Are you choosing to implement ISO 27001 standards for your organization? In this article, the co-founder of ISOPlanner Ivar van Duuren explains all about the benefits, challenges, duration, and costs of implementing ISO 27001. This way, you know what you’re getting into and can make this project a success!
The 3 benefits of ISO 27001 certification
The main advantage of obtaining an ISO 27001 certification is that you have the certificate. That means that you can demonstrate, for example to new customers who find it important that you as a supplier handle their data well, that you handle information security well. It may help that you no longer have to fill out an extensive information security checklist with new customers. But you can suffice by showing your certificate.
Certification can also make international business easier because ISO is an international organization. And ISO 27001 is an internationally recognized certificate. If you also want to do business across borders, having the certificate makes this a lot easier.
And, perhaps the most important benefit: implementing ISO 27001 makes you take information security much more seriously. No matter how well you are already doing as an organization, you will find that by implementing ISO 27001, the level of information security gets a whole lot better.
How long does it take to get ISO 27001 certified?
How long does it take to become ISO 27001 certified? That can vary quite a bit. Many organizations take at least a year. Other organizations opt to put all the available manpower into the project. And they do it in six months.
If you use an application that also provides you with the documentation you need for ISO 27001, it can be as quick as within three months.
Read also: ISO 27001 Step-By-Step Guide
What are the costs of an ISO 27001 certification process?
For an ISO 27001 certification process, you need several things. One of the things you need in any case is a certification audit. An auditor checks whether your organization meets the requirements of ISO 27001.
Those costs depend very much on the size of your organization. And also on how many branches your organization has. But for a small organization, you can count on €15,000 in three years.
Read also: What does an ISO certification auditor do?
Next, you may opt to hire a consultant to help you implement ISO 27001. Again, these costs can vary considerably. But as a starting point, you can figure around €10,000.
Finally, you may want to use software to help you structure your processes. The cost of this is generally limited. You can get good management software for as little as €1,500 a year.
And additionally, you could choose to purchase a package of documentation for between €2,000 – €4,000. With this, you get a lot of documentation that you need. This helps you cut your consultants’ fees.
What is an ISMS?
ISMS stands for Information Security Management System. It’s the set of documentation, tasks, and things that you record to fulfill the requirements of ISO 27001. So ISMS is not necessarily software, it’s not necessarily a particular application.
It can be, for example, a combination of documents and tasks scattered throughout your system. But all of that together actually constitutes your ISMS.
You can also choose to use software for your ISMS. That has the advantage of bringing all the elements together. And so you have an overview of your information security management system in one place.
Also read: What are the benefits of ISMS software?
Challenges with ISO 27001 implementation
What do organizations encounter most when implementing ISO 27001? One is maintaining progress on the project. A project can take quite a while, approximately between 3-12 months. So you have to make sure that you stay involved during that time and that progress is maintained.
The second thing that can be challenging when implementing ISO 27001, is involving all your employees who have a role in this. Make sure they get the information they need and do what they need to do.
Finally, once you’ve achieved ISO 27001 certification, it can be a challenge to keep up with the measures after that. You have to check that policies are being followed. And whether things are set up as you agreed.
Is it mandatory to implement all ISO 27001 measures?
Are the measures included in ISO 27001 mandatory to implement? The short answer is: no.
You are obliged by the ISO 27001 norm, to take inventory of the risks your organization contains regarding information security. And then take measures to mitigate those risks. In doing so, you can take suggestions from the list of measures included in ISO 27001 to assess whether or not you can use them.
You are also obliged to state why you’re implementing the specific measure from that list. For example, because you spot a risk, or because it’s some kind of best practice. Also, for each measure that you don’t implement, you are required to indicate why you don’t implement it.
So in theory, you can choose not to implement all those measures. And put together your own set of measures and implement just those. All with good explanation and justification.
What are the benefits of using sample documentation?
What are the advantages of using sample documentation when implementing ISO 27001? The first advantage is that you save a lot of time. All the documents that you need for ISO 27001 are provided to you so you don’t have to write them yourself.
You also get a structure. Your documentation won’t consist of just a list of documents. It will be delivered in a structure so you’ll know which risks belong to which measures. And which policies belong to which measures. So everything related will be already linked together. This provides you with a tremendous overview.
The third advantage is you won’t just save time and be provided with an overview, but you also have peace of mind. Because you have an example that you know is already OK. And you’ll know when you implement the measure, that it will be enough. And you’ll never have to wonder again, “Is this enough?”.
About Ivar van Duuren
Ivar van Duuren is a co-founder of ISOPlanner. At previous jobs, he experienced the fragmented ISO certification approach with loose documents and the pressure to do it within a certain deadline.
A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.
More tips about ISO 27001 certification?
Feel free to contact us. We would love to think with you!
What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains. ISO 27001 certification in a nutshell To give you...
In our daily practice, we’ve noticed that companies often work across multiple systems to meet certain compliance standards. For example, consider entering a new employee into an HR system. Often, it starts with one HR system, after which the HR person asks another...
What exactly is compliance automation? Why is it important for businesses? And what are the actual benefits of it? What is compliance automation? Compliance is about complying with policies you've created yourself. Or perhaps to requirements that external parties put...