ISO 27001 is one of the most important security frameworks in the world. Any business that wants to operate internationally, especially if they have contracts with certified brands or international governments, or they want to open the door to those contracts, will need to achieve ISO 27001 certification.
There’s just one problem: it can take a long time to achieve.
How long? Well, depending on who you ask, it can range anywhere from two months at the absolute short end, to as much as four years on the outside. Of course, it can technically take an endless amount of time if no one is on board and no one buys in, but we’re ignoring the orgs that don’t really want to achieve compliance, just look like they’re working at it.
Businesses already have a hard time planning for the future more than a few months out. When it comes to something as important and detailed as ISO 27001, it’s usually best to get it done as soon as possible. That way, you don’t lose details or let systems fall by the wayside as you go. It’s easier to keep everything in scope in mind while you work when you’re pushing deadlines.
It’s easy to say that, but a lot harder to do. So, how do you speed up the ISO 27001 process? Here are our top tips.
BLUF - Bottom Line Up Front
ISO 27001 is a key security framework for international business operations, crucial for gaining contracts with certified brands and governments. Achieving certification can take from two months to four years. Key strategies to speed the process include securing executive support, setting realistic budgets and timelines, prioritizing employee training, using software effectively, and possibly hiring consultants. Centralize documentation with tools like the Ignyte Platform to streamline compliance tasks and audits.
Get Buy-In from the Top
If you talk to anyone in charge of ISO 27001 compliance about their experience, or to any contractor who prepares companies for ISO 27001 compliance, they’ll all say one thing.
Executive buy-in is by far the single most important factor for success.
If your executive team is under the impression that they’re already pretty secure and that achieving ISO 27001 compliance is a simple matter of filling out a few forms and submitting them, you’re going to be in for a very hard time.
Executive buy-in is critical for three things.
- Budget approvals.
- Timeline expectations.
- Permission for systems changes.
We’ll talk more about the budget and timeline shortly, so let’s look at the third for now. Establishing an ISMS and making sure your systems, policies, and networks are secure is the key part of ISO 27001 compliance. If every single change needs to be reviewed and re-reviewed by leadership, with permission fought for the whole way, it’s going to be a long and tedious process to achieve certification. That’s if it’s even possible. No small number of organizations have talked a big game about ISO 27001, only to never make tangible progress.
The only exception to this is if you’re already in a very good position, security-wise. If you’re already CMMC or FedRAMP compliant, for example, then something like 75% of the work is done for you already. You’ll still need to do the rest of the work, and identifying what work still needs to be done is a whole process, but it’s better than starting from scratch.
Set Realistic Budget and Timeline Expectations
Budget and timeline are two numbers that often shock executives when they’re discussed.
A fast, relatively cheap ISO 27001 implementation, from the initial self-analysis to the ISMS development to the tech and policy changes, training, and final review, will cost somewhere in the neighborhood of $50,000. That same fast process can take 6-12 months easily, and that’s with a small organization with agile administration, proactive training, and relatively few systems to secure.
The larger the organization, the more people involved, the more training necessary, and the more systems the ISMS has to secure, the more both of those numbers are going to go up. Huge organizations can take well over a year and six figures. Even the annual recertification audits can cost $10,000 to $15,000 easily, and more if the company is large enough.
There’s an inclination in business to downplay the realities of a situation in order to get better approval. It’s easy to want to tell the CFO that it’s only going to cost $30,000 and the CTO that it’s only going to take three months.
The problem that arises if you downplay the costs involved is that when you inevitably fail to meet deadlines and go over budget, you look a lot worse, and the prospect of achieving compliance immediately falls off the rails. It’s universally better to set more realistic expectations, make sure everyone involved is on board, and if you come in sooner or under budget, great.
Establish a Culture of Employee Training
ISO 27001 can be very broadly broken down into two components: technological and physical security, and human security.
Generally speaking, it’s a lot easier to set up technological security measures than human security measures. You can lock doors and require badging to get in, but you have a harder time training people not to hold the door open for one another. You can lock down accounts with multi-factor authentication, but it’s a lot harder to prevent account sharing for simple tasks. You can put controlled information behind a need-to-know screening, but it’s a lot harder to get people not to start sentences with, “I really shouldn’t say this, but…”
One of the steepest cliffs to climb with ISO 27001 compliance, then, is making sure that your employees are trained properly. Depending on the person and their role, this might be just a few simple policies, or it might be a large and detailed manual of elements to learn. Since training takes time, the more you need to cover, and the deeper the detail, the longer it will take.
Fortunately, you can mitigate some of this through proactive training and messaging that emphasizes how important compliance is, as well as the possible penalties for violating compliance.
Don’t Expect Software to Do It All for You…
Another significant issue that crops up with businesses seeking ISO 27001 compliance is the assumption that software can automate it for you.
Don’t get us wrong; this isn’t a problem with the businesses. This is a problem with the software companies using messaging like “ISO 27001 Made Easy” and other overly-simplistic taglines.
Software can handle some automation. They can have built-in lists of devices or systems and software, along with checklists of what needs to be done to secure them. You run an app, you plug in a list of your systems and devices, and it does whatever automated checking it can, gives you a checklist of things to check manually, and feeds you a report on what passed and what failed.
Do you see the problem?
You don’t know what you don’t know. If you rely on software to do your reviews and self-assessments, you can end up in a situation where you think you’re passing, but there are huge gaps in your ISMS. Some elements you think are secure aren’t accessible to the software, so it can’t tell you about them. Some elements change frequently and can be insecure in alternative modes. Some elements aren’t always present, like devices checked out of the office. All of these can trip flags and cause problems, but won’t be seen by the software.
You can be very confident in being very incorrect, and it’s a rude awakening to reach the point of paying for a $10,000 final audit only to fail miserably because you relied on software to do the work for you.
In a lot of cases, the programs you might use are also going to be finicky and tricky to use. There are common reports of any new connected device triggering a full re-audit, for example, wasting time and resources. This might be an issue with specific apps rather than with software in general, of course, but it’s an example of what else can go wrong.
…But Don’t Write It Off Completely
While it might sound like we’re down on apps and software, the truth is we’re just tempering expectations. In fact, in a modern business with numerous interconnected devices and systems, it’s almost mandatory to use a decent piece of software to help do auditing regardless.
The point is not to say that software is bad. The point is to remind you that software is a tool, not a solution. You still have to go through ISO 27001 page by page, evaluate every security control in how it relates to your business, and develop your statement of applicability. You still need to perform an assessment of your current security posture and a gap analysis between where you are and where you need to be.
Effectively, you can use a piece of software to do a lot of the work that can be automated. Once it’s done, you can then fill in the gaps around it, both with other aspects of your digital and physical systems that the software can’t touch and with your personnel security and training.
As with any tool, ISO 27001 helper programs are only as good as their access and their ability to be used. If they can’t give you a full overview, don’t treat them like they can. If they can’t make configuration changes and can only report on gaps, use those reports.
There are no shortcuts to good security and security compliance. Your organization will need to put in the work, and a program can’t shortcut that for you.
Consider Hiring an Experienced ISO 27001 Consultant
Depending on the scope and scale of your business, the information you handle, and the compliance needs you have, it might be a very significant amount of work. In fact, one of the biggest issues that many businesses face when it comes to ISO 27001 compliance is even knowing where to begin.
To that end, there are a lot of companies out there that offer consulting. These organizations may also double as full certification auditors, though they generally can’t both consult for you and perform the full audit. The point is that they know their way around ISO 27001, and they know how to perform internal and casual assessments that can figure out your baseline and where you need to go to achieve compliance.
This is a trade-off. On the one hand, a consulting firm can dramatically speed up the process of achieving compliance because they know what they’re doing; they have processes for analyzing, documenting, offering reports and instructions, and re-evaluating systems along the way.
What you save in time, you make up for in money. Consulting firms aren’t exactly cheap, and retaining their services for ~6 months can be a significant expense.
For some companies, saving time by spending money is the best option. For others, budgets are tight and a cheaper, longer, DIY process may be more ideal. It’s up to you and your executives which option is better for your company.
Centralize Records with the Ignyte Platform
At Ignyte, we’re experts in all of the major security frameworks, both domestic and international. That includes ISO 27001. We’re here to help in several different ways.
First, you can browse this blog and check out our variety of educational posts on ISO 27001. For example, here is an analysis of the changes between ISO 27001:2013 and ISO 27001:2022 and what you would need to know to update. For more general use, here is a guide on what is involved in the ISO 27001 audit process. Reading our resources is one way we can help.
Another option is to reach out and contact us directly. While we’re not going to offer full consultations for free under the guise of a phone call, we can help advise you on the steps you should take and the expectations you should set.
Third, and most importantly, our Ignyte Platform was designed specifically to help businesses work on compliance with security frameworks internally. It functions as a centralized record-keeping and collaboration tool armed with modules and checklists to help you achieve compliance in any of more than 50 frameworks, or as a free-form tool. With it, you can ensure your documentation is kept in one place, securely, and with the most updated iterations of your ISMS on hand. It makes the process of achieving compliance, performing internal assessments, and even completing the final audit much easier.
If you’re interested in seeing what our platform can do for you, by all means, book a demo today so we can show you the ropes.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.