ISO27001 Security Management – Belgium starts closing the gap!

Information is by and large the “lifeline” of the modern organization and those organizations are becoming more and more dependent on their information systems. Such information systems are currently the focus of attack for many cybercriminals and pose serious threats in the world of information security. Facebook, Amazon, Apple, NMBS, Picanol have already had to deal with security breaches and the list continues.

Almost every organization already had to deal with an attack and smaller firms are insufficiently prepared to respond effectively to such incidents. It goes without saying, therefore, that every organization should manage its information with the utmost care and dedication.

Belgium lags behind…  

So how does an organization manage its information (systems) properly? Most internationally accepted guidelines and requirements regarding the management of information security are contained in the standard ISO 27001. ISO 27001 is a top-down process approach to security management which, if implemented correctly, will lead to the continuous improvement of security management within an organization. With GDPR legislation directly referring to this standard and the contemporary relevance of information security, one would think that the ISO 27001 standard is already being implemented everywhere, but that is not the case.

The implementation is running very slowly as studies show that Belgium, with only 94 certificates, is lagging behind enormously compared to our neighboring countries. There is a saying in security management that when its storms in The Netherlands, it starts raining in Belgium. As we often follow the security and compliance trends of The Netherlands with a delay of some years.

… but the ISO27001 standard is increasingly in demand. 

As a security company we currently do notice a strong increase in the demand for the security standard. So it seems that we are finally starting to closing the gap.

We crawled into the minds of Flemish IT & Security managers of organizations with an ISO 27001 certificate and looked at the effects on the organization’s Risk Management, why they have implemented the standard, and how about risk awareness in the organization?

Several interesting conclusions can be drawn from in-depth interviews with Flemish managers. The standard ensures better risk management in the organization, where everyone is aware that Security Risk Management does not ensure the elimination of all risks, but a considerable reduction in risk. More attention is paid to and the risks are dealt with, which ensures good business continuity in organizations with an ISO 27001 certificate. This was also the case during the corona epidemic, as certified organizations had little difficulty in dealing with the business continuity crisis. In addition to the ability to work completely remotely, employees were sufficiently aware of all risks when they worked from home.

The most important motivation for implementing the standard according to the managers is bringing in new customers. In international projects or public tenders, for example, the standard is increasingly in demand.

Non-IT employees are the group within the organization that is least risk-aware, but thanks to the strong focus of ISO 27001 on raising awareness within the organization, non-IT employees are much more aware of the risks. After the implementation, non-IT-employees report much more about possible dangers, and possible incidents are avoided.