OPINION: ISO/IEC 27001 Standard is key to managing digital security

Thursday October 17 2019

By Tumainiel Malisa

More than ever, organizations are embracing technology to drive business operations and hence effectiveness and efficiency.

The rewards in optimizing business processes and institutional productivity are clear. A recent demonstration of this change is the paradigm shift witnessed within the payment space with diminished physical transactions involving cash in settling their bills, thanks to technology.

Likewise, top executives are increasingly relying on the use of technology such as analytics, social media and mobility to change customer relationships, enhance internal processes, and in the end continuously challenging the status quo while delivering compelling value propositions to the society.

But with the rewards from technological advancement come technological and security risks. Hence an organization needs to be mindful of the security of its own confidential information assets as well as its customers’ since a breach in either of these will damage its reputation.

To overcome the challenges leading to these security risks that come with technology, there are a number of internationally recognized standards that help businesses secure their information assets. One such standard which organizations need to consider is the ISO 27001 standard.

The ISO 27001 is an international best-practice standard for information security management.


Widely regarded as the de-facto standard by which organisations can be measured and certified for information security management, it specifies the requirements for the design, establishment and continuous improvement of an Information Security Management System (ISMS) and is applicable to all organisations regardless of their type, size or nature.

Since organisations have varying information security objectives, the standard also helps organisations to assess information security risks tailored to their requirements and expectations of stakeholders.

The drivers to adopt and implement the ISO 27001 standard or any other standard can be broadly categorised into two, namely: performance and conformance. Performance includes all benefits (tangible or intangible) that can be ascribed to an organization as a result of the implementation of the standard.

Examples of performance drivers include protection of critical business information, having a holistic process in place for managing enterprise security as opposed to managing security in silos, addressing the needs and expectations of all stakeholders (internal and external) and gaining competitive edge when trying to market a certain product.

Conformance drivers relate to compliance to regulatory requirements stipulated by regulatory agencies or government e.g. the Cybercrime Act of Tanzania, 2015

According to the 2018 ISO 27001 annual survey conducted by IT Governance Institute, more than 70 per cent of respondents reported that improving information security was the biggest driver for implementing ISO 27001, with other top motives for adopting the standard being to gain a competitive advantage (57 per cent), to ensure legal and regulatory compliance (52 per cent) and to achieve GDPR compliance (48 per cent).

Delivery of ISO 27001 standard should be treated similar to any other major project, and typically is implemented through the ‘Deming Cycle’ (Plan-Do-Check-Act).

The four steps translate to first establishing the ISMS, implementing it after which one should monitor and review progress. The “Act” step seeks to continuously improve the ISMS process based on prior actions.

In measuring success of ISO 27001 just like any other project, organizations need to ensure that they have executive leadership support and buy-in on the overall programme. This is through giving clear direction (e.g. policies), demonstrating their commitment and explicitly assigning information security responsibilities to designated personnel. Why embark on the ISO/IEC 27001 implementation journey? Well apart from forming a strong foundation to strengthen information security across an organization, an organisation with an established ISMS standard will also build confidence among stakeholders in the organization’s approach to information security management. Certainly, a commercial advantage if competitors have not taken similar steps - so food for thought!

Tumainiel Malisa is Manager in the Risk Assurance Services. He is a PECB certified ISO/IEC 27001 Lead Implementer. The views expressed are those of the author do not necessarily represent those of PwC.