At TDX Group, we’ve chosen to certify to ISO27001 – the international standard for information security management – so clearly we believe this is a critical investment that reflects our commitment to data security. However, for smaller businesses, such as debt collection agencies, do the benefits justify the cost and operational overhead? Or, are there other options?
I guess the place to start is: why certify at all?
Data security is an ever higher priority for businesses as continual international debate on privacy and the endless list of data breaches makes customer trust increasingly difficult to maintain. So, being able to show consumers and customers that you’re subject to regular independent audits on security can earn or retain customer loyalty, set your organisation above competitors, and build trust in your brand. In short, certifying is no longer an optional extra, it’s a ‘must’ and a regular independent audit is a key part of making sure that data is being handled securely.
So assuming you do go ahead and certify, in addition to the few mandatory standards (such as PCI DSS), there are a few important considerations to weigh up when choosing your standard:
1. Global recognition
Very few of the over 1,000 existing standards are recognised (let alone valued) in the world’s biggest markets. Be wary of local or unproven standards which have a much lower impact in other markets, and always aim to utilise third parties who are accredited by a national body (such as UKAS in the UK).
Be sure to compare the cost of certification to the benefits that you can reasonably expect it to bring – such as reducing client audit overheads or attracting new business, as well as mitigating the risk of a data breach. Don’t forget to consider any impact on your existing processes, which may have to change to conform to your chosen standard.
The rate of change in IT security is often faster than standards can be reviewed and updated. When you’re choosing a standard, you should make sure that it’s flexible in order to allow you to respond to market demands or emerging threats.
All being well, your organisation will grow over time – choosing a security standard which is designed for small businesses is likely to reduce the initial workload, but may mean that your hard work in gaining certification is abandoned when you lose the ‘SME’ label.
To ISO or not to ISO?
Certifying to a security standard can be an expensive process, particularly with up-front costs such as audits and potentially consultancy support. However, once it’s in place, and with the correct marketing effort, holding a recognised and trusted certification can put your business ahead of its competitors. If adopting ISO27001 immediately is too onerous, using a lighter standard such as the UK Government’s Cyber Security Essentials is a method of reducing the short-term challenge and preparing an organisation for more in-depth and rigorous standards over time.
At TDX Group, our view is that ISO27001 is a trusted barometer for security management, and we strongly encourage debt collection agencies to certify to this standard using a UKAS-accredited certifying body.
By David Rimmer, Head of Information Security