Implementation of an Information Security Management System (ISMS) in line with ISO 27001:2013 demonstrates management commitment to protecting information assets, and getting certified to ISO 27001:2013 is a third-party endorsement that an organisation has fulfilled the baseline requirements.
Let’s look at what an organisation that is not certified misses out on. These are my top 5; needless to say, there are many more:
1) You will realise the true value of your own ‘information’ assets. Yes, this is true: in most organisations, what truly is their OWN asset, and its TRUE value, is revealed as part of this initiative. When the CEO answers the question ‘what is the most important information asset?’, it reveals what is really most important. One of the key exercises in an assessment is the valuation of assets on pre-determined levels (such as a 3-point rating), which helps identify the assets that require protection and those that do not.
2) You will know your vulnerabilities. Let’s put it this way: “Do you know exactly how many people could steal your intellectual property, or how they could do it?” OR “Do you know how many security vulnerabilities you presently have?” Only a formal assessment will show what your real weaknesses are. In the absence of a formal assessment you are far from understanding your own information risks.
3) You will know your security strengths. You may believe that your controls are working, but in most of our assessments we find that most controls are either non-existent or implemented so loosely that they do not work against a specific threat. ISO 27001 certification ensures that they are tested and measured.
4) You will test accountability and coordination in incident response. Accountability is either not understood or not enforced, both of which lead to confusion about whether responsibilities are fully covered. So when an incident occurs, personnel look at each other to establish who should act first. In a formal implementation the incident management process is well defined and tested.
5) Management will have clear visibility of security operations and responsibility. Management plays a key role in information protection, as they sign policies at the apex level; they sign documents that show ‘information protection = business protection’. In the absence of ISO 27001 this generally falls within IT’s responsibility, where information protection is driven “by IT, for IT and of IT” instead of “by the organisation, for the organisation and of the organisation”.
Not sure where to start? Consider a quick ISO 27001 gap analysis to find out where you stand.
Hope this helps!