There are many reasons why an organisation may want to implement an effective Information Security Management System (ISMS), and the vast majority choose to proceed to have this independently assessed for ISO 27001 certification to give their stakeholders, customers and employees confidence in their approach. This evidence demonstrates a responsible approach to information security, which is important for customer confidence, legislative compliance and also helping to keep the organisation safe from the ever-increasing range of cyber threats.
Whilst some organisations will complete their ISMS implementation and certification project entirely through internal resources, this is unusual as there are some great methodologies, tools and resources available. These can help increase the chances of improving cyber resilience and certification success. It is important to understand that time and effort will be involved to develop the “information security culture” that is required to achieve ISO27001. That’s why we’ve created an ISO27001 checklist to help your organisation to adapt.
Most organisations will typically take between 9-12 months from project inception to the completion of certification activities. This is only a guide however. It will vary depending on the complexity of the business, the number of employees and the amount of resources and time that has been assigned to complete the project.
So how much will this cost? That depends on the cost of the organisation’s labour resource, the use of external specialists, expenditure for implementing controls, fixing risks, undertaking technical tests and the certification process itself. Most credible UKAS audit companies will charge in the region of GBP £5,000 for initial certification, and an ongoing day rate for surveillance audits each year. This is neither a quick nor cheap activity to undertake, but the value of the benefits of customer confidence and business resilience are widely acknowledged as far outweighing the costs of achieving an ISO27001 certificate.
We’ve been implementing successfully certified information security management systems for over twenty years. Our experience over that time has allowed us to develop and deliver a variety of resources, which continue to support successful ISO27001 certification projects to this day. It’s also why many of our new customers are pleased to have been referred by those we already work with.
… with our extensive free resources, which provide a solid foundation for customising to meet your organisation’s specific information security and risk management requirements. Be wary of suppliers who may claim that they can write documentation without taking time to understand the nature of your business, or those who may have pre-prepared documentation that is claimed to be fit for all purposes.
It’s embarrassing and time-consuming to find out that your ISMS documentation is not meeting the mandatory requirements of ISO27001 during the certification phase. If you require support in customising Activ documentation please get in touch – we have a number of experienced and friendly partners who would be pleased to assist you.
The main elements of the ISO27001 standard are to implement approaches to the management and delivery of effective systems for the identification, management and treatment of risks – both to information assets (data) and any supporting assets upon which they rely for their security (e.g. premises, hardware, software etc). That’s why we developed Activ Secure, which has at its core our proven risk management methodology and workflows.
Already deployed in many countries around the world and with a healthy portfolio of successful customer certifications to its name, Activ Secure provides an intuitive and user-friendly means of complying with Sections 6.1.2/8.2 (Information Security Risk Assessment) and 6.1.3/8.3 (Information Security Risk Treatment) from the standard (as well as many others!) The best means of seeing Activ Secure in action is to explore our demonstration environment or ask us for a guided tour. We also have training materials available to help you and your colleagues become familiar with the many features of Activ Secure quickly and easily.
If you would like a helping hand with setting up or using Activ Secure, our experienced team would be pleased to discuss your requirements with you.
The journey towards ISO 27001 does not need to be daunting. Our advice is always free, and our services are here to help you when you need them.
Andy Beverley, Activ’s Group Software Development Director is an entrepreneurial software developer with a solid technical background. This, coupled with a strong entrepreneurial flair has led him to become involved with multiple tech start-ups, one of which was InfoSaaS which later became Activ.
Andrew is the man behind the Activ product in terms of software conceptualisation, design, and development, and is the longest-serving member of the Activ team. Andrew was first employed to create a database for cost management and has previously been directly involved in the production environment of BS5750, prior...
Owen Roberts-Thomas is Activ’s Legal Team Manager. As well as being the man behind the Legislation Outlook, Owen’s team can provide expert legislation-related advice to our Activ Comply clients. Owen’s legal expertise lies in the environmental, health and safety and information security management fields, and...
