ISO 27001: effort, benefits and success factors

The establishment of an information security management system (ISMS) in accordance with ISO 27001 is a key task for all companies that want to strengthen their information security in the long term. However, this process comes with challenges – from the preparation time and documentation effort to the implementation costs. The results of the ISO 27001 status report provide valuable insights into practice and show how companies in Austria are dealing with these issues.

ISO 27001 certification not only enables companies to fulfil legal and regulatory requirements, but also facilitates supplier requirements and prepares them well for the NIS 2 directive. Before implementation, the strategy to be pursued and the objective of ISO 27001 certification should be determined. The companies surveyed in the 2024 status report cited supplier security, business continuity management and risk management as the most important priorities for the next 12 months.

Preparation time: How long does it take to get certified?

The majority of companies (60%) took between six and twelve months to prepare for ISO 27001 certification.

  • 12% completed the preparations in less than six months.
  • 21% took more than a year.
  • 7% of respondents stated that it took them more than two years.

These figures illustrate that setting up an ISMS can take different amounts of time depending on the size of the organisation, resources and existing security structure.

External consulting: support with added value?

Not all companies rely on external consulting:

  • 37% implemented ISO 27001 entirely internally.
  • 35% obtained targeted support for individual topics.
  • 28% relied on comprehensive external consulting.

The data shows that many companies are able to draw on internal expertise, while others deliberately rely on external support to make the process more efficient.

Challenges: Focus on time and documentation requirements

The biggest challenges in implementing ISO 27001:

  • 88% cited the time required as a major challenge.
  • 86% identified the documentation effort as a key challenge.
  • 51% referred to the complexity of integration into existing processes.

Other challenges, such as employee resistance, lack of expertise or technical requirements, were only mentioned to a minor extent.

Implementation costs: effort versus benefit

Estimates of the implementation costs are divided:

  • 47% of respondents see the costs as justified, as they lead to risk minimisation and added value.
  • 46% state that the costs are in balance with the benefits achieved.
  • Only 7% perceive the costs to be higher than the benefits achieved.

The results show that many companies not only recognise the long-term added value of ISO 27001 implementation, but also value it highly due to the increased security and protection against potential damage.

Conclusion

Building an information security management system in accordance with ISO 27001 requires time, resources and a clear strategy. The status report shows that despite the challenges – particularly in terms of the time and documentation required – most companies consider the investment to be worthwhile. Companies that have not yet embarked on this journey can learn from the experiences of others and plan their implementation strategy accordingly.

The status report (German) is available for free download here.