One of the questions most often asked about ISO27001 is how long it takes to implement. Several factors will influence the answer:
- The scope for your implementation of ISO27001
- How large your staff is
- How many sites you have and where those sites are
- The complexity of your organisation
- The level of resources you make available to the implementation
- How mature your current information security processes are
- Whether you want to go it alone or use a consultant
- The amount of regulation and legislation that applies to your organisation
- Whether you want to be certified
The scope you define for ISO27001 will clearly have a bearing on how long it takes to implement. The scope needs to be reasonable, but it does not have to encompass the whole organisation. For example, a large organisation with multiple business units might scope ISO27001 to apply to only one business unit, which will make implementation quicker than trying to implement it across the whole organisation with, let’s say, six business units of a similar size.
Larger, more complex organisations with multiple sites will typically require more time because of the number of systems, processes, and interested parties involved. Organisations with different products or services will multiply this; for example, a law firm with multiple practices in different countries will take longer than a local law firm which specialises in conveyancing.
The commitment of the organisation, and particularly that of senior management, will influence the amount of resource allocated to the implementation of the standard. Implementation is going to touch everyone in the organisation, from the most senior to the most junior staff member. The more resource that can be committed, the quicker the standard can be implemented.
The current maturity of the organisation’s information security systems and processes will determine how much needs to be done to bring the organisation up to the standard required by ISO27001. If the organisation already has a mature information security posture, it won’t take as long as it would for an organisation with an immature one. Starting with a gap analysis can help an organisation identify how much work it has to do.
Using a consultant will help to considerably shorten the timescale for implementation. The standard can be implemented with no previous knowledge, but this will inevitably take much longer and will probably involve more feedback from external auditors. External auditors are likely to increase the cost of audits, knowing that it will probably take them longer to audit an organisation that hasn’t used a consultant to help implement the standard. Using a consultant who also understands the audit process will help you make sure you’re implementing the standard in a way that lets your audits progress more smoothly.
Certification is going to take at least a month. There is a two-stage audit process for initial certification, and depending on the results of those audits you may find you have a lot of remedial work to do before you can be certified, or very little.
While the answer to the question isn’t simple, a small to medium-sized organisation can expect to get certified within 6-12 months, and a large organisation could be certified within 12-24 months. It depends on how committed the organisation is, what priority is given to implementation, and whether you want to use consultants or go it alone.