
    ISO 27001 & ISO 22301 Blog

    The shortest path to getting ISO 27001 certified as a business

    Getting ISO 27001 certified doesn’t mean you can knock on the door of the certification body and ask them to give you a certificate – there are many things you have to prepare in order to get your certificate.

    It is true that this is a rather complex process, so I’ve divided it into 5 key areas you have to address:

    1) Get support from your top management

    Too many companies overlook this step, and this is the number one reason why ISO 27001 projects fail: mid-level management starts the implementation, inevitably runs into problems, and asks top management for help. But top management, not knowing why this is important, does nothing about it.

    So, to avoid such a situation, first you have to get the attention and understanding of your CEO and/or top executives – and to do that, you have to present them with the clear business benefits of ISO 27001 implementation for their company, like: increased market share, higher profits, lower compliance risk, etc. Arguments like “we’ll have a great new firewall” won’t work with these guys.

    This article will help you formulate these business benefits: Four key benefits of ISO 27001 implementation.

    2) Plan the budget

    Starting the implementation without any planned budget will get you nowhere – it is true that this kind of project will probably cost you less than you initially expected (yes, you heard this right), but that doesn’t mean you can do it with no money at all.

    In most cases you’ll have these costs: literature and training, external assistance (either a consultant or online services), technology, certification, and – usually the biggest cost of all – your own employees. This is because you probably already have most of the technology in place, but your employees will have to organize better in order to start using this technology in a more secure way.

    Read this article for details: How much does ISO 27001 implementation cost?

    3) Treat the implementation like a project

    Implementing ISO 27001 is primarily about re-organizing how security processes are done in your company – so you can’t give this job to one person and expect him or her to do the whole thing alone; likewise, you can’t give it to a rookie or to someone who has no experience in running a project and expect such a person to coordinate everything that is necessary throughout your company.

    ISO 27001 implementation needs to be treated as a regular project, which means selecting an experienced project manager, setting the deadlines and deliverables, defining who is the project sponsor, etc.

    This article will help you: ISO 27001 project – How to make it work.

    4) Don’t skip the implementation steps

    I’ve seen many security enthusiasts skipping crucial steps in ISO 27001 like risk assessment, only to jump into the “real” implementation of various safeguards (security controls). But this standard is written in a very sequential way, and this is done with a very good reason: you can’t fix something unless you know what’s broken.

    Or, to translate this into security language: you should not implement controls unless there are potential incidents that would require such investment; in other words, first you have to perform the risk assessment in order to find out which bad things can happen, and then decide which safeguards you need to mitigate those risks.

    There are a total of 16 steps you need to perform to implement the standard fully – you’ll find their explanation here: ISO 27001 implementation checklist.

    5) Choose the most appropriate certification body

    Not all certification bodies (also called registrars) are created equal. Chances are, you’ll find at least a couple of them in your country, so you’ll be able to choose the one that suits you best.

    Price is important, of course, but it is not the only criterion you should use – what is also important is that the auditors know your industry, that they have a good reputation, that they can certify other standards as well, etc.; the list goes on – see this article for more: How to choose a certification body.

    How long will it take?

    Will you be able to implement ISO 27001 without addressing these five elements? Yes. But if you want to get the certificate in a rather short time, these are the crucial issues you have to take care of.

    If you’re prepared and organized, you’ll be able to implement and certify against ISO 27001 in 4 to 6 months for a small company, in up to 10 months for a mid-sized company, and in 12 months or more for a larger company. This tool will help you calculate the timing more precisely: ISO 27001 Implementation Duration Calculator.

    On the other hand, if you don’t take this project seriously enough, it might become one of those projects that seem very nice, but never get finished.

    Click here to download a free template of ISO 27001 Project Proposal that will help you present this project to your top management.

    Dejan Kosutic (Advisera)
    Leading expert on cybersecurity/information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients.

    As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.