ISO 27001 implementation

#1
Hello everyone,

I currently work for a digital consultancy. I recently started working on implementing the ISO 27001 standard (“Information security management”).
I have a few questions in mind and was hoping that we could start a discussion around the topic.

- First of all, any general experience feedback would be appreciated on the question. I am mainly trying to assess the effort needed to get ISO 27001 certified right now, but I understand it might depend on several parameters such as the size of our company (we’re only 30 employees), our budget, the time we have to comply, and simply the gap between where we stand right now with our Information Security Management System (ISMS; which is basically nonexistent at the moment).
- How to decide the budget and resources needed for it?
- The time spent on such a project is also something I fail to assess in an accurate manner right now, but I get the idea that this will naturally be quite a big project, not something that takes a few weeks.
- I’ve even been wondering about the relevance of such a project for a small company like ours. If we have a Data Protection Officer (DPO), for example, would that guide us enough on our compliance journey? Or would you still advise a small structure to go for ISO 27001 anyway (since the framework would be very concrete then)? It can get quite confusing.
- Finally, I am wondering how to identify the internal and external issues of the company (clause 4.1). Is there any sample of it? What kind of questions would I ask top management?

I am looking forward to some feedback on your experience with this topic. Thanks a lot!
#2
Firstly, purchase the guidance documents for ISO 27001, they will help. Secondly, the Context can be answered by the management performing a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) to the security of the information they are responsible for. Hope this helps.

Since you edited your post, I've added this:

The choice of being certified is a strategic decision. Do not go on a certificate collection spree because someone thinks it'll bring work. The actual cost of certification is easy - get three quotes from three top name CBs. Don't fill out an online form or the sales people will bug you. Call and get a rough order of magnitude quote - it's based on days of auditing, and that's based on the number of employees and risks. The quote will typically be for a total of 3 years - the period of certification.

How much it costs YOU, the organization, is going to depend on other factors. Have your people any clue about information security? ISO 27001 is just "cyber" security.

Having a DPO may be helpful. It depends on their knowledge. Information security is everyone's responsibility, and the development of policies and procedures, testing and other activities (auditing etc.) for an ISMS is difficult to put a number on. Your management need to decide if it is useful to the organization's objectives and goals a) to have a robust ISMS and b) to have it certified.
#3
Thank you for your updated response. Yes, staff have a little knowledge of information security (basic Cyber Essentials training etc.).

I understand your SWOT analysis response, but is there any template or sample available for clause 4.1 especially?
 
#4
but is there any template or sample available for clause 4.1 especially?
Try Google. Lots out there. Unlikely there's a specific one to suit your organization - everyone is different. You have to put in the work; it's not something you can copy from elsewhere. It's about ownership. Your SWOT, created by your management, will be owned by them, because they created it. You can't force another one on them and get the same result.
 