Need help preparing for ISO 27001?
(cartoon credit: (c) Scott Adams)
Like other ISO standards, some organisations choose purely to implement the standard in order to benefit from what it contains, while others decide they also want to get certified to reassure customers or clients that its recommendations have been followed. There are many Information Security standards out there (within specific industries, or for specific countries); ISO 27001 is one of the more widely recognised. 360is have been working to help companies implement the technical controls within ISO 27001 and its predecessors since the mid-1990s. While we don't certify you against ISO 27001, we can help you prepare for your certification and pass your annual audits by building a strong Information Security posture.
What is an ISMS?
The Information Security Management System is a system in the broadest sense of the word. It is a mixture of people, processes, and IT systems (hardware, software, products and services) which allow you to manage risks relating to sensitive company information so that it remains secure. An ISMS isn't just a product you buy, or a configuration change you make. Rather like a religion with rites and ceremonies, it is something you must observe every day.
Control-Point Versus Procedural Standards
There are two kinds of IT Security standards in this world: those that are control-point based and those that are procedure-based. ISO 27001 is control-point based, meaning that it tells you what controls need to be in place to ensure the right outcome. It is not a prescriptive "how-to" for the configuration of your IT. A control-point standard can be said to apply across a broad range of organisations with different sizes and operational patterns because the standard steers clear of the minutiae. Procedure-based standards can struggle to cater for such a broad range of organisations. However, IT staff find control-point standards harder to implement in technical configuration. 360is helps companies translate the control-point objectives of ISO 27001 into practical, technical configuration, procedures, and documentation.
How Much Does ISO 27001 Cost?
The cost of getting ISO 27001 certification depends on:
- The size of your company and scope of the ISO 27001 certificate
- The maturity level of your ISMS
- The gap between the current state and the desired state of the control environment
- The in-house capability/capacity to develop the ISMS and close the gaps
- How quickly the certificate is required
If you are a large organisation wishing to certify the whole of your operations, and you have not previously invested much in an ISMS, or in people with the skills to build and operate such a system, then you are going to have to spend more getting ISO 27001 certified. These costs come from three places:
- The first is the cost of getting your ISMS up to scratch, "pre-certification"
- The second is the certification process itself
- The third is the cost of your annual certification audit in years 2 and beyond
Given the fact that there are so many variables, we will use a real client of ours as an example:
- 50 staff, 1 office, in the UK
- Processes sensitive data, some personally identifiable information, for medium sized banks
- Co-locates at two UK data centers
- Provides software (SaaS) at these data centers
- Has a control environment that, while previously subject to external review, would still be best described as immature and not fully documented
- Has staff that are technical but not ISO 27001/ISO 27002 aware
- Pressure from clients for independent attestation, some ask for ISO 27001
- Need to achieve certificate (without great disruption to business) within 1 year
- Requires a fair degree of ISO-27001 consulting to prep for the certification audit
The “external” costs to become ISO 27001 certified were:
- Pre-certification Part 1: £15,000 (Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Part 2 Remediation Plan)
- Pre-certification Part 2: £15,000 (Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: £15,000
- Total cost for ISO 27001 certificate: £45,000
To this one-time cost we can add, in year 2, the annual external audit (£5,000) and the internal ISMS audit (£5,000).
Of these costs, the pre-certification is likely to be by far the greatest, unless you are already well prepared. It is also possible that pre-certification costs for your organisation could be significantly higher than those shown here. We have known organisations need up to £50,000 of pre-certification work on their existing ISMS. Finally, you should also consider the omissions below carefully:
Omissions: We ignore other associated annual costs such as annual penetration testing, maintenance and support costs of the ISMS infrastructure, and the cost of any staff (new or existing) or training required to operate the ISMS. We ignore the costs of new products (hardware/software) or services which you may need to build an ISMS if you do not already have something suitable to work with. If your organisation is very large or very complex, you will have a lot of Information Security to manage. The cost of the management systems/software may be significant.
ISO 27001 is not a one-time exam; it is more like a religion. It is a commitment to do things the right way every day, and to submit to regular audits to confirm you are observing the religion's practices every day, not just when the vicar comes to tea. The total cost of ISO 27001 certification is dependent in large part on the status and strength of your existing ISMS, which should not come as a surprise.
If you would like help preparing for ISO 27001, straightforward advice on improving your Information Security posture, or help answering Information Security challenges from clients or the regulator, talk to us.