Information Security

ISO 27001 – Why is it important?

Published: January 27, 2017

Why are ISO 27001 and information security so important, particularly in today’s security-conscious business environment?

We asked Ryan Ettridge, a Digital Trust and Risk Assurance specialist with extensive experience in information technology, particularly IT risk and cyber security, to explain why. Ryan has managed and embedded transformation programs for clients across all industry sectors. His strong focus on cultural change and his ability to blend people, processes and technology give businesses the security imperatives they need to confidently manage modern information technology risks.


What is ISO 27001?

“ISO 27001:2013 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way.”

Why do we need it?

“Information security is a business problem, not an IT problem. Risk-based approaches are vital for modern information security effectiveness.
There are many ways to achieve security risk management, so a good standard like ISO 27001 puts formalities in place to ensure the right thought processes were followed and captured when the inevitable breach is realised.”

What value does ISO 27001 certification add to a business?

“Certification is fundamentally about providing trust and confidence – and these can provide a competitive edge. In today’s world, our customers, business partners and shareholders want to be sure that you’re not putting them or their businesses at risk by not having appropriate safeguards in place around information and technology enabled business assets.

Boards want this confidence; management wants this confidence; and certification is a solid way of showing that you have invested and continue to invest to maintain appropriate levels of security based on acknowledged risks.”

Can I achieve the same processes without certification?

“Many organisations do follow the same process to achieve their security objectives without ever certifying; however, certification is the formal proof that the standard has been integrated. Consistency and repeatability are key for traceability and justification of security investments. Understanding the standard in enough detail to appropriately apply it is necessary if you want to be truly effective.”

Why choose ISO 27001 over other standards such as NIST and IS 18?

“This is a common question, and the reality is that the standard is flexible enough to be adopted for all industries and maturities. It can be integrated at many layers to ensure both security and compliance.”

Where do you see information security heading into the future?

“Anything that can be digitised is being digitised, so access to information and anything that is connected presents far greater risk to society than ever before.

As long as there is a dependence on technology to live, there will always be malicious, accidental and other ways to cause negative impacts. Security is a byproduct of risk management. Security in the context of this conversation is about shifting the cyber risks in your favour – InfoSec must become part of your everyday personal and professional lives just like locks on your doors. Live it, breathe it.”

What are the potential career pathways for a person with ISO 27001 knowledge and experience?

“We talk a lot about ‘lines of defence’ in risk management and assurance. Let me briefly explain…

Line 1 involves Management/Leadership/Operations – these people set the tone for risk and manage the day-to-day running of a business.

Line 2 involves the SMEs and advisors to the business involved in how to manage risk within the business’s frameworks and policies.

Line 3 is an independent audit.

In all three lines of defence, this skill is well respected such that we know how to operate within our risk appetite; we know how to tailor and integrate a practical framework/standard; and we know what to audit against. Whether I look to hire a security architect, analyst, auditor or otherwise, knowledge and experience with this standard is always included.”
