My organisation is non-IT and we are already ISO 9001:2015 certified. Now a client wants us to be certified in ISO 27001. But that certification is not beneficial for us in the future, as we are a non-IT company. Can you please advise whether we should go for this certification just because the client is asking, or whether it has future benefits? If it is not necessary, then what reply can be given back to the client?
Answer: Information security means the protection of information regardless of the medium it is held on, and this goes well beyond the IT environment (e.g., information flows through physical reports, people talk about it, etc.), and ISO 27001 can help you ensure proper information protection in all these situations. As practical examples, I can mention that pharmaceutical companies must protect their research information, and banks must protect information about their customers. Both are non-IT organizations to which ISO 27001 is perfectly applicable.
So, I strongly recommend that you seek certification, because, besides complying with a customer demand, by implementing an Information Security Management System (ISMS) based on ISO 27001 you can achieve other benefits like enhanced competitiveness, reduction of operational costs, improved internal organization, and ease of maintaining conformity with legal requirements.