Hello everyone,
I currently work for a digital consultancy. I recently started working on implementing the ISO 27001 standard (“Information security management”).
I have a few questions in mind and was hoping that we could start a discussion around the topic.
- First of all, any general experience feedback would be appreciated on the question. I am mainly trying to assess the effort needed to get ISO 27001 certified right now, but I understand it might depend on several parameters such as the size of our company (we’re only 30 employees), our budget, the time we have to comply, and simply what the gap is between where we stand right now with our Information Security Management System (ISMS; which is basically nonexistent at the moment).
- How to decide the budget and resources needed for it?
- The time spent on such a project is also something I fail at assessing in an accurate manner right now, but I get the idea that this will be naturally quite a big project, not something that takes a few weeks.
- I’ve even been wondering about the relevance of such a project for a small company like ours. If we have a Data Protection Officer (DPO) for example, would that guide us enough on our compliance journey? Or would you still advise a small structure to go for ISO 27001 anyway (since the framework would be very concrete then)? It can get quite confusing.
- Finally, I am wondering how to identify the internal and external issues of the company (clause 4.1). Is there any sample of it? What kind of questions would I ask top management?
I am looking forward to some feedback on your experience with this topic. Thanks a lot!