO 27001 compliant system, it is held securely as a whole, not just in isolated areas or specific functions. As well as the commonly vulnerable areas being assessed and proven secure, the whole system must be able to respond to common external threats such as cybercrime and data breaches, as well as other perhaps less newsworthy but nonetheless very destructive dangers such as the misuse and theft of personal information.
All this is before we get into the big legal compliance area of GDPR, which is probably one of the biggest concerns for modern businesses. It is simply unacceptable for any business organisation not to be GDPR compliant these days. The potential fines for non-compliance alone are enough to put a severe strain on any but the largest companies.
If you look at the .gov site relating to cybersecurity breaches, the numbers are chilling. According to the official statistics, four in ten businesses (39%) and a quarter of charities (26%) report having had cybersecurity breaches or attacks in the last 12 months. If you consider the amount of personal data that could be leaked just from the wrong person accessing something as intrinsic to your business as the payslips you issue, it is instantly clear how worrying these statistics are.
Our attitude is that we do more than just ensure we are compliant with ISO 27001 because, as I said earlier, we are believers. The principles of the standard run through everything we do and every action we take. We know that the security and continued protection of data is vital to every business. When you see the damage done by a data breach, you cannot help but be a believer in anything that lets you know you are interacting with a secure and compliant company.