ISO 27001 Information Security Management System – Planning and Implementation Cost

Author: Dacey Lyle

ISO/IEC 27001:2005, Information security management systems – Requirements, is an Information Security Management System (ISMS) standard published in October 2005 by ISO and IEC. There are many benefits to implementing ISO 27001 and obtaining certification. Implementing ISO 27001 allows an enterprise to benchmark itself against competitors, to give customers relevant information about its IT security, and to give management visibility into how information security is actually being managed.

With the help of ISO 27001 an organisation can improve the quality assurance (QA) of its information security, raise security awareness among employees, customers, vendors and other parties, and improve alignment between IT and the business. The standard also provides a process framework for implementing IT security, and it helps an organisation establish the current state of its information security and its degree of compliance with security policies, directives and standards.

Costs of Implementation

Before pursuing ISO 27001 certification, an organisation needs to consider the cost and length of the project, both of which depend on a detailed understanding of the implementation phases. Organisations that want to reduce costs but lack an understanding of information security often look to ISO 27001 certification to provide that knowledge about their IT security.

Implementation costs are driven by the organisation's awareness of risk and by how much risk it is prepared to accept. Four kinds of cost need to be considered when implementing this type of project:

  1. Internal resources – implementing an ISMS draws on management, human resources (HR), IT, facilities and security, so it touches a wide range of business functions.
  2. External resources – experienced consultants can save a large amount of time as well as cost.
  3. Certification – only a few accredited certification bodies currently evaluate companies against ISO 27001, but their fees are not much higher than for other standards.
  4. Implementation – implementation costs depend on the state of IT within the organization.

Information Security Management System—Planning for ISO

ISO/IEC 27001, together with its companion document ISO/IEC 27002 (formerly ISO/IEC 17799), details 133 security controls grouped into sections. These sections specify best practices for:

  • Business continuity planning
  • System access control
  • System acquisition, development and maintenance
  • Physical and environmental security
  • Compliance
  • Information security incident management
  • Personnel security
  • Security organization
  • Communications and operations management
  • Asset classification and control
  • Security policies

An ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars. ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:

  1. Stage 1 – Informal review of the ISMS, which includes checking the existence and completeness of key documents such as the:
    1. Organization’s security policy
    2. Risk treatment plan (RTP)
    3. Statement of applicability (SOA)
  2. Stage 2 – Independent tests of the ISMS against the requirements specified in ISO/IEC 27001.
  3. Stage 3 – Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard.

Independent evaluation necessarily brings some diligence and formality to the implementation process, and it must be approved by management. ISO/IEC 27001 certification should help to satisfy most business partners about the organization's security status. An organization chooses to be certified against the ISO 27001 standard to give its customers and partners confidence.

About The Author

Charles Wilson is an independent ISO 27001 Information Security Management System consultant based in the USA. He is an expert who guides clients through step-by-step system implementation, data security training, system awareness, internal auditor training and the preparation of documentation for quick certification.
