ISO 27001 confirms an organisation has adopted an effective information security process and is popular with businesses. As an Information Security Management System (ISMS), it covers much more than just IT, ensuring small, medium and large organisations adopt physical and technical controls to:
- Deliver an appropriate level of information security to improve credibility
- Assist with decreased security incidents and IT downtime
- Develop work processes to be more efficient and increase the ability to win new business.
It is possible to adopt the ISO 27001 principles (compliance) without becoming ISO 27001 certified (accredited). Adopting the systems and processes of ISO 27001 can deliver the advantages of operating an ISMS. However, to qualify for the 'Certified ISO 27001' badge, you will need to be audited by an external evaluator.
External accreditation to ISO 27001 means:
- You conform to industry best practice and the 114 controls under ISO 27002:2013
- A professional commitment to managing customers' data and improving your security
- Peace of mind to customers and business partners
How much time does it take to build an ISMS?
During the construction and review phases before an audit, our time will depend on the following:
- C-Suite/Board meeting to understand your drivers and explain the process/outcomes
- Document requirements
- Meeting times/frequency, including project management
- Risk assessments (variable based on the complexity of the organisation)
- Implementation of controls (this may include new technologies/services)
- Staff training
- The launch of the ISMS, including ongoing evaluation and corrective actions – see the diagram below as an example of how a first 'cycle' may validate ISMS operational costs.
Small organisations with knowledgeable staff may be successful with 5-7 days of assistance. However, larger businesses may require more support over a longer timeframe.
When will we be ready for audit?
Building your ISMS to achieve ISO 27001 could be completed in under 3 months for a start-up, although timeframes of 6 to 12 months are typical.
To be accredited with ISO 27001, an external audit is required. An audit can typically take anything between 3 and 15 days, depending on the size and complexity of your organisation.
Give us a call at Cydarity for a dedicated support partner in building your ISO 27001 ISMS.
Lifecycle of an ISO 27001 project
Why act now?
The challenging business environment brought about by COVID-19 resulted in businesses being focused on their 'core' elements. The UK regulator recognised this, resulting in the ICO statement on 15 April 2020. However, as we return to normality, businesses will be expected to protect their systems and data appropriately, and increasing scrutiny may be applied.
What are you doing over the next few weeks to be proactive?