Ryan Ettridge, PwC digital trust presenting a seminar on the importance of ISO 27001
Information Security

ISO 27001 – Why is it important?

Published: January 27, 2017

Here at PwC’s Auditor Training, we have recently released our latest auditor training course, and it’s all about ISO 27001 Information Security, the internationally recognised information security standard.
We asked Ryan Ettridge, PwC Partner in Digital Trust and Risk Assurance, to explain why ISO 27001 and information security are so important, particularly in today’s security-conscious business environment.

Ryan has extensive experience in information technology, particularly in IT risk and cyber security. He has managed and embedded transformation programs for clients across all industry sectors, and his strong focus on cultural change and his ability to blend people, processes and technology give businesses the security foundations they need to confidently manage modern information technology risks.


What is ISO 27001?

“ISO 27001:2013 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way.”

Why do we need it?

“Information security is a business problem, not an IT problem. Risk-based approaches are vital for modern information security effectiveness.
There are many ways to achieve security risk management, so a good standard like ISO 27001 puts formalities in place to ensure the right thought processes were followed and captured when the inevitable breach is realised.”

What value does ISO 27001 certification add to a business?

“Certification is fundamentally about providing trust and confidence – and these can provide a competitive edge. In today’s world, our customers, business partners and shareholders want to be sure that you’re not putting them or their businesses at risk by not having appropriate safeguards in place around information and technology enabled business assets.

Boards want this confidence; management wants this confidence; and certification is a solid way of showing that you have invested and continue to invest to maintain appropriate levels of security based on acknowledged risks.”

Can I achieve the same processes without certification?

“Many organisations do follow the same process to achieve their security objectives without ever certifying, however certification is the formal proof that the standard has been integrated. Consistency and repeatability are key for traceability and justification of security investments. Understanding the standard in enough detail to appropriately apply it is necessary if you want to be truly effective.”

Why choose ISO 27001 over other standards such as NIST and IS 18?

“This is a common question, and the reality is that the standard is flexible enough to be adopted for all industries and maturities. It can be integrated at many layers to ensure both security and compliance.”

Where do you see information security heading into the future?

“Anything that can be digitised is being digitised, so access to information and anything that is connected presents far greater risk to society than ever before.

As long as there is a dependence on technology to live, there will always be malicious, accidental and other ways to cause negative impacts. Security is a byproduct of risk management. Security in the context of this conversation is about shifting the cyber risks in your favour – InfoSec must become part of your everyday personal and professional lives just like locks on your doors. Live it, breathe it.”

What are the potential career pathways for a person with ISO 27001 knowledge and experience?

“We talk a lot about ‘lines of defence’ in risk management and assurance. Let me briefly explain…

Line 1 involves Management/Leadership/Operations – these people set the tone for risk and manage the day-to-day running of a business.

Line 2 involves the SMEs and advisors to the business involved in how to manage risk within the business’s frameworks and policies.

Line 3 is an independent audit.

In all three lines of defence, this skill is well respected such that we know how to operate within our risk appetite; we know how to tailor and integrate a practical framework/standard; and we know what to audit against. Whether I look to hire a security architect, analyst, auditor or otherwise, knowledge and experience with this standard is always included.”

To find out how PwC’s Auditor Training can help, contact the Training Academy team.

One Comment

Powtoon Blog

think PwC puts it best, “Information security is a business problem, not an IT problem… so a good.
