The top 3 sectors embracing the ISO 27001 framework as their biggest weapon against a security breach
The SRM Blog

Written by Julia Wailes-Fairbairn

30th July 2019

These days, you don’t have to look very far to find the latest data breach story to hit the news. At the same time, we are seeing more and more conversations on social media suggesting that we are all doing what we can to be proactive. However, this is not yet true of every industry. Rather than call out those who may be lagging, let’s discuss the sectors that are doing their utmost to lead from the front by using the ISO 27001 framework to implement best-practice policies and procedures within their organisations.


An increasing number of law firms are moving towards becoming ISO 27001 certified. It may have something to do with the fact that 2018 saw a significant rise in the number of law firms reporting security incidents, up 15% from the previous year, according to research by PwC. These incidents commonly involved their own staff and included the loss or leakage of confidential information, highlighting the need for better information security management within the legal sector. As well as its own corporate data, a law firm holds a wealth of client information: financial information, proprietary information and intellectual property, litigation strategy information, personal data and other legally privileged information.

So why have so many law firms moved towards becoming certified? The ISO 27001 framework sets out the requirements for an information security management system (ISMS), a best-practice approach that covers people as well as processes and technology. It also mandates regular staff awareness training and can be the perfect starting point for building out a more comprehensive cyber strategy.


The FCA is proactively promoting the use of the ISO 27001 framework in 2019. It has published several cross-sector surveys on business and cyber resilience, and some of the findings relate directly to issues that could be lessened or solved by adherence to this type of framework. Change management, for example, is a well-established technology discipline, so it might be reasonable to assume that most firms across all sectors would have assessed themselves as mature in this area. However, there is a disconnect between firms’ self-assessed strength in change management and the analysis of incidents reported to the FCA.

For example, poor change management caused almost 20% of the incidents reported between October 2017 and September 2018. Additionally, 80% of firms reported that they maintain a register of third parties. However, half of firms admitted that this list is not comprehensive enough to include every firm that is able to access their systems and data. Without this understanding, it will be difficult for firms to appropriately assess the criticality of third parties, and the resulting risk to the services they provide. ISO 27001 encourages this practice and gives guidelines on how to maintain and assess these aspects on a continuous basis.


Many in the retail sector have responded to the increasing need to demonstrate the steps they are taking to safeguard their customer and supplier data by becoming ISO 27001 certified. This is in addition to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) which is mandatory for those handling card data.

PCI DSS compliance is a legal requirement across all European countries – and it also applies worldwide in some form. It demonstrates that retailers have control over the payment card information they process and that they take steps to prevent data theft and fraud. There are different levels of PCI compliance, and any organisation that takes payments for goods or services on the Internet, even if the actual transaction is outsourced, must go through some level of assessment. The penalties for non-compliance can be catastrophic, so it makes sense that e-commerce businesses, high-street retailers and SMEs alike pay particular attention to their wider information security strategy.

The ISO 27001 framework helps them to do this. In contrast to PCI DSS certification, the ISO standard is advisable rather than compulsory, but retailers find there are significant benefits to following the framework and demonstrating an additional layer of security to their customers and suppliers. ISO 27001 sets out a best-practice standard that is especially helpful for GDPR compliance. In 2019 there has been an increase in spend by the retail sector, which also reflects their adoption of internal security teams and their use of trusted third parties to assist in regular penetration testing and incident simulation exercises.

While we appreciate that working towards the certification isn’t in everyone’s plans, let’s recap the main benefits to those firms that have chosen to do so:

  • They have joined approximately 30,000 other organisations around the world that are already certified to ISO 27001, and companies looking to contract with governments or large corporate businesses will find that ISO 27001 is fast becoming a prerequisite for engaging in business.
  • Once certified, they can ask that contractors and suppliers also work towards certification, ensuring that all third parties that have legitimate access to their information and systems will maintain suitable levels of security.
  • ISO 27001 provides a useful workable framework to help towards adherence to GDPR. Under GDPR a data controller is liable if any third-party data processor suffers a breach.
  • ISO 27001 Global Report (2016) by IT Governance: ‘98% of respondents say that the most important benefit of ISO 27001 was improved information security, while 11% said it improved company reputation, and 8% said it improved competitiveness’.

To discuss ISO 27001 compliance or any aspect of your information security, call Mark Nordtrom on +44 (0) 3450 21 21 51.
