Considerations When Implementing ISO 27001
DataHub Consulting, Experts in Analytics, Business Intelligence, and Compliance
Datahub Consulting is a UK-based data consultancy with a dedicated risk and compliance team that focuses on data protection law and implementing ISO 27001. When we discuss ISO 27001 with clients there are some common misconceptions and, in general, a lack of understanding, so in this article I want to address some of these topics. Let's have a look at the considerations when implementing ISO 27001.
ISO/IEC 27001 is the international standard for information security, cybersecurity and privacy protection. It is published jointly by ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission), and it is the core, certifiable standard of the wider ISO/IEC 27000 family. When first considering ISO 27001 we would recommend purchasing a copy of the standard from the ISO website, either in electronic format or as a hard copy. Read through it to get a high-level understanding of what is involved before planning anything.
The ISO 27001 framework is known as an ISMS (Information Security Management System) and is in place to protect the systems for:
The framework exists to identify information security risks and to implement the controls that mitigate them. Annex A of ISO 27001 lists the reference controls. Be aware that the numbers depend on the edition: the 2013 edition lists 114 controls grouped into 14 domains, while the 2022 edition restructures these into 93 controls under four themes (organisational, people, physical and technological). Where this article quotes 114 controls and 14 domains it is referring to the 2013 structure.
At the time of writing this article the current version is ISO/IEC 27001:2022, which replaced ISO/IEC 27001:2013. Organisations certified against the 2013 edition have a transition period (ending 31 October 2025) in which to move their certification to the 2022 edition.
ISO 27001 itself is broken into two parts. The first part is clauses 0 to 10; clauses 4 to 10 contain the mandatory requirements an ISMS must meet (context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement). The second part is Annex A, which lists the controls.
ISO 27002 is the supplementary guidance for implementing the controls. Annex A of ISO 27001 only names each control; the detailed, informative guidance on how to implement each one is in ISO 27002.
When implementing ISO 27001 against the 2013 edition there are 14 domains to be aware of, and within these domains are the 114 controls listed in Annex A.
The 14 domains (Annex A.5 to A.18 of the 2013 edition) are: information security policies; organisation of information security; human resource security; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance. In the 2022 edition these domains are replaced by the four themes above.
The answer to this is no. Depending on the type of organisation and the scope of the implementation, not all of the Annex A controls will be applicable. So, as part of the planning phase, once the scope has been established, the organisation can work through every control and identify which are not applicable. This is not optional: clause 6.1.3 of the standard requires a Statement of Applicability (SoA) that lists every Annex A control, states whether it is included or excluded, and justifies each exclusion. We would suggest recording, for each excluded control, the reasoning, the date and who made the decision; with ISO 27001 certification it is best practice to document every decision in this way. The SoA is then available to the certification body so that they fully understand the rationale behind why a control was excluded. Bear in mind that an auditor will expect exclusions to be justified by the risk assessment and the scope, not by the control being inconvenient to implement.
With the initial planning, what are the considerations when implementing ISO 27001? Firstly, identify the internal team and select any external consulting partners, like Datahub Consulting, to support the implementation. Give thought to who internally needs to be involved. This would typically include a project manager, a point of contact for the leadership team, the IT manager, key staff from the IT team with specific technical knowledge, and stakeholders from the areas of the business that are in scope.
The next stage is to create:
Also think about whether there is a target date for completing the implementation. Set out in the plan the roles and responsibilities and the lines of communication. It is key that senior management are kept informed; because of the financial investment, most senior management teams will require a detailed update at a monthly management meeting, and the IT director or CTO may require a weekly summary.
Other areas of communication are staff, and any partners or vendors that may be involved. You will need the staff to work with you on this and to understand why it matters. An initial communication to staff could cover: what ISO 27001 is, why it is important to the business, and what their involvement will be.
In the project planning phase there needs to be consideration of the scope of the ISO 27001 certification. Not all of the business needs to be in scope. When deciding what to include, think about the products and services that you deliver to customers; these will need to be included. Do the sales and marketing systems need to be included? Not always. The scope must be documented (clause 4.3) and is what will appear on the certificate, so anything you exclude is not covered by the certification, and customers checking your certificate will read the scope statement. Identifying the scope is, in our opinion, one of the most important considerations when implementing ISO 27001.
The time required is in a lot of cases underestimated. It does vary from one organisation to another, and good project management will support an efficient implementation, but realistically organisations implementing ISO 27001 should be prepared for the timeframe.
As a guide we would estimate
Please note that these are only estimates. To understand the timeframe in more detail, scoping and a gap analysis would need to be conducted. The gap analysis identifies the security measures currently in place; the implementation duration is then based on the difference between your current measures and the measures required for a successful audit. Some security measures may need to be implemented from scratch, and some existing measures may need to be changed or refined.
In our experience ISO 27001 implementation costs are usually higher than an organisation initially expects. When planning the implementation, the senior management team need to be aware of the financial implications. These could include:
Can we use template policies?
This is one of the most common questions we get asked. ISO 27001 is not just the implementation of a set of policies followed by an audit checklist. The standard requires overarching policies, procedures and governance, but it also requires that the organisation embeds these policies and processes into the core of the business. This is what the audit team will be looking at: evidence that the controls are in operation and are effective. The audit team will ask to see the policies and procedures, but this is a small element of the overall audit process. A template policy can be a reasonable starting point, but it has to be adapted to your scope, your risks and the way your organisation actually works, and you have to be able to show evidence that it is followed.
To fully embrace ISO 27001, or any data protection regulation, an organisation needs to embed the policies and procedures, and the standard or regulation itself, into the organisation. It is not just about creating a policy or procedure as a tick-box exercise. ISO standards need to be embraced by management and staff alike.
For this to happen it is important to include training and awareness for staff so they know about the standard, its importance to the organisation, and what they need to do to support ISO 27001.
Any successful implementation of ISO 27001 needs stakeholder engagement. Firstly, there needs to be buy-in from the senior management team. They need to understand the commitment, the estimated costs, and what is required from them; leadership commitment is itself a requirement of the standard (clause 5), and the auditor will look for evidence of it.
We would also recommend an internal working group made up of key stakeholders from the areas of the business that are in scope. These people will be the champions within the business who make the implementation succeed.
Let's have a look at some of the common areas that organisations overlook.
This is a misconception held by many organisations.
An internal audit is an audit carried out by the organisation itself, or by a third-party consultancy working on behalf of the organisation. Internal audits are a requirement of the standard (clause 9.2): they must be carried out at planned intervals, and the auditors must be objective and impartial, so nobody should audit their own work. The certification body will expect to see the internal audit programme and its results before it issues a certificate.
An external audit is an audit carried out by an organisation that is registered as a certification body. Only an external audit can result in certification.
With ISO 27001, to improve the implementation, consider using a Lead Implementer and a Lead Auditor. So what is the difference?
A Lead Implementer is, as the name suggests, a person who has passed an exam to demonstrate their skills and knowledge in implementing ISO 27001. This is a person who can help with the smooth running of the project and can lead the organisation through it.
A Lead Auditor is a person who has been certified by passing an exam in auditing ISO 27001. The Lead Auditor has the skills required to carry out an internal audit and can oversee and maintain an audit programme. They are able to identify non-conformances and to verify that the corrective actions taken address the root cause.
This is up to the organisation, and it is a consideration that needs some thought. Do your homework and research the certification bodies. First, check that the body is accredited for ISO 27001 by a national accreditation body (UKAS in the UK); a certificate from an unaccredited body carries far less weight with customers. Then make sure that you are happy with the cost, the availability of the audit team and the process they will adopt. At the end of the day, you will need to work with this organisation to get certified, and their details will appear on your certification documentation.
The costs will vary depending on the size of the organisation and the number of days required to undertake the certification audit. Once you have selected a certification body, the scope and complexity of your ISMS will determine the number of audit days. They will discuss the duration with you prior to the audit.
Securing an ISO 27001 certification consists of a two-stage audit: stage 1 is a review of the ISMS documentation (scope, policies, risk assessment, Statement of Applicability, internal audit and management review records) to confirm you are ready for the full audit, and stage 2 is the on-site or remote assessment of whether the controls are implemented and operating effectively, based on evidence.
After successfully completing stage 2 you will receive the certificate. Depending on the certification body you choose, the duration of the audit, and the size of your organisation, the stage 1 and stage 2 audits could cost approximately $7,500 to $20,000 (US dollars). If you choose one of the big four certification bodies, the certificate will carry their name. This can provide a higher level of credibility but will come at a cost.
Further Audits
Surveillance and Recertification Audits
After getting certified there are surveillance audits in each of the next two years, followed by a recertification audit in year three; the certificate is valid for this three-year cycle. The recertification audit could cost the same as the initial certification, while the surveillance audits could be in the region of $4,000 to $8,000 (US dollars) each.
Please note that all of the above costs are estimates intended to give an idea of the costs involved.
If your organisation is considering implementing ISO 27001 and require support in successfully achieving the standard, then please use either our contact form or contact one of our offices. We will be happy to have an initial discussion to understand what you want to achieve, your timelines, and answer any questions on implementation.
Also, if you have any other questions, queries, or considerations around implementing ISO 27001, then please reach out to us. We would be more than happy to have a telephone call or MS Teams call to discuss.
So, to conclude our article on considerations when implementing ISO 27001, we have included some useful references to help.
Datahub’s Risk & Compliance Services
Datahub has a risk and compliance practice that covers Data Protection and Cyber Security. The Cyber Security team provides consulting services for ISO 27001 implementation, and our Data Protection services provide expertise in global data protection laws.
Risk and Compliance | DataHub Consulting
International Organization for Standardization
ISO/IEC 27001 Standard – Information Security Management Systems
Microsoft and ISO/IEC 27001
ISO/IEC 27001:2013 Information Security Management Standards – Microsoft Compliance | Microsoft Learn
We do not employ salespeople; our team are all experienced technical specialists that can talk you through any of our services.