What is the best way to approach an ISO 27001 project?

Great question! Too many organizations get this wrong. With the wrong approach you will set back your ISO registration by a year or more, misunderstand the whole point and cause substantial amounts of extra work.

Unfortunately there are many consultants out there who don’t understand this either and they are providing the misdirection.

ISO 27001 is a management system standard. Its goal is to enhance information security, but the way it does that is by building a management system that ensures success. It is NOT about information security controls and protecting information. Well, obviously it is about these things, but only in outcome terms, not in terms of process.

Too many organizations pass the ISO 27001 project to the information security or IT organization, or seek out a consultant with expertise in information security. Typically these sources will focus on the technical and security aspects of information security and spend a lot of time and money reviewing your security status, conducting tests and designing solutions. While this is definitely part of the program, it is NOT what ISO 27001 is about and it won't get you registered. Further, this is the most expensive part of information security and takes the most time. Delays and cost are a turn-off to top management.

The whole philosophy behind ISO 27001 is that you establish processes within your organization so that you understand your information security situation and what it means in risk terms, communicate it clearly to those ultimately responsible, and take only the actions that you choose to. That is it. It is not about physical security, network scanners or patching processes. If any of these are good ideas in your organization, the management system will identify them, quantify what that means and allow those responsible to make the risk/return decision.

Addressing the controls can often take years, and you don't need to have done that to get ISO 27001 registered. If you start from the management system direction you can be ISO registered in a few months and have ever-improving information security from then on.

The consultant best placed to do this is one with more ISO experience than security experience. If your consultant is pressing for too much security, then you probably have a long wait and a lot more effort to go before you get ISO registered.

