Planning for and Implementing ISO 27001
Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA, is a director with Professional Consultant, a consulting firm. He has skills in business and technology consulting, as well as experience with audits and risk management, process reengineering, and business management. Since 1993, he has worked in an advisory role with national and international corporations across various industries. He served as vice president, in 2007–2008, and as membership director, in 2006–2007, of the ISACA Austin (Texas, USA) Chapter. He can be contacted at charpeln@hotmail.com.
ISO/IEC 27001:2005 Information Technology—Security techniques—Information security management systems—Requirements is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).[1, 2] The potential benefits[3, 4] of implementing ISO 27001 and obtaining certification are numerous. Implementing ISO 27001 can enable enterprises to benchmark against competitors and to provide relevant information about IT security to vendors and customers, and it can enable management to demonstrate due diligence. It can foster efficient security cost management, compliance with laws and regulations, and a comfortable level of interoperability due to a common set of guidelines followed by the partner organization. It can improve IT information security system quality assurance (QA) and increase security awareness among employees, customers, vendors, etc., and it can increase IT and business alignment. It provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards.
The goal of this article is to provide guidance on the planning and decision-making processes associated with ISO 27001 implementation, including associated costs, project length and implementation steps.
COSTS OF IMPLEMENTATION
Before implementing ISO 27001, one needs to consider the costs and project length, which are further influenced by the detailed understanding of the implementation phases. Any cost is painful in tough economic times. In today’s cloud computing environment, organizations that want to reduce costs without compromising information security are looking at ISO 27001 certification as a promising means to provide knowledge about their IT security.
Implementation costs are driven by the perception of risk and how much risk an organization is prepared to accept. Four costs need to be considered when implementing this type of project:
1. Internal resources—The system covers a wide range of business functions including management, human resources (HR), IT, facilities and security. These resources will be required during the implementation of the ISMS.
2. External resources—Experienced consultants will save a huge amount of time and cost. They will also prove useful during internal audits and ensure a smooth transition toward certification.
3. Certification—Only a few approved certification agencies currently assess companies against ISO 27001, but their fees are not much higher than those for other standards.
4. Implementation—These costs depend largely on the health of IT within the organization. If, as a result of a risk assessment or audit, a gap appears, then implementation costs are bound to go up based on the solution implemented.[5]
On average, implementation of a system such as this can take four to nine months and depends largely on the standard of conduct and the quality of management support (tone at the top[6]), the size and nature of the organization, the health/maturity of IT within the organization, and existing documentation.
ISO 27001 requires a company to establish, implement and maintain a continuous improvement approach to manage its ISMS. As with other ISO compliance standards, ISO 27001 follows the plan-do-check-act (PDCA) cycle, as shown in figure 1.
The cost factors mentioned earlier are directly impacted by the inventory of IT initiatives within the organization. Organizations with COBIT framework, Statement on Auditing Standards (SAS) No. 70 Type I and Type II, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST), or US Sarbanes-Oxley Act capabilities in place provide a ready inventory of set policies