ISO 27001: Save properly and increase efficiency

In these difficult economic times, many managers are scratching their heads about where they need to make savings. When valuable staff or important developments are cut, it’s not just business that suffers; cyber criminals also have an easy time of it. In an Austria-wide survey, companies show how ISO 27001 certification saves them time and reduces risks and security incidents.

For many companies, the introduction and maintenance of the ISO 27001 certificate is a key measure for ensuring information security. However, many ask themselves: How much time must be invested in order to fulfil and maintain the requirements of the standard, and is the result worthwhile? In our current status report, numerous companies were asked about this and pass on their valuable experience.

Time required to maintain ISO 27001

According to the results of the survey, 21% of companies state that they only invest up to four hours per week in maintaining ISO 27001 measures:

  • Up to 4 hours per week: 21%
  • Up to 1 day per week: 23%
  • Up to 2 days per week: 39%
  • More than 2 days per week: 17%

This means that 44% of companies spend a maximum of 1 day per week on maintaining ISO 27001, and a further 39% state that they spend a maximum of 2 days per week on it. This small investment in time is negligible compared to the time required in the event of a potential incident.

Influence of ISO 27001 measures on residual risk

The survey data says a lot about the residual risk, i.e. the risk that remains despite all security measures. 76% of respondents state that the ISO 27001 measures have reduced the residual risk in their organisation.

  • More than 20% risk reduction: 30%
  • Up to 20% risk reduction: 46%
  • No change in risk: 18%
  • Slight increase in risk: 6%

The implementation of ISO 27001 contributes to a significant reduction in residual risk. For 46% of respondents, this even means a significant risk reduction of up to 20%.

Solve security incidents faster and more efficiently

The implementation of ISO 27001 has far-reaching effects on the processing time for security incidents. A key finding of the survey is that 79% of respondents have seen an improvement in the identification and resolution of security incidents:

  • 35% of organisations stated that they had seen a significant improvement in the identification and resolution of incidents.
  • 44% reported a slight improvement in the speed of vulnerability identification and remediation.
  • 19% saw no change, while only 2% saw a decrease in response time efficiency.

These figures make it clear that the ISO 27001 standard makes a significant contribution to a faster and more effective response to security incidents through the introduction of clearly defined processes and responsibilities. The standardised procedure for identifying risks and eliminating security gaps ensures that companies can react quickly in the event of an incident and minimise damage.

Customer confidence increases through certification

76% of the companies surveyed rated the impact of ISO 27001 certification on the trust of their customers and partners as very positive. The certification not only serves as an internal management tool, but also conveys to stakeholders that internationally recognised security standards are being met. Customers and partners also feel that they are in better hands when it comes to data protection in a company that proactively takes measures to minimise risks and carries out regular audits.

Conclusion

The information provided by the companies surveyed shows that ISO 27001 certification brings numerous benefits, particularly in terms of the speed of identifying and resolving security incidents. The implementation of ISO 27001 also reduces the residual risk many times over and at the same time strengthens the trust of customers and partners. Companies that have successfully introduced an information security management system benefit both internally and externally from optimised security processes.

Further information

The status report (German) is available here for free download.