When setting out to write any article, it's worth taking a moment to consider who you are writing it for. In this case, for every role/position I came up with, it distilled down to two key drivers:

• ISO 27001 has been identified as supportive for their business growth plans; or

• ISO 27001 has become a requirement for the business to have by one or more key client

It is possible that you are reading this just because you want to do it, or believe it to be a positive thing for your business - but you would undoubtedly be in the admirable minority.

So let's pull both of the above a part to interrogate them further:

A requirement for their business growth

If you have identified ISO 27001 as a requirement for your business growth, then what that probably means is that you have recognised that it is either:

• Something your competitor/s have; or

• Something that you have identified project bids/tenders are asking for

Either way, not having ISO 27001 is going to become a limiting factor at some stage in the not-too-distant future.

Required by one or more key client/s

With the rapid rise in cyber crime, coupled with the introduction of the GDPR, more and more businesses are recognising the value in measurable and externally validated information security.

As such, many (larger) businesses are looking at their supply chain with increased scrutiny where data is involved and seeking some sort of confidence with suppliers around their data processing security. ISO 27001 goes some way to satisfying that scrutiny, providing 3rd party validation of your security posture.

When should you start doing ISO 27001

ISO 27001 requires the implementation of an "Information Security Management System", an "ISMS" (more on this in: What is an ISMS). You can break down the implementation into roughly 4 main chunks (you can read more about it on our ISO 27001 page):

• Initial assessment (sometimes referred to as a Gap Analysis)
  If you do this bit efficiently, it helps to identify the work needed to meet the requirements of ISO 27001. It also helps you to put together an implementation plan and identify what must be done before being audited and what can wait.

• Implementation - putting in place the requirements of the standard
  Depending on the size and complexity of your business, the time to implement the ISMS will vary - I would suggest for micro businesses you should be considering at least 3 months, for larger, more like 12-18 months or longer

• Documentation - developing the required documents to support your ISMS
  The documentation requirements are less than many think - largely due to bloated templates that some providers supply. Regardless, making sure your policies actually describe how you work and that you can provide evidence of them in action - that's where the work is.

• Certification - that's the audit bit
  You will need your ISMS operational and gathering evidence for (we would suggest) a minimum of 3 months before you can be audited. The audit then splits into two chunks - a Stage 1 and Stage 2 audit. These are usually a minimum of 6 weeks apart.

What's my point? Meeting the requirements of ISO 27001 takes a while - you can't decide you want or need it a couple of months before it becomes an absolute requirement. You will be unable to go from a standing start to certified in any less than four months (due to the external limitation of audit spacing and evidence requirements). Given that it will take several months, start as soon as you can so you don't miss out on those large projects or contract renewals!

Then comes the inevitable question - "What does it cost?"
That's a great question and the subject of our next blog...

In conclusion

ISO 27001 is unlikely to be a vanity project. It will almost certainly be a "downward driven" (i.e. required by a customer) undertaking and, to that end, it is often taken on somewhat begrudgingly.

However, done right, it has the potential to improve your business, saving you time, effort, energy and money in lost productivity and overheads. It can put structures in place to protect your business and make it more efficient. It has, in short, the potential for great good - but equally, implemented badly, it will have quite the opposite effect and tie you up in lots of time-wasting red tape.

Our top tip - get a good consultant to help you!

Share this article

If you found this article helpful, please Tweet, Pinterest, LinkedIn, Facebook - do what you do to share it with others you think will benefit from reading it. Thank you!