In this article we will answer the questions we often receive about ISO 27001 certification.
This is indeed possible. The measures listed in Annex A of ISO 27001 are merely suggestions of things to consider implementing to manage the risks you previously identified. So the purpose of those measures is to control risks. But you don't necessarily have to implement each and every measure.
Actually, the suggestion in ISO 27001 is that you first consider which measures are appropriate for your risks. And that you then check whether the ISO 27001 measures are relevant.
So you may choose to implement completely different measures, for instance from a different framework. Yet in practice, we see very few organizations choosing to implement other measures. Because the ones from Annex A are quite easy and recognizable.
When the external auditor checks whether you have a sound and functioning management system for information security, he will also check the suggested measures from ISO 27001. Therefore, out of convenience, most organizations choose to just implement the ISO 27001 measures anyway.
Yes. ISO 27001 requires you to set up an information security management system, and that system has to meet certain requirements on specific topics. One example is identifying the stakeholders of your organization: which people or other organizations have an interest in you setting up information security properly? Another requirement is that you inventory risks. Even small organizations can set up a management system that fits their size just fine.
However, it is important to remember there are certain costs involved in implementing ISO 27001. If you eventually want to be certified, you will need an external auditor to check your management system. Certain basic costs are always involved in carrying out these audits.
Nevertheless, we advise small organizations to get certified or at least start implementing ISO 27001 measures. As soon as you have data of customers, employees or suppliers, for example, that needs to be secured, this is relevant. And that is almost always the case.
The sooner you start setting up a management system for securing that information, the easier it is to grow into it. Especially when customers or other stakeholders start demanding it of you. But even if they don't, it is very convenient and smart for a small organization to simply start setting up a management system for your information security quickly.
As such, an organization does not have to exist for long to be certified for ISO 27001. However, it does need a certain lead time from the moment you start setting up the management system according to ISO 27001 to the moment you get certified.
After all, you have to take certain steps, from setting up the policy to implementing certain measures. Then you will have to check whether that policy is properly implemented and complied with.
All in all, it takes an average of six months of running the management system before you are ready for certification. So if you start implementing a management system at the start of your business, that's fine. And if you then go through all the necessary steps, after six months or maybe a year you could just be ready for an external audit.
Firstly, the management of an organization has an important role in the implementation of ISO 27001. The standard itself requires a certain commitment from the management. And that commitment naturally includes the provision of resources needed for the implementation. Think of budget, but also people and time to be allocated by the management. So management commitment is important.
Next, you need someone to oversee the ISO 27001 implementation project. This is often a security officer (CISO): someone who is responsible for information security and takes on the project of implementing the management system as part of that role.
Finally, some managers are responsible for certain processes, for example an HR manager overseeing certain processes regarding staff. Or technical staff who implement certain technical measures. Of course, you want to involve them in this implementation as well.
The short answer is: yes, you can.
However, these two standards have a slight difference when it comes to purpose. ISO 27001 is a general information security standard that any kind of company in any industry can implement. NEN 7510 is specific to healthcare organizations or healthcare suppliers that also process healthcare-related data.
Despite this difference, there is an overlap between ISO 27001 and NEN 7510. NEN 7510 is an extension of ISO 27001 with certain care-specific measures. So if you want to comply with NEN 7510 and also see the added value of ISO 27001, it is quite possible and also smart to implement both at once.
In practice, we see that most organizations starting a certification process spend a year or slightly longer doing so.
Firstly, this is because it is quite a big project with a lot involved. Secondly, there is not always urgency or haste behind it. It is desirable and needed at some point. But if a customer asks for something or a more urgent project comes along, the priority of ISO 27001 shifts down.
Yes, it can be done faster. Especially if you use a documentation set with a ready-made implementation of ISO 27001. Here, you get all the standard requirements and measures already delivered, including policies and processes. Of course, you still need to tailor these. But it saves an incredible amount of time.
In practice, we have seen several times that organizations are sometimes ready for certification after only three months, although these are exceptions. Still, if you use such a documentation package, you can very well be certified within six months.
Check out the starter package of ISOPlanner and Instant 27001
There are several aspects to consider when it comes to the cost of ISO 27001 implementation.
If you want to get your organization certified for the standard, an external auditor from a certification institute will visit and check that you have a working information security management system. Some parts of the certification process take a certain lead time, and the size of the organization and the number of sites differ from case to case, so how long the auditor needs to check everything varies.
But smaller companies with up to 25 employees would do well to factor in around €15,000 for a three-year period. In those three years, the auditor does smaller checks every year and after three years, the certification expires and you have to have an auditor visit again.
In addition, you need internal resources, especially the time needed to oversee and manage the project. That also costs money. You will need someone to do an internal audit, a kind of pre-audit that you can do internally. Because the internal auditor has to meet certain competencies and experience according to the standard, you usually need someone external. An internal audit can generally be done in a few days, but that's still another cost of several thousand euros that you need to take into account.
Furthermore, you might need a consultant or advisor, someone to guide you through the implementation process. Some organizations do this all by themselves, but then often have a documentation set with sample policies and processes that they then tailor. Other organizations have a consultant running around all day to help them with this. So the cost of this varies enormously.
Finally, it is useful to have a place where you record everything: for instance, how you implement the standard requirements, what risks there are for your organization and which tasks are still outstanding. For this, it is useful to use software. The cost of this can be huge, but if you choose ISOPlanner, for example, a basic license for one person is already available for €583.
An external consultant or advisor is not necessarily needed. Some organizations work with ISOPlanner and use Instant 27001. The documentation set that contains all the policies, processes and risks you need then just needs to be customized. This gives them enough guidance and structure to go through the whole process.
Yet it is also common for organizations to engage a consultant or advisor. There are several reasons for this. One is the knowledge and experience. Because you run into all kinds of questions when implementing ISO 27001. When is a certain implementation of a measure sufficient? What is enough? What is too much? What is the connection between certain measures or risks?
An advisor or consultant will help you get answers to your questions, which can be very pleasant. In addition, such a party functions to add a certain pressure to your project. Because if you do it alone, there might be other work that takes priority. But if you need to account for your actions, it can be very motivating to take all the steps needed to get the certification.
No, a management system is not necessarily software. It is a combination of choices you make and things you record: for example, the commitment of the board, an outline information security policy, and the risks and measures you choose to implement. These are all choices and records, and you can keep them on paper as well, in a thick folder with policies, processes, and agreements.
If you opt for software, you can choose something you already use, such as Excel. What could be easier than capturing a list of risks in Excel? In another tab, you keep a list of tasks and who will perform them. So that is also perfectly possible, and there are lots of organizations that set it up this way.
Yet you do have some limitations. For instance, if you want to manage a particular risk and link several measures to it, each of those measures probably also helps with another risk or even several risks. These connections and links are more difficult to record in Excel.
However, in specific software made for recording the standard requirements and measures for ISO 27001, it is much easier. Then you link tasks to certain components you consider important. And you can see where those tasks have even more effect. It is also useful if it fits in with the other software your organization already uses.
When you start the implementation process, an external auditor comes into the picture just before certification, at the moment you have gone through the audit cycle to assess whether what you have established is working properly. This initial audit takes comparatively longer, as the auditor checks the entire management system for the first time.
Once you have your certificate that the management system meets the requirements, it is valid for three years. In the two intervening years, there is a control audit where most probably the same auditor comes by to check whether everything is still running properly. After those three years, the auditor comes by again to assess your entire management system for recertification.
In certification processes for ISO standards, there are two types of audits: the internal audit and the external audit. Only a recognized certification body is allowed to conduct an external audit. These institutions must also meet a variety of requirements from within the ISO organization itself, so look for a certified institution for the external audit.
You may perform internal audits yourself within your organization. However, this should be done by an auditor who has demonstrably sufficient knowledge and experience for this task. When an organization starts implementing ISO 27001, such a person is not available internally.
For this reason, most organizations hire an external consultant who has done this before and who meets certain competence requirements. This is not one specific requirement in the form of a particular degree, but the person must have a certain level of experience.
The most important thing is that the software you choose is made specifically for ISO 27001. Of course, you can also use software you already have, such as Excel. Yet it is more difficult to record specific things you need for ISO 27001 in such software.
Another aspect to consider in your selection process is to what extent the software connects or integrates with software your organization already has and uses. You do not want to have to make a whole new system your own.
For example, if your organization already uses Microsoft 365 and you have all your documents in SharePoint, it is useful to choose software that can also include the documentation, policies, and associated processes in SharePoint.
Similarly, if you work with Outlook for appointments, it is useful to choose software where you can also put tasks around the ISO implementation in Outlook.
Finally, budget is an issue. There is very complex expensive software and ‘free’ software such as Excel. ISOPlanner is available from as little as €583 per year for one basic license. You will probably need more features or licenses, but with that starting price, you can already get started with ISOPlanner.
Many organizations don't use specific software for ISO 27001 implementation and it doesn't necessarily go wrong. However, there are things you might run into.
One of them is collaboration. If you start collaborating in Excel sheets, it is not easy. Collaboration is a lot easier in software made specifically for that purpose.
It is also useful if the software is made for recording things and displaying interrelationships. That too is not so easy in Excel.
A third point is the transferability of a certification process if you don't use ISO-specific software. Many organizations that come to us are certified but report that the management system was set up by someone else and therefore no longer functions properly. The project then consists of separate Excel sheets and other documents that nobody has an overview of anymore. Out of necessity, they then restart the whole project.
Specific software that is made for collaboration, for recording these things, and for a transferable system will make your ISO project much easier and more sustainable in the short and long term.
Basically, it doesn't matter because most software has options for customization. However, ISO 27001 is much more common in Europe. In America, other standards such as SOC2 are more common. American software is therefore more set up for other standards like SOC2 than European software anyway.
Another related consideration is where your organization's data is hosted. It may be very important for European organizations to host all the data they use in software within Europe.
It probably does. The ISO 27001 standard gives a lot of freedom in how you ultimately implement those standard requirements and those measures. And also which risks you identify and how you deal with them. Because there is such freedom, we see in practice that implementations between different organizations differ enormously.
Yet there is common ground because every organization needs and wants to protect information. The integrity, availability, and confidentiality of information are paramount in this. And most organizations have broadly the same kind of data.
So if you really look closely, the risks at all these different organizations are roughly the same. And ultimately, the measures they take are also pretty much the same. And that's why Instant 27001's sample documents are suitable for lots of types of organizations.
First, what is a turnkey ISMS? The ISO 27001 standard requires an information security management system. One of the requirements of ISO 27001 is that you identify risks and ultimately take measures to reduce those risks.
For these measures, the standard itself contains some suggestions. In addition, you can implement a ready-made ISMS that consists of all these requirements plus a set of risks and measures. This means that all these requirements have already been implemented in the ISMS and sample risks have been provided. These sample risks are in turn linked to controls from the standard, and these controls are then also described in detail in policies or processes.
When it comes to documenting and recording everything, you do not have to reinvent the wheel yourself; you simply tailor everything to your company. That saves you a lot of time. We see that our customers who use a turnkey ISMS save up to three months or more.
The ready-made ISMS Instant 27001, which we offer in ISOPlanner, is generic and applicable to a very large group of companies. SMEs in the IT sector in particular need to make very few adjustments. It is also suitable for many other industries.
In any case, what is included meets the standard sufficiently. So if you are willing to work according to the principles and processes offered, you need to adapt very little. If you want to set it up quite differently, you will need more time to tailor everything.