5 quick questions commonly asked at the start of an ISO27001 project

The following are just some of the questions raised by delegates at our most recent ISO27001 Foundation training course:

  1. How long on average does it take to achieve ISO27001 compliance? It really depends on the company: its size, its willingness and its complexity. Typically a medium-sized company, working without external assistance, can be ready to go for ISO27001 certification 14 to 18 months from project start.
  2. How can I persuade senior management to invest in an ISO27001 project? Information security is a common ‘head in the sand’ area for senior management, but as Murphy’s law states – anything that can go wrong, will go wrong – it is just a matter of time. So boards or senior management that avoid addressing information security are taking a very big gamble – one day it is likely to come up and bite them – hard. Getting this message across can be a hard one to crack; however, this free green paper, Information Security as a Mindset: Selling it to the Board, provides some useful tips.
  3. Why is ISO27001 the best option for addressing information security? Because it is the only specification for information security that provides a definitive list of requirements that must be implemented. Once the requirements are implemented, you will have a complete, best-practice information security management system that can be independently audited and certified.
  4. I’m from a small company; is the entire ISO27001 standard still applicable to us? Yes – it is applicable to organisations of all sizes and complexity. However, organisations make their own decision on what is included within the scope of their security policy, which is usually more straightforward for smaller organisations.
  5. Do I have to seek external certification? No, you can opt to self-certify. Many organisations comply with the requirements of ISO 27001 without actually obtaining certification – of course, the credibility of any claim they make is open to question without external verification. Going the extra mile to gain certification will give you a competitive advantage, as it demonstrates to both existing and potential customers that your organisation takes information security very seriously. I often find that delegates on the ISO27001 Certified ISMS Foundation course are pursuing an implementation project for this very reason – they want to win more business.

These Q&As have been kindly supplied by Nick Orchiston, a trainer on the ISO27001 Certified ISMS Foundation Course. This course deals with these and many other issues commonly faced at the beginning of an ISO27001 project.

Nick is a consultant with over 17 years of experience in helping organisations, from SMEs to global corporations, to achieve certification to a range of management standards, including ISO27001.

If you’re considering ISO27001 for your organisation and have a burning question, drop us an email and we’d be delighted to help!