Ratio of successful cyber attacks on organisations who are ISO 27001 certified
Are there statistics available which indicates the ratio of successful cyber attacks on organisations who are ISO 27001 certified against those who are not ISO 27001 certified?
Assign topic to the user
Unfortunately, we are unaware of such type of statistics (most probably because attacked organizations often keep details about the incident of the media).
What we can infer is that ISO 27001 certified organizations are recognized as less susceptible to such attacks, because insurance companies consider its implementation as a good practice and in some cases, it is a criterion to reduce the premium to be paid by companies with this certification.
These links can provide more information:
- Cyber Insurance: Recent Advances, Good Practices, and Challenges https://www.enisa.europa.eu/publications/cyber-insurance-recent-advances-good-practices-and-challenges
- Cyber Security Breaches Survey 2020 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020
For more about ISO 27001 benefits, please see:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Thank you for the response, much appreciated.
I just may not agree with the following statement that was made:
"Unfortunately, we are unaware of such type of statistics (most probably because attacked organizations often keep details about the incident of the media).”
I am sure that you will agree that there are sufficient enforcement of legislation related to cyber security breaches to ensure that all cyber- and information security breaches are recorded and reported to the relevant authorities as required.
Please note that:
- not all countries have laws and regulations enforcing communication of cyberattacks and information security breaches;
- some laws and regulations are specific about which incidents must be reported, and to whom;
- even with enforcement, some organizations may decide not to communicate incidents (i.e., they decide to absorb the impacts of not communicating in case it occurs)
Considering that, without a clear scope and sample, any statistics about cyberattacks and information security breaches need to be considered carefully.
Comment as guest or Sign in
Feb 15, 2021