Please note: This table does not include all the ISO standards. It contains only some of the main ones you will come across working within GRC.
The ISO (International Organisation for Standardisation) is an independent, international body that develops and publishes standards across many industries, of which the information security and business continuity standards discussed here are a small subset.
ISO - International Organization for Standardization
Having an ISO certificate is a badge of honour: it demonstrates that an independent auditor has assessed the organisation against a specific standard and found it conformant. For a security standard such as ISO27001, that indicates a defined minimum set of controls and processes is in place. This creates demand, because many businesses refuse to buy from an organisation that does not hold the certification(s) they require.
The demand for ISO certification creates jobs for GRC professionals on both sides of the coin. Businesses want to gain and maintain their ISO certifications, so you can work internally to build and run the management system and prepare for audits. Alternatively, you can work for a certification body, auditing organisations against the standard and issuing a certificate if they meet its requirements.
It is worth noting that ISO standards are not the only standards around. Many countries, sectors, and regulators have their own frameworks, which can be confusing. Although ISO standards are recognised globally, the United States in particular tends to favour NIST standards, which are published by a US government agency.
Preferences in standards also shift over time. For example, after COVID-19 in 2020, many businesses started asking for ISO22301, the Business Continuity standard. Certification to it demonstrates that an organisation has a documented, tested Business Continuity plan covering a range of scenarios, including pandemic response. So, if you want to sell software or IT services, it is important to plan for incidents, disasters, pandemics, and so on, because the marketplace is demanding it.
Businesses often refuse to adopt standards if they cannot see a financial gain in it. Business leaders may ask, "Why should I be more secure if it costs money? We have not been hacked. Why do I need to plan for an emergency?" Often, the only reason businesses pursue ISO certification is that customers or potential customers ask for it.
Therefore, a new customer or a prospective deal is often the driving factor. Businesses will sign contracts with customers/clients committing to achieve ISO27001 within the next 12 months, or ISO22301 within 24 months, or similar. The customers need this assurance for their own internal compliance requirements, so they pressure their suppliers to conform to and adopt these standards.
Smaller companies are normally less mature, and a ground-up implementation can be costly and time-consuming, as it requires a significant shift in mentality across the organisation. Bigger businesses are more like well-oiled machines with refined processes that need limited input, just someone to observe and maintain them (although that is not always the case).
Here are a few examples of the standards and certifications Microsoft holds: https://learn.microsoft.com/en-us/compliance/regulatory/offering-home
That is just the preamble to discussing ISO standards. It took me a long time to understand this, as no one really explained it to me. I wish someone had broken it down in this way when I started with ISOs. Hopefully, this has helped contextualise and explain the ISO and IT relationship.