DataHub Consulting, Experts in Analytics, Business Intelligence, and Compliance

Date

3 September 2023
Datahub Consulting is a UK-based data consultancy with a dedicated risk and compliance team that focuses on data protection law and on implementing ISO 27001. When we discuss ISO 27001 with clients we come across some common misconceptions and, in general, a lack of understanding of what is involved, so in this article I want to address some of these topics. Let's have a look at the considerations when implementing ISO 27001.

What is ISO 27001?

ISO/IEC 27001 is the international standard for information security, cybersecurity and privacy protection. ISO is the International Organization for Standardization, which publishes the standard jointly with the IEC (International Electrotechnical Commission). When first considering ISO 27001 we recommend obtaining a copy of the standard from the ISO website; it can be purchased in electronic format or as a hard copy. Read through ISO 27001 to get a high-level understanding of what is involved.

ISO 27001 specifies the requirements for an ISMS (Information Security Management System). The ISMS is in place to protect the organisation's information, and the systems that process it, in terms of:

  • Confidentiality
  • Integrity
  • Availability

The framework is in place to identify information security risks and to implement controls that mitigate those risks. Annex A of ISO 27001 lists the reference controls and groups them. The 2013 edition had 114 controls in 14 domains; the current 2022 edition restructures them into 93 controls across four themes (organisational, people, physical and technological).

At the time of writing this article the current version is ISO/IEC 27001:2022.

What is the Difference Between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard and is broken into two parts. The first part is the main body: clauses 0 to 3 are introductory (scope, normative references and terms), and clauses 4 to 10 contain the mandatory requirements for the ISMS. The second part is Annex A, which lists each of the reference controls.

ISO 27002 is the supplementary guidance for implementing the controls. All of the controls are listed in Annex A of ISO 27001 with a one-line description; the detailed implementation guidance for each control is in ISO 27002. An organisation is certified against ISO 27001, not against ISO 27002.

ISO 27001 Domains and Controls

When implementing ISO 27001 against the 2013 edition there were 14 domains (Annex A.5 to A.18) containing 114 controls. Many organisations, tools and older certificates still use this structure, so it is worth being aware of it.

The 14 Domains are:

  1. Information security policies (A.5)
  2. Organisation of information security (A.6)
  3. Human resource security (A.7)
  4. Asset management (A.8)
  5. Access control (A.9)
  6. Cryptography (A.10)
  7. Physical and environmental security (A.11)
  8. Operations security (A.12)
  9. Communications security (A.13)
  10. System acquisition, development, and maintenance (A.14)
  11. Supplier relationships (A.15)
  12. Information security incident management (A.16)
  13. Information security aspects of business continuity management (A.17)
  14. Compliance (A.18)

In the 2022 edition these 14 domains are replaced by four themes: organisational controls (A.5), people controls (A.6), physical controls (A.7) and technological controls (A.8), with 93 controls in total.

Does an Organisation need to Implement all the Controls?

The answer is no. Depending on the type of organisation and the scope of the implementation, not all of the Annex A controls will be applicable. So, as part of the planning phase, once the scope of the implementation has been established, the organisation goes through every control and identifies which are not applicable. ISO 27001 requires this to be recorded in a Statement of Applicability (SoA): a document listing every Annex A control, whether it is included or excluded, and the justification either way. The justification for excluding a control must be risk-based, not simply that the control is inconvenient. More generally, wherever a decision has been made during an ISO 27001 certification project it is best practice to document the decision, the reasoning, and who made it. This documentation will be available to the certification body so that they fully understand the rationale behind why a control was not included.

Initial Planning of the Project

With the initial planning, what are the considerations when implementing ISO 27001? Firstly, identify the internal team and select any external consulting partner (such as Datahub Consulting) to support the implementation. Give thought to who internally needs to be involved. This would typically include a project manager, a point of contact for the leadership team, the IT manager, key staff from the IT team with specific technical knowledge, and stakeholders from the business areas that are in scope.

The next stage is to create:

  • A project plan with key milestones.
  • A way to allocate tasks, such as a Kanban board where tasks for the next two weeks are categorised as "Not Started", "In Progress", "Completed" and "Signed off".
  • An implementation checklist. The checklist is vital to support the project plan.
  • An ISO 27001 implementation roadmap. The roadmap details all the key deliverables and keeps the team on track.

Also, think about whether there is a specific target date for completion. Define within the plan the roles and responsibilities and the lines of communication. It is key that senior management are kept informed: because of the financial investment, most senior management teams will require a detailed update at a monthly management meeting, and the director of IT or CTO may require a weekly summary.

Other areas of communication are with staff and with any partners or vendors that may be involved. You will need the staff to work with you and to understand the importance of the project, so an initial communication to staff could cover what ISO 27001 is, why it is important to the business, and what the staff involvement will be.

Implementation Scope

In the project planning phase, consideration needs to be given to the scope of the ISO 27001 certification. Not all of the business needs to be in scope. When deciding what to include, start with the products and services that you deliver to customers; these will need to be within the scope. Do the sales and marketing systems need to be included? Not always. Be aware, though, that the scope statement is printed on the certificate, so customers will check that the service they buy from you is actually covered. Identifying the scope is, in our opinion, one of the most important considerations when implementing ISO 27001.

How long will it take to Implement ISO 27001?

This is underestimated in a lot of cases. It varies from one organisation to another, and good project management will support an efficient implementation, but realistically organisations implementing ISO 27001 should be prepared for the timeframe.

As a guide we would estimate:

  • Small organisations approx. 3-6 months
  • Medium size organisations approx. 6-12 months
  • Large organisations approx. 12-18 months

Please note that these are only estimates. To understand this in more detail, scoping and a gap analysis would need to be conducted. The gap analysis identifies the security measures currently in place, and the implementation duration is then based on the difference between your current measures and the measures required for a successful audit. Some security measures may need to be implemented from scratch; others may need to be changed or refined.

Budget Considerations

In our experience, ISO 27001 implementation costs are usually higher than an organisation initially expects. When planning the implementation, the senior management team need to be aware of the financial implications. These could include:

  • Internal costs. Internal staff allocated to the project carry an internal cost such as wages, even if they are already employed by the organisation, and there will be internal budgets to consider. If internal people are used to lead the project, additional temporary staff may be required to cover their other work.
  • Support from an external professional with the skills and knowledge to support the implementation. There are courses and qualifications that demonstrate this, such as ISO 27001 Lead Implementer and ISO 27001 Lead Auditor.
  • Additional costs for any applications purchased to support the implementation, for example a risk register or compliance management tool.
  • The cost of the external certification audit.
  • The cost of surveillance and recertification audits.

ISO 27001 Policies

Can we use template policies?
This is one of the most common questions we get asked. Templates can be a starting point, but ISO 27001 is not just the implementation of a set of policies followed by an audit checklist. The standard requires overarching policies, procedures and governance, but also that the organisation actually implements these policies and processes in the core of the business. This is what the audit team will be looking at: evidence that the controls are in place and effective. The audit team will ask to see the policies and procedures, but this is a small element of the overall audit process.

Its Not Just About Policies!

To fully embrace ISO 27001, or any data protection regulation, organisations need to embed the policies and procedures, and the standard or regulation itself, into the organisation. It is not just about creating a policy or procedure as a tick-box exercise. ISO standards need to be embraced by management and staff alike.

For this to happen it is important to include training and awareness for staff so they know about the standard, its importance to the organisation, and what they need to do to support ISO 27001. Awareness is a requirement of the standard (clause 7.3), not an optional extra, and auditors will ask staff about it.

Stakeholder Engagement

With any successful implementation of ISO 27001 there needs to be stakeholder engagement. Firstly, there needs to be buy-in from the senior management team. They need to understand the commitment, the estimated costs, and what is required from them. The standard itself requires demonstrable leadership commitment (clause 5), and auditors will interview senior management to test it.

We would also recommend an internal working group made up of key stakeholders from the areas of the business that are in scope. These people will be the champions within the business who make the implementation succeed.

Common Pitfalls and Considerations

Let's have a look at some common scenarios that organisations may overlook.

  • Remote working
    Since COVID, organisations have allowed remote or hybrid working. Some organisations close their offices on Monday and Friday and have staff attend only from Tuesday to Thursday. So, consideration needs to be given to the remote working of staff: are there any risks to IT security or to the organisation's data, for example unmanaged home networks, paper records kept at home, or screens visible to others in shared spaces?
  • Bring Your Own Device (BYOD)
    Does the organisation allow staff or contractors to use their own devices? As part of IT security, all IT assets are logged and given an identifier, and the IT team ensures that sufficient security software is installed to protect the device and the organisation's infrastructure. But if a member of staff uses their own device, what are the risks to consider? Do the IT policies allow BYOD, and what are the rules for doing so?

    Organisations can set up a separate Wi-Fi network for staff to use with devices that are not organisation assets. For applications such as the email client (Outlook etc.), the policy may state that the web client must be used on devices not owned by the organisation, so that less organisational data is stored on the unmanaged device. You may not want to discourage the use of personal devices, but there need to be policies and procedures to protect and monitor the organisation's IT security risk.
  • Risk Management
    For an organisation to demonstrate a risk management system, there needs to be consideration of how to perform:
    • Risk Identification
    • Risk Analysis
    • Risk Evaluation
    • Risk Treatment
      Within ISO 27001, the risk treatment plan is a document that outlines how the organisation will manage and treat the risks identified in the risk evaluation process (for example, by applying controls to reduce a risk, or by accepting, avoiding or sharing it), who owns each treatment, and when it will be completed.
    • Risk Monitoring and Reviews
  • Zero Gaps
    When being audited against the standard there do not have to be zero gaps. Both data protection compliance and IT security are continual improvement processes. With that in mind, assessors want to see that there are processes to monitor, measure and mitigate the gaps. As long as the organisation can demonstrate a robust gap identification and mitigation process, this will be viewed favourably. The exception is a major non-conformity, such as a required clause not being implemented at all, which must be corrected before a certificate is issued.

Difference Between Internal and External Audits

This is a misconception with many organisations.
An internal audit is an audit carried out by the organisation itself, or by a third-party consultancy working on behalf of the organisation. ISO 27001 requires internal audits to be carried out at planned intervals, and the auditor must be independent of the area being audited.

An external audit is an audit carried out by an organisation that is registered as a certification body, ideally one accredited by a national accreditation body (UKAS in the UK).

Benefits of Using a Lead Implementer / Lead Auditor

With ISO 27001, to improve the implementation, consider using a lead implementer and a lead auditor. So, what is the difference?

A lead implementer is what the name suggests: a person who has passed an exam demonstrating their skills and knowledge in implementing ISO 27001. This person can help with the smooth running of the project and can lead the organisation through it.

A lead auditor is a person who has been certified and passed an exam. The lead auditor has the skills required to carry out an internal audit and can oversee and maintain an audit programme. They will be able to identify non-conformances and help the organisation correct them.

Selecting a Certification Body

This is up to the organisation, and it is a consideration that needs some thought. Do your homework and research the candidate bodies. Make sure that you are happy with the cost, the availability of the audit team and the process that they will adopt. Check that the body is accredited for ISO 27001 by a recognised accreditation body; an unaccredited certificate carries little weight with customers. At the end of the day, you will need to work with this organisation to get certified, and their details will appear on your certificate.

Certification Costs

The costs vary depending on the size of the organisation and the number of audit days required. Once you have selected a certification body, the scope and complexity (number of staff, sites and systems in scope) will determine the number of days. They will discuss the duration with you prior to the audit.

Securing ISO 27001 certification consists of a two-stage audit:

  • Stage 1 is the initial documentation review, checking that the ISMS is designed and documented to meet the standard.
  • Stage 2 is the certification audit, checking that the ISMS is actually implemented and operating as documented.

After successfully completing Stage 2 you will receive the certificate. Depending on the certification body you choose, the duration of the audit and the size of your organisation, the Stage 1 and 2 audits could cost approx. $7,500 to $20,000 (US dollars). If you choose one of the large, well-known certification bodies (the so-called big 4), your certificate will carry their name. This can provide a higher level of credibility but comes at a cost.

Further Audits

Surveillance and Recertification Audits

The certificate is valid for three years. In each of the following two years there is a surveillance audit, and in year three a recertification audit. The recertification audit could cost about the same as the initial certification, whilst the surveillance audits could be in the region of $4,000 to $8,000 (US dollars).

Please note that all the above costs are estimates to give an idea of the costs involved.

Contact Datahub

If your organisation is considering implementing ISO 27001 and requires support to achieve the standard, please use either our contact form or contact one of our offices. We will be happy to have an initial discussion to understand what you want to achieve and your timelines, and to answer any questions on implementation.

Also, if you have any other questions, queries or considerations about implementing ISO 27001, please reach out to us. We would be more than happy to have a telephone or MS Teams call to discuss.

To conclude our article on considerations when implementing ISO 27001, we have included some useful references to help.

References

Datahub’s Risk & Compliance Services
Datahub has a risk & compliance service that covers data protection and cyber security. The cyber security team provides consulting services for ISO 27001 implementation, and our data protection services provide expertise in global data protection laws.
Risk and Compliance | DataHub Consulting

International Organization for Standardization
ISO/IEC 27001 Standard – Information Security Management Systems

Microsoft and ISO/IEC 27001
ISO/IEC 27001:2013 Information Security Management Standards – Microsoft Compliance | Microsoft Learn
