ISO/IEC 27001:2005, Information Technology—Security techniques—Information security management systems—Requirements, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The potential benefits of implementing ISO 27001 and obtaining certification are numerous. Implementing ISO 27001 enables enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it enables management to demonstrate due diligence. It can also foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability, since partner organizations follow a common set of guidelines. It also helps improve quality assurance (QA) of the IT information security system, increases security awareness among employees, customers, vendors, etc., and can increase IT and business alignment. Finally, it provides a process framework for IT security implementation and can assist in determining the status of information security and the degree of compliance with security policies, directives and standards. Many software development companies, custom application development companies, web application development companies, etc. are leveraging the benefits of implementing ISO 27001.
Costs of Implementation
Before implementing ISO 27001, one needs to consider the costs and the project length, both of which depend on a detailed understanding of the implementation phases. Also, in today's cloud computing environment, organizations that want to reduce costs without compromising information security are looking at ISO 27001 certification as a promising means of providing knowledge about their IT security. Implementation costs are driven by the perception of risk and by how much risk an organization is prepared to accept. Companies such as software development companies incur various costs during implementation. In total, four costs need to be considered when implementing this type of project:
1. Internal resources—The system covers a wide range of business functions, including management, human resources (HR), IT, facilities and security. All of these resources will be required during the implementation of the ISMS.
2. External resources—Experienced consultants will save a large amount of time and cost. They will also prove useful during internal audits and ensure a smooth transition toward certification.
3. Certification—Only a few approved certification agencies currently assess companies against ISO 27001, although the fees are not much higher than for other standards.
Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)