ISO27001: Questions we are often asked: #1 “How long does it take?”

Where do you work?

I sit in an office surrounded by our sales advisers, who answer enquiries. Although we all like to think that we are individuals – something that I value highly, I am struck by the regularity with which certain questions are asked by those who call us in response to web pages and email broadcasts.

“ISO27001 certification in 3 to 6 months – is that really possible?” is a common theme, usually resulting in a response that inevitably begins with the caveat: “Well, it depends on your scope… exactly what is included…” and progresses to: “We will need to assess your IT system and set-up…”. It’s true that a medium-sized organisation can take on average between 14 and 18 months to complete the process, especially without our support.
Large organisations can take years to bring every aspect of their business operations in scope – although thankfully, it doesn’t have to be that way.

Most people calling want a simple answer, which isn’t always possible at the time, and yet – in the majority of instances – the resulting proposal guarantees certification within a short timescale that genuinely surprises.

Please do call my colleagues now, and find out for yourself: 0845 070 1750

How can we help you to achieve certification in weeks, or a few months at most, in the majority of cases, without cutting important corners in the process?

Answer: 135+ successful projects to date, a number that’s rising fast, making our consultants some of the most experienced in the world when it comes to ISO27001 compliance and accredited certification to the standard.

Whatever the size of your organisation, we would love to talk to you today. But if you’re not 100% certain whether you want to pick up the telephone right now (please do – we are here!), then come to one of our UK Events.
In association with some of the leading UK certification bodies that are accredited by UKAS to issue ISO27001 certificates, we are providing you with the opportunity to learn first-hand from the world’s leading experts.

We would of course welcome you if you work for a global corporation – we have after all consulted for many household names over the years – although you don’t need to be FTSE 500-listed to benefit from our skills. Through experience of our recent programme of ISO27001-themed events, we know that the delegates often come from smaller enterprises, some qualifying as micro businesses (1 person, for instance!) and others that fit the SME category – small to medium-sized enterprises of 20 to 250 people.

These SMEs whose senior and middle managers seek ‘Practical Guidance for Senior Managers’ – all for just £35+VAT per head to cover the cost of a buffet lunch, tea and coffee – are representative of the bulk of the UK supply chain. They know that their future orders depend in part on cyber security – proving that they are not the weak link that cannot be trusted.

Whether you think it’s fair for big companies to be suspicious of smaller ones or not, it’s worth reflecting on the fact that over 90% of the private sector consists of companies that have fewer than 50 employees. SMEs are important suppliers, making up more than 80% of the UK GDP. However, recent research by the University of Worcester and others indicates that small businesses have a generally low awareness of information security and related legislation: few have had a risk assessment, few have put in place any security policies or procedures, and not many have trained their staff in security. This creates a potentially serious weakness in the supply chain that is not being adequately addressed, and larger companies know this. The damage that can be done to a global brand as a result of a breach is a big risk that market leaders are no longer prepared to accept.

In addition, there are more subtle weaknesses emerging as the hackers get smarter. The military, public sector and large businesses generally have the resources to protect their own environment, but there is growing evidence that smaller businesses are being deliberately targeted by sophisticated cyberattacks as a route into valuable sources of IP, identities of key personnel and analysis of ICT to provide deeper penetration of information systems in larger businesses. Put simply, SMEs are vulnerable.

Establishing an inclusive security governance structure is key to ensure that the right conversations are taking place to address cybersecurity needs. The answer is to adopt a standard – and that standard is ISO27001.

Our consultants can undertake the whole job for you, or transfer the knowledge to your team so that you can manage your own ‘ISMS’ without needing us again. Having said that, our clients regard IT Governance as a lifelong partner in their programme to manage information security risks. This is partly because we are friendly, capable and work hard and smart, but also because the cyber world is growing fast and changing all the time.

For example: the recently-published BIS 2013 Information Security Breaches Survey Technical Report states that more than three quarters of respondents now use outsourced services. Worryingly, 4% of respondents have detected a security or data breach that affected a cloud-based service they use. Given that only 23% get reports of breaches from their provider, this suggests the actual breach levels may be much higher. Sadly, breach information is often only requested after a major breach has occurred.

And it’s not just what’s happening in the cloud or the world outside that you need to assess. Incredibly, 36% of the worst security breaches in 2012 were caused by inadvertent human error (oops!) and a further 10% by deliberate misuse of systems by staff. Can you show that you have policies in place to stop this? Ones that don’t just rely on your technical controls?

Email me today. I will supply you with a full Agenda for our Event on the 12th of June at BSI’s Global Headquarters in Chiswick – free of charge!

Better still, book now! Follow this link and sign up while there are still places available. I promise you, it will be a day that could not only save your business (you will see why when you’re there), but may well be your ticket to some very lucrative contracts that you thought were impossible.

£35 and a day of your time: too much to ask? There is growing evidence that smaller businesses are being deliberately targeted by sophisticated cyberattacks as a route into valuable sources of IP, identities of key personnel and analysis of ICT to provide deeper penetration of information systems in larger businesses. So in Churchill’s words: ACTION THIS DAY!

Assure your customers and secure your and your clients’ confidential data.
Join us at BSI in London on June 12th, and put your question to our experts.

Register online or call: 0845 070 1750.

This is a rare opportunity to participate in a day of highly-informative talks, practical workshops and one-to-one advice sessions to learn how your organisation will benefit from ISO27001 information security and the steps that you need to take to implement/maintain your ISMS – don’t miss out!
