Implementing ISO 27001 – 3 Basic Approaches

ISO 27001
Written By Simon Hunt
Implementing ISO 27001 – 3 Basic Approaches

So you’ve taken the plunge and decided to implement ISO 27001.  If you’ve reviewed the standard, you’re now probably overwhelmed with the detail in clauses and controls and wondering what is the best way to go about applying the standard in your organisation.

Generally speaking, there are three basic approaches to implementing ISO 27001:

1 ) DIY - Do it all in-house using your own staff
2 ) Consultancy – Use an ISO 27001 Consultant to deliver the project
3 ) Hybrid Approach – Doing the project yourself but taking advantage of some external expertise

The approach that works best for you will depend on a number of factors including: your starting point, the in-house skills and resources available, how quickly you want to complete the project and your budget. Below is an explanation of each of the options, and who would benefit the most.

1) DIY Approach to Implementing ISO 27001

Using this approach, you do not use any external help, relying only on the skills, knowledge and capacity of your existing staff. By following this approach, your staff will carry out the gap analysis, interviews, and create all the policy and procedural documentation.

This approach to implementing ISO 27001 is possibly the cheapest of the 3 options because you’re not paying any consulting fees. Also, writing your own documentation may increase the commitment of your staff towards the process and the resulting information security management system (ISMS). It may also be the slowest option because you’re doing everything, usually alongside other business-as-usual activities. Also, if your staff are not experienced or skilled enough, it could prove to be the most expensive option, in the long run, because of mistakes and incorrect interpretation of the standard.

2) Using a Consultant

If you choose this option, you will hire an expert who has experience in implementing ISO 27001. The consultant will carry out analysis of your company, interviews staff and managers, create bespoke documentation, and manage the project. Basically, implementing the whole standard on your behalf.

If you hire a consultant with the right experience, this approach is likely to be the quickest way to achieve compliance with the standard. As well as knowledge of the standard, the consultant should have the organisational skills to move the project along and experience of working with certification bodies. This is also the best approach, if your staff have no extra time to dedicate to the project.

Consultancy clearly comes at a cost, so this is likely to be a more expensive option. Also, when someone from outside is carrying out the whole project, there is a danger of lower engagement and buy-in. Staff may feel that new policies and procedures are imposed on them, which can make the adoption process more difficult. A good consultant should be an effective communicator and have methods to overcome these kind of difficulties. Effective training will be an important part of ensuring acceptance of the new or updated ISMS.

3) Hybrid – DIY with some Expert Guidance

This is an increasingly popular approach to implementing ISO 27001. It’s combines some of the key benefits of the first two options. There are two main variations of this approach. The ‘Regular’ version is where you get an experienced consultant to carry out a gap analysis of your current situation and help you plan the steps to compliance based on the results of the gap analysis. You then use the plan to work through the implementation in-house. You may also ask the consultant to review progress or carry out a review of the completed ISMS.

In the ‘Lite’ version you typically bring a consultant in at the beginning of the implementation to explain the implementation process and help you plan the steps to compliance. You then work through the plan using in-house resources. In both the ‘Regular’ and ‘Lite’ versions, the consultant may also provide document templates for key policies and procedures required ISO 27001.

The hybrid option is usually less expensive than using a consultant for all the implementation tasks but you get enough expert help in the right areas to ensure a successful implementation. You also get more buy-in from staff as it’s ‘their’ project. And, as the policies and procedures are created (or tailored from templates) in-house, there is increased chance of quicker adoption and better on-going compliance.

It will still, however, be a steep learning curve, and your staff’s ‘day-jobs’ will, inevitably get in the way from time to time, so it won’t necessarily be the quickest way to implement the standard.

Which Option's for You?

Hopefully, you now have a better idea of the possible approaches to implementing ISO 27001 and based on your requirements, in-house skills, staff availability and budget it should be more clear which is the best approach for you. Most organisations now opt for a version of the hybrid approach. Construct IS have experience of ISO 27001 implementations of all shapes and sizes and can provide ‘light-touch’ assistance or provide a complete implementation service as required. Please feel free to contact us to talk through the options.

If you found this article useful, you may like:-

ISO 27001 Implementation Guide – No Sales Pitch
Security Gap Analysis
Implementing ISO 27001 – 3 Basic Approaches
Other ISO 27001 Articles

Simon Hunt
Previous

What should be in my Information Security Policy
Next

Security compliance challenges for SMEs