What about this ISO 27001
I am often asked about ISO 27001. The first question is usually: I need it for a client, can I have it now? This is an interesting proposition. A business would like to implement ISO 27001 immediately: put in place the risk management policy and process, the risk register and the risk treatment plan, and an Information Security policy that may fundamentally change the way people work. Whilst at it, it wants to immediately implement the 133 controls of ISO 27001, which cover everything from change control and asset management to internal audit. Oh, and ISO 27001 requires the gathering of evidence to prove that all of this is working in an effective, mature way. Have a guess which way the answer might go?
There are businesses that will say yes and do it. But in audit terms the certificates that result are usually not worth the paper they are written on.
The second question is then: how long will ISO 27001 take?
A typical ISO 27001 implementation takes around 9 months. It varies with the controls you already have in place, but 9 months is a good average estimate. Within that, allow a minimum of 3 to 6 months for collecting ISO 27001 evidence: the records that prove the framework is implemented and, more importantly, is being operated effectively. The audit assesses whether the standard is both in place and working, and a few weeks of records cannot show that.