
  • 1. What is ISO 27001?
    ISO 27001 is an international standard issued by the International Organization for Standardization (ISO) that specifies requirements for information security management systems (ISMS). Its formal designation is ISO/IEC 27001. The standard was developed from the British standard BS 7799-2; it was first published as ISO 27001 and has since become the leading international standard for information security.
  • 2. What is achieved by implementing ISO 27001?
    Implementing ISO 27001 reduces risks to the confidentiality, integrity, and availability of an organization's information. It also helps the organization comply with legislation on the protection of confidential information, the protection of information systems, personal data protection, and so on, which is already in place in most countries. Finally, implementing the standard should reduce business costs because of fewer incidents, and improve marketing through the publicity that certification can bring.
  • 3. What is the difference between ISO 27001 and ISO 27002?
    The international standard ISO 27002 provides guidelines for implementing the controls listed in ISO 27001. ISO 27001 specifies 114 controls that can be used to reduce security risks, and ISO 27002 gives details on how to implement each of them. Organizations can be certified against ISO 27001, but not against ISO 27002.
  • 4. Why is ISO 22301 often mentioned with ISO 27001?
    ISO 27001 is a specification for an information security management system (ISMS) and includes requirements for business continuity management only as far as they concern the continuity of the ISMS. ISO 22301 is a broader specification for a full Business Continuity Management System (BCMS) that addresses continuity beyond the ISMS.
  • 5. We have implemented ISO 9001; can some of it be used for ISO 27001?
    Absolutely! Some parts of ISO 27001 and ISO 9001 are virtually the same, e.g., document management, internal audits, management review, and corrective actions. If those procedures are already in use for ISO 9001, they can be reused for ISO 27001/ISO 22301 with only minor changes. In other words, organizations that have already implemented ISO 9001 will find implementing ISO 27001 easier.
  • 6. How long does it take to implement ISO 27001?
  • 7. Does ISO 27001 have to be implemented throughout the entire organization?
    No. The scope of implementation can be limited to one part of the organization, which makes sense for larger organizations operating at several locations and/or in several countries. For small organizations with only a few locations, it is better to implement the standard for the whole organization.
  • 8. How much does it cost to implement ISO 27001?
    It is almost impossible to estimate the cost before the risk assessment has been completed. Most of the expense is usually not hardware or software but developing procedures and getting them up and running, raising employee awareness, training employees, certification, and so on. The costs also depend on the size of the company, but not all security controls have to be implemented immediately; the implementation of some of them can be postponed.
  • 9. How much does it cost to maintain ISO 27001 certification?
    A registrar must audit your ISMS each year. In each of the first two years after certification, you will need a “surveillance” audit; in the third year, you will need another “certification” audit. A surveillance audit generally costs 60 to 80% of a certification audit.
  • 10. Is there a legal requirement to comply with or be certified to ISO 27001?
    There is generally no direct legal requirement as such. Organisations choose whether or not to implement the requirements of ISO 27001 based on the benefits they would gain by doing so. However, you should pay close attention to any contractual obligations you have to protect the information of clients and other stakeholders. There is an increasing trend for customers to require third-party suppliers to implement or certify to ISO 27001, which makes it a legal requirement by way of contract.
