Applicability of ISO 27001 across industries
People often mistake ISO 27001 for an IT standard, as something that is applicable to the IT industry only. And they are partially right – lots of IT companies are going for ISO 27001 because they see it as good for their businesses.
However, this is only half of the story – very often, companies that are not very obvious candidates for ISO 27001 are also implementing it – for example, pharmaceutical companies, health organizations, government bodies, etc.
ISO 27001 is about protecting the information, not about IT
Why are many non-IT companies interested in ISO 27001? Because, believe it or not, IT is not the key element in protecting information. In most cases, the companies already have all the technology in place – e.g., firewalls, antivirus software, backups, etc. However, they still suffer data breaches, because this technology alone is not enough: employees do not know how to use that technology in a secure way, and, more importantly, the technology is very limited when it comes to stopping an insider attack, so obviously something else needs to be deployed. See this article for details: Information security or IT security?
And this is what ISO 27001 is all about: it provides the methodology for companies to find out which potential incidents could happen to them (i.e., risks), and then define procedures on how to change employee behavior in order to prevent such incidents from happening. (See also: The basic logic of ISO 27001: How does information security work?)
From that point of view, any organization that has sensitive information, no matter if it is for profit or non-profit, small business or corporate, government or private, can benefit from ISO 27001 implementation.
Let’s see which industries are typically implementing this standard the most.
IT companies
Software development companies, cloud companies, and IT support companies are only some of those that implement ISO 27001. Most commonly, they do it because they want to win new clients by proving to them, with a certificate, that they are able to safeguard their information in the best possible way; some IT companies also use ISO 27001 to comply with contractual security requirements from their main clients, or with SLAs (Service Level Agreements). In some cases, fast-growing companies use ISO 27001 as a way to resolve problems in their operations, because this standard forces companies to define who is responsible for what and which steps need to be performed in the most important processes – something that is very often undefined in companies that are growing too fast.
Financial industry
Banks, insurance companies, brokerage houses, and other financial institutions typically go for ISO 27001 when they want to comply with numerous laws and regulations. Data protection legislation is the strictest for the financial industry, and luckily, the lawmakers have based their legislation mostly on ISO 27001. This means that ISO 27001 is a perfect methodology to achieve compliance, which makes it very easy to present such a project to the executives.
The second most common reason why these kinds of organizations implement ISO 27001 is cost – they want to prevent incidents from happening, which is, of course, much cheaper than dealing with the consequences of an incident. This approach is typical for the financial industry, because financial institutions are usually the most advanced when it comes to risk management.
Telecoms
Telecommunication companies, including Internet providers, are very keen on protecting the huge amount of data they handle and on reducing the number of outages, so naturally they look toward ISO 27001 as a framework that helps them do that. Further, similar to the financial industry, there is a growing number of laws and regulations for telecoms, where ISO 27001 is very helpful for compliance.
Government agencies
Typically, government agencies handle very sensitive data – in some agencies this data is confidential, but in all agencies protecting the integrity and availability of their data is of paramount importance. The fact that ISO 27001 was designed to satisfy those three concepts – confidentiality, integrity, and availability (the famous C-I-A triad) – makes it a perfect methodology to reduce the number of incidents to a minimum.
And, being an international standard recognized by standardization bodies in each country, ISO 27001 is a perfect framework with official government recognition.
… and any other organization with sensitive data
This list could go on and on – e.g., health organizations want to protect the data of their patients, pharmaceutical companies want to protect their development data and data on formulas, food processing companies protect their special recipes, manufacturing companies want to protect their knowledge on how certain parts are produced.
Basically, any company that has sensitive information can find ISO 27001 useful. To see a list of potential benefits, and to learn how to present them, read this article: Four key benefits of ISO 27001 implementation.
So, the point is: rather than viewing ISO 27001 as a purely IT project, you should view it as a tool to achieve some very concrete business benefits. And, when you do this, you’ll see that it can be applied much more widely than you initially thought, and it can help you in more ways than you expected.
To learn more about the most usual challenges with information security and how to avoid them, try this online Security Awareness Training.