Expert Tips On ISO 27001 Implementation

Written by Ivar van Duuren

December 11, 2023


Are you choosing to implement ISO 27001 standards for your organization? In this article, the co-founder of ISOPlanner Ivar van Duuren explains all about the benefits, challenges, duration, and costs of implementing ISO 27001. This way, you know what you’re getting into and can make this project a success!

The 3 benefits of ISO 27001 certification

The main advantage of obtaining an ISO 27001 certification is that you have the certificate. It lets you demonstrate, for example to new customers who find it important that you as a supplier handle their data well, that you manage information security properly. It may also mean you no longer have to fill out an extensive information security checklist for every new customer; instead, showing your certificate can suffice.

Certification can also make international business easier, because ISO is an international organization and ISO 27001 is an internationally recognized certificate. If you want to do business across borders, having the certificate makes this a lot easier.

And, perhaps the most important benefit: implementing ISO 27001 makes you take information security much more seriously. No matter how well you are already doing as an organization, you will find that by implementing ISO 27001, the level of information security gets a whole lot better.

Also read: Benefits of ISO 27001 for cloud service companies

How long does it take to get ISO 27001 certified?

How long does it take to become ISO 27001 certified? That can vary quite a bit. Many organizations take at least a year. Others choose to put all the available manpower into the project and finish it in six months.

If you use an application that also provides you with the documentation you need for ISO 27001, it can be as quick as within three months.

Read also: ISO 27001 Step-By-Step Guide

What are the costs of an ISO 27001 certification process?

For an ISO 27001 certification process, you need several things. One of the things you need in any case is a certification audit. An auditor checks whether your organization meets the requirements of ISO 27001.

Those costs depend very much on the size of your organization and on how many branches it has. For a small organization, you can count on about €15,000 over three years.

Read also: What does an ISO certification auditor do?

Next, you may opt to hire a consultant to help you implement ISO 27001. Again, these costs can vary considerably. But as a starting point, you can figure around €10,000.

Finally, you may want to use software to help you structure your processes. The cost of this is generally limited. You can get good management software for as little as €1,500 a year.

Additionally, you could choose to purchase a package of documentation for between €2,000 and €4,000. This gives you much of the documentation you need and helps you cut your consultants’ fees.

Also read: Tips on asset risk management through ISO 27001

What is an ISMS?

ISMS stands for Information Security Management System. It is the set of documentation, tasks, and records you maintain to fulfill the requirements of ISO 27001. So an ISMS is not necessarily software, and not necessarily a particular application.

It can be, for example, a combination of documents and tasks scattered throughout your system. But all of that together actually constitutes your ISMS.

You can also choose to use software for your ISMS. That has the advantage of bringing all the elements together. And so you have an overview of your information security management system in one place.

Also read: What are the benefits of ISMS software?

Challenges with ISO 27001 implementation

What do organizations encounter most when implementing ISO 27001? One challenge is maintaining progress on the project. A project can take quite a while, roughly 3 to 12 months, so you have to make sure that you stay involved during that time and that progress is maintained.

The second thing that can be challenging when implementing ISO 27001 is involving all the employees who have a role in it. Make sure they get the information they need and do what they need to do.

Finally, once you’ve achieved ISO 27001 certification, it can be a challenge to keep up with the measures afterwards. You have to check that policies are being followed and that things are set up as you agreed.

Is it mandatory to implement all ISO 27001 measures?

Are the measures included in ISO 27001 mandatory to implement? The short answer is: no.

The ISO 27001 standard obliges you to take inventory of the information security risks your organization faces, and then to take measures to mitigate those risks. In doing so, you can draw on the list of measures included in ISO 27001 and assess whether each one is useful to you.

You are also obliged to state why you are implementing a specific measure from that list, for example because you have identified a risk or because it is an established best practice. Likewise, for each measure that you don’t implement, you are required to indicate why not.

So in theory, you can choose not to implement all those measures and instead put together your own set of measures and implement just those, as long as each choice is explained and justified.

What are the benefits of using sample documentation?

What are the advantages of using sample documentation when implementing ISO 27001? The first advantage is that you save a lot of time. All the documents that you need for ISO 27001 are provided to you so you don’t have to write them yourself.

You also get a structure. Your documentation won’t consist of just a list of documents; it will be delivered in a structure, so you’ll know which risks belong to which measures and which policies belong to which measures. Everything related is already linked together, which gives you a tremendous overview.

The third advantage is that, beyond saving time and gaining an overview, you also have peace of mind, because you have an example that you know is already acceptable. You’ll know when you implement the measure that it will be enough, and you’ll never have to wonder again, “Is this enough?”

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. At previous jobs, he experienced the fragmented ISO certification approach with loose documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips about ISO 27001 certification?

Feel free to contact us. We would love to help you think it through!
