{"id":4648,"date":"2013-10-22T21:40:44","date_gmt":"2013-10-22T21:40:44","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/013\/10\/22\/how-to-address-main-concerns-with-iso-27001-implementation\/"},"modified":"2025-07-09T14:30:59","modified_gmt":"2025-07-09T14:30:59","slug":"how-to-address-main-concerns-with-iso-27001-implementation","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2013\/10\/22\/how-to-address-main-concerns-with-iso-27001-implementation\/","title":{"rendered":"How to address main concerns with ISO 27001 implementation"},"content":{"rendered":"<p>Last week I delivered two webinars on the topic of <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, and before those webinars I had asked the attendees to send me their top concerns regarding ISO 27001 implementation.<\/p>\n<p>I\u2019ve summarized the most common concerns into the following five areas \u2013 I presented them in the webinars, and here is a more detailed explanation of how I feel they should be addressed:<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">1) The effort required to transition from the 2005 revision to 27001:2013<\/h2>\n<p>It is true that every company certified against ISO 27001:2005 will have to transition to the 2013 revision within two years, and it is true that the 2013 revision introduces some new requirements while dropping others. It is also true that this process won\u2019t be finished in a couple of hours, but it certainly doesn\u2019t have to be anything close to the effort of the initial implementation of the standard.<\/p>\n<p>The key is careful planning \u2013 if you know exactly which steps you need to take, you will reduce this transition effort to a minimum. 
With this in mind, read my article <a href=\"https:\/\/advisera.com\/27001academy\/knowledgebase\/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to make a transition from ISO 27001 2005 revision to 2013 revision<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">2) Successfully communicating a beneficial reason why a company should implement ISO 27001<\/h2>\n<p>The key is to identify benefits for the business side of the organization \u2013 benefits that are easily understandable and that bring clear value to the business, not to IT, because, after all, the decision about ISO 27001 is not going to be made by the head of the IT department but by your senior management.<\/p>\n<p>In my view, there are four potential benefits that may apply to companies: (1) compliance, (2) marketing advantage, (3) decreasing costs, and (4) optimizing processes. Click here to read the details: <a title=\"Four key benefits of ISO 27001 implementation\" href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">3) Setting up an appropriate and pragmatic risk assessment &amp; treatment process<\/h2>\n<p>First of all, risk assessment and treatment cannot be performed by downloading some template you\u2019ve found somewhere on the Internet, or by using the first tool you come across. 
Risk management needs to be based on a <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-assessment-and-risk-treatment-methodology\" target=\"_blank\" rel=\"noopener\">risk assessment and treatment methodology<\/a> that is adapted to the size of your company, your various requirements, and the sensitivity of the information you hold.<\/p>\n<p>Too many times I\u2019ve seen small companies using a risk assessment tool made for large corporations, only to realize they have spent six months on work they could have finished in one month, and with questionable results. Therefore, before starting your risk management process, you need to find an appropriate methodology that defines how to identify the main elements of your risks (assets, threats and vulnerabilities) and which scales you will use to evaluate the consequence and the likelihood. Register for this free webinar for more information: <a href=\"\/27001academy\/webinar\/basics-risk-assessment-treatment-according-iso-27001-free-webinar\/\" target=\"_blank\" rel=\"noopener noreferrer\">The basics of risk assessment and treatment according to ISO 27001<\/a>.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">4) The resources required to maintain the certification<\/h2>\n<p>I\u2019m afraid this concern reflects one of the main myths about ISO 27001 \u2013 that the documents are written only for the purpose of certification. Let me give you an example \u2013 if you develop a <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" target=\"_blank\" rel=\"noopener\">Backup policy<\/a> because you are implementing ISO 27001, will you require additional resources just because you are now complying with this policy? 
Or what if you were already performing backups before writing that policy, and now simply want to make it clear to everyone how it is done?<\/p>\n<p>My point is this: you shouldn\u2019t write the documents for the auditor \u2013 you have to write them for yourself. And if you do so, no additional resources are required because such rules become part of your daily routine; in some cases you will even have less work because some problems (e.g. security incidents) won\u2019t happen again.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">5) How much time will the ISMS take away from my main duties?<\/h2>\n<p>The answer to this question is very similar to that of the previous one, but I would add this \u2013 of course you will need someone to coordinate all the information security effort in your company. But if you have, e.g., 50 employees, this will require perhaps a couple of hours of work per week, so it could be someone\u2019s task in parallel to his or her normal job. 
Only once your company passes 1000 employees should you consider a full-time CISO \u2013 but such an information security professional will probably save you so much money through prevented incidents that the move will certainly pay off.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To see how to implement ISO 27001 through a step-by-step wizard, and eliminate most of the manual work through automation,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a>\u00a0<em><span class=\"notion-enable-hover\" data-token-index=\"3\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week I delivered two webinars on the topic of ISO 27001, and before those webinars I had asked the attendees to send me their top concerns regarding ISO 27001 implementation. 
I\u2019ve summarized the most common concerns into the following five areas \u2013 I presented them in the webinars, and here is a more detailed explanation &#8230;<\/p>\n","protected":false},"author":26,"featured_media":4649,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[379,381,405],"class_list":["post-4648","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-information-security","tag-iso-27001","tag-isms"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4648"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4648\/revisions"}],"predecessor-version":[{"id":104320,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4648\/revisions\/104320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/4649"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}