The Journey to ISO27001 Certification

25th January 2017 Author: InfoSaaS

There are many reasons why an organisation may want to implement an effective Information Security Management System (ISMS), and the vast majority proceed to have this independently assessed for ISO27001 certification. This important evidence demonstrates a responsible approach to information security, which is important for customer confidence and legislative compliance, and also helps to keep the organisation safe from ever-increasing cyber threats.

Whilst some organisations will complete their ISMS implementation and certification project using only internal resources, this is unusual, as there are some great methodologies, tools and resources available online that can improve both cyber resilience and the chances of certification success. However, it is important to understand that time and effort will be involved to develop the “information security culture” that is required, which includes:

  • ensuring the organisation’s senior management is committed to the project, and the achievement of its objectives
  • allocation of resources for the project, including any training needed to deliver project tasks well
  • understanding the security needs of interested parties – customers, partners, regulators etc.
  • the preparation of information security documentation and records – policies, procedures and work instructions
  • risk management: identifying the organisation’s assets and assessing the level of risk that threats and vulnerabilities pose to them
  • risk treatment: implementing security controls to manage risks which have been identified
  • delivering effective information security education, awareness and communications
  • selecting a certification company, and understanding their approach
  • external audit: Gap Analysis, Stage 1 Assessment (management framework), Stage 2 Assessment (implementation activities)
  • post-certification activities, continued internal audits, risk management, training programmes etc.

From our experience, most SME organisations will take between 9 and 12 months from project inception to the completion of certification activities. This is only a guide, however, and will vary depending on the complexity of the business, the number of employees and the amount of resource that has been assigned to complete the project. And the cost? That depends on the cost of the labour resource, the use of external specialists, expenditure on implementing controls, fixing risks and undertaking technical tests, and the certification process itself. Most credible UKAS audit companies will charge in the region of GBP 5,000 for initial certification, and an ongoing day rate for surveillance audits each year. So this is neither a quick nor a cheap activity to undertake, but the benefits of customer confidence and business resilience are widely acknowledged as far outweighing the costs of achieving an ISO27001 certificate.

At InfoSaaS, we’ve been implementing successfully certified information security management systems for over twenty years. Our experience over that time has allowed us to develop and deliver a variety of resources which continue to support successful ISO27001 certification projects to this day, which is why many of our new customers are pleased to have been referred by those we already work with.

Firstly, we have our free “Eight Steps to ISO27001 Certification” which we readily share if you would like a copy. It provides a graphical overview of the different steps involved in the implementation and certification process.

Next, InfoSaaS has prepared a number of competitively priced documentation packs, which provide a solid foundation for customising to meet your organisation’s specific requirements. Be wary of suppliers who claim that they can write documentation without taking time to understand your business, or those who may have pre-prepared documentation that is claimed to be fit for all purposes. It’s embarrassing (and expensive) to find out that your ISMS documentation is not meeting the requirements of ISO27001 during the certification phase. You can find our documentation options here. If you require support in customising InfoSaaS documentation please get in touch – we have a number of experienced and friendly partners who would be pleased to assist you.

The main element of the ISO27001 standard is to implement and manage an effective system for the identification, management and treatment of risks. That’s why we developed InfoSaaS, our cloud-based risk management solution. Already deployed in many countries around the world, and with a healthy portfolio of successful customer certifications to its name, InfoSaaS provides an intuitive and user-friendly means of complying with Sections 6.1.2/8.2 (Information Security Risk Assessment) and 6.1.3/8.3 (Information Security Risk Treatment) of the standard. The best means of seeing InfoSaaS in action is to explore our demonstration environment, which can be accessed here. We also have a short training video available to help you and your colleagues become familiar with the many features of InfoSaaS quickly and easily. Once again, if you would like a helping hand with setting up or using InfoSaaS, our experienced network of partners (in the UK, North America and Australia) would be pleased to discuss your requirements with you.

InfoSaaS systems have formed the cornerstone of successful audits undertaken by some of the world’s largest and most credible certification organisations. As a Gold-level Consultant of LRQA, we are pleased to recommend their certification services, and we can also provide discounts for LRQA ISO27001 training for you or your colleagues.

The journey towards ISO27001 does not need to be daunting. Our advice is always free, and our services are here to help you when you need them. Visit us at www.infosaas.uk.