Maintaining information security is one of the biggest challenges facing domestic companies. The forthcoming NIS-2 Act further increases this requirement with its statutory penalties for companies and their management bodies. A survey of 200 people from various sectors and company sizes in Austria has now asked for the first time to what extent the international standard for information security management systems (ISO/IEC 27001) helps to overcome these problems in practice. The result: around 81% of the certified companies stated that ISO/IEC 27001 had specifically improved information security in their organisation.

81% of the certified companies stated that the implementation of ISO/IEC 27001 had increased information security in their company, and 68% also attested that ISO/IEC 27001 had led to risk minimisation in their company. When asked how the implementation of the ISO/IEC 27001 standard had affected security incidents in the organisation, more than a third (35%) of respondents stated that there had been a significant acceleration in the identification of security incidents and the resolution of the problem. A further 43% noted a slight acceleration in the identification and resolution of incidents. “This shows that the introduction of the ISO/IEC 27001 standard in companies in all sectors improves the handling of data security and that risk areas and security gaps can be recognised and rectified more quickly – before a catastrophe occurs,” says Harald Erkinger, Managing Director of CIS, commenting on the results.
“The survey also shows that the added value generated exceeds the required effort and investment costs,”
For 93% of the certified companies, the benefits outweigh the costs
Implementing international standards is known to be time-consuming and costly. The status report identifies time and documentation expenditure as the biggest resource consumers. However, the result is satisfactory: 93% of respondents whose companies are ISO/IEC 27001 certified stated that the benefits and advantages outweigh the costs and effort of implementation. 61% of respondents were even of the opinion that the benefits and advantages clearly outweigh the costs. “This is remarkable in that the majority of companies (60%) stated that they needed between 6 and 12 months to implement ISO/IEC 27001. This means that a time investment is definitely required at the beginning, but this is completely levelled out by the effects of the certification,” says Erkinger about the significance of the results.
ISO/IEC 27001 therefore plays a practical role for companies in protecting sensitive data and helps to ensure information security in companies and organisations.
“In an increasingly digital world, in which threats from cyber attacks and data breaches are becoming more frequent, aligning companies’ IT and information security with this standard can generate significant added value in many cases. For example, more than 82% of respondents stated that the ISO/IEC 27001 standard should be categorised as ‘high’* for the overall competitiveness of their company”,
72% achieve certification without, or with only selective, external advice
Although the certified companies stated that they considered the time required (88%) and the documentation effort (86%) to be a challenge during implementation, more than a third (37%) of the companies completed the implementation without external help. A further 35% only utilised selective support during the certification process, and only 28% stated that external consultants were “heavily involved” in the certification process.
*The “high” rating was 7 or higher on a 10-point scale.