ISO 27001 implementation

[Ridzi]

Hello everyone,

I currently work for a digital consultancy. I recently started working on implementing the ISO 27001 standard (“Information security management”)
I have a few questions in mind and was hoping that we could start a discussion around the topic.

- First of all, any general experience feedback would be appreciated on the question. I am mainly trying to assess the effort needed to get ISO 27001 certified right now, but I understand it might depend on several parameters such as the size of our company (we’re only 30 employees), our budget, the time we have to comply, and simply what is the gap between where we stand right now with our Information Security Management System (ISMS; which is basically inexistent at the moment).
-How to decide the budget, resources needed for it?
- The time spent on such a project is also something I fail at assessing in an accurate manner right now, but I get the idea that this will be naturally quite a big project, not something that takes a few weeks.
- I’ve even been wondering about the relevance of such a project for a small company like ours. If we have a Data Protection Officer (DPO) for example, would that guide us enough on our compliance journey? Or would you still advise a small structure to go for ISO 27001 anyway (since the framework would be very concrete then)? It can get quite confusing.
-Finally, I am wondering how to identify the internal and external issues of the company (clause 4.1). Is there any sample of it? What kind of questions would I ask top management?

I am looking forward to some feedback on your experience with this topic. Thanks a lot!

 

[Guest]

Firstly, purchase the guidance documents for ISO 27001, they will help. Secondly, the Context can be answered by the management performing a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) to the security of the information they are responsible for. Hope this helps.

Since you edited your post, I've added this:

The choice of being certified is a strategic decision. Do not go on a certificate collection spree because someone thinks it'll bring work. The actual cost of certification is easy - get three quotes from three top name CBs. - don't fill out an online form the sales people will bug you. Call and get a rough order of magnitude quote - it's based on days of auditing and that's based on the number of employees and risks. The quote will be for a total of 3 years, typically - the period of certification.

How much it costs YOU, the organization is going to depend on other factors. Have your people any clue about information security. ISO 27001 is just "cyber" security.

Having a DPO may be helpful. It depends on their knowledge. Information security is everyone's responsibility and the development of policies and procedures, testing and other activities (auditing etc) for an ISMS is difficult to put a number on. Your management need to decide if it is useful to the organization's objectives and goals a) to have a robust ISMS and b) to have it certified.

 

[Ridzi]

Firstly, purchase the guidance documents for ISO 27001, they will help. Secondly, the Context can be answered by the management performing a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) to the security of the information they are responsible for. Hope this helps.

Since you edited your post, I've added this:

The choice of being certified is a strategic decision. Do not go on a certificate collection spree because someone thinks it'll bring work. The actual cost of certification is easy - get three quotes from three top name CBs. - don't fill out an online form the sales people will bug you. Call and get a rough order of magnitude quote - it's based on days of auditing and that's based on the number of employees and risks. The quote will be for a total of 3 years, typically - the period of certification.

How much it costs YOU, the organization is going to depend on other factors. Have your people any clue about information security. ISO 27001 is just "cyber" security.

Having a DPO may be helpful. It depends on their knowledge. Information security is everyone's responsibility and the development of policies and procedures, testing and other activities (auditing etc) for an ISMS is difficult to put a number on. Your management need to decide if it is useful to the organization's objectives and goals a) to have a robust ISMS and b) to have it certified.

Thank you for your updated response. Yes, staff has a little knowledge of information security (basic cyber essential training etc).

I understand your SWOT analysis response, but is there any template or sample available for clause 4.1 especially?

 

[Guest]

but is there any template or sample available for clause 4.1 especially?

Try Google. Lots out there. Unlikely there's a specific one to suit your organization - everyone is different. You have to put in the work, it's not something you can copy from elsewhere. It's about ownership. Your SWOT, created by your management will be owned by them, because they created it. You can't force another one on them and get the same result.