I (Farzan speaking here) remember when I was first looking to break into cyber security just over two years ago. Reading 100s of job descriptions trying to work out what was needed to enter the industry. I came across “ISO 27001” listed within job duties and required experience.
My immediate thoughts were what is this sorcery, this sort of name for anything computer related sounds like an IT Crowd reference. Something purely technical that should be left to specialists. It just seemed like a random collection of numbers and letters, designed to confuse anyone. Obviously, my impulse thoughts calmed down after a Google search, it began to make (slightly) more sense.
However, here I sit a few years later involved in ISO 27001 engagements, I realise it’s much more digestible than I initially thought.
So what is ISO 27001?
Simply put, ISO 27001 is an internationally recognised standard for establishing, implementing and maintaining an Information Security Management System (ISMS) within a business.
It is one of the most globally recognised standards in regard to information security. For a more in-depth breakdown about the process, you can read about it on our website. In a nutshell, ISO 27001 helps manage information security risk within a business.
With increasing cyber attacks, it provides a holistic and tailored framework for any business of any size.
It even fits small businesses?
Yep you guessed it! Contrary to popular belief, small businesses are susceptible to cyber attacks. As per the 2024 UK Cyber security breaches survey, 58% of UK small businesses identified a breach or attack within the last 12 months.
An effective ISMS helps demonstrate management of cyber security within a small business, bolstering cyber resilience. Whether you’re a business of a thousand or one, it can be moulded to fit your environment.
ISO 27001 offers a range of benefits for small businesses. It provides a structured framework approach for managing information security risk. This can help demonstrate compliance with legal and regulatory requirements. It also helps demonstrate a good security story, often giving you a competitive advantage.
Why is it seen as the gold standard?
ISO is like the tailored suit of compliance, it wraps around your business, rather than wearing something off the rack and trying your best to make it fit…
The ISO 27001 standard highlights key areas of focus to demonstrate good and continuously improving cyber security.
What makes it a great standard to work with is actually how it begins. The first clause you have to focus on implementing is clause 4. This clause is all about understanding your business context. Essentially, everything trickles down from this point. You are able to consider information security risks relevant to your business, as you are conducting thorough analysis of your context.
Something to be mindful of however is compliance is only one way of tackling cyber security. There are many activities that can be conducted outside of the ISO 27001 guidance that offer a unique way of managing your risks.
Compliance will help build a good foundation, however, if you wish to go above and beyond, you should be looking at supplementary security actions. For example, a business involved in software development may look at innovative ways to introduce security within their pipeline, such as trialling different methods of automated testing.
What does the process look like?
As mentioned above, ISO 27001 is designed around the context of your business, alongside setting the scope for the ISMS. From there, the process involves identifying, managing and mitigating information security risk. The risk management stage allows us to design a program around continuous improvement of the ISMS, involving people, process and technology. This will then be audited internally, then audited externally (if you wish to certify) achieving certification to ISO 27001, if your ISMS conforms to the standard.
The four main pillars that the 2022 version of the standard sits under are divided in the following: Organisational, people, physical and technological. As we can see, technological is only one of the pillars within the standard’s focus, ISO 27001 is very much about embedding holistically across a business, rather than being a purely technical-focused standard.
ISO 27001 is typically implemented through the PDCA Cycle:
Plan - What you wish to achieve and how to do it
Do - Implementing what you have planned for
Check - Confirming if things went as planned
Act - Closing the gap between planned and check phase
Once certification is achieved, a big step is demonstrating your commitment to continuous improvement of the ISMS, seen mainly through annual surveillance audits. The certification body will then reassess you on a 3 year interval, as part of the 3 year recertification audit.
There is no defined method for implementing ISO 27001, however, as mentioned above it is typically implemented with the PDCA cycle. The stages typically look something like this:
Understanding the business context - Gathering relevant information, setting the scope, creating an asset register and conducting a gap analysis to see where things stand
Leadership commitment - Top management showcasing commitment by establishing an information security policy and defining the relevant roles and responsibilities
Planning - Conducting a risk assessment and creation of risk treatment plan, identifying and creating policies, conducting the statement of applicability, setting the information security objectives, identifying areas of improvement
Support - Top leadership providing the resources required to implement a functional ISMS, alongside communicating information to relevant parties
Operation - Conducting risk assessments at planned intervals or when significant changes occur, implementing the risk treatment plan actions
Performance evaluation - Monitoring, measuring, analysing, and evaluating the performance and effectiveness of the ISMS, conducting an Internal audit, conducting a management review
Improvement - Addressing any non-conformities and showcasing continuous improvement
How much will it cost?
Costings on ISO 27001 are very dependent on factors such as your business context and the route you choose to take for implementation and if you even wish to certify at the end.
You can implement an ISMS and choose not to certify, however, this would be like England winning the Euros (this has to happen one day right?) and not collecting their medals, you might as well celebrate your hard work.
Depending on how you implement it will also determine if you need someone external to conduct your internal audit. To keep things impartial, anybody who has designed your ISMS cannot then perform the audits, as this would be like marking your own homework!
The costings might look something like this approximately:
Implementation of an ISMS:
Do It Yourself: Free if you choose to implement internally. However, purchasing bundles and templates to guide you typically costs around £500.
Hire an External Consultant: Costs vary, but a small business can expect to pay around £10,000 - £20,000 for implementation, typically spaced out over a year. At Practical Infosec, we give the option to bundle ISO 27001 implementation as part of our Security Journey service, from £1,500 a month.
Internal Audit:
Do It Yourself: If you can use someone in the business who has not been involved with the design and implementation of the ISMS, you can do this in-house for free.
Hiring Someone External: Costs depend on the number of engagement days required (typically around 2-4 days). Companies conducting internal audits typically charge roughly around £2,000 to £6,000 for this engagement. Alternatively, hiring a freelancer can lower the rate, typically costing around £1,000 - £2,000.
Certification and External Audit:
You are not required to certify, but you miss a plethora of benefits by not being officially certified. The stamp of approval offers reassurance of security, competitive advantages, and many more benefits. Typically, certification costs for a small business range between £4,000 - £7,000. You can see a further breakdown here.
Surveillance Audit and Re-Certification Audit costs:
If you choose to certify, then you will have to also conduct a surveillance audit annually to check that you are conforming to the ISO 27001 standard. According to HighTable, the cost of the ISO 27001 Surveillance Audit is roughly 1/3 the cost of your certification audit.
As mentioned above, you also have to perform a re-certification audit every 3 years. This will be the same cost as the certification audit cost.
Continuous improvement
Cyber security is not a one time exercise. It constantly needs adapting as your business changes and as the threat landscape changes. So for this reason, ISO 27001 provides a great framework that lays down a strong foundation for your business to measure, implement and review how you are improving your cyber security measures.
I promise, it may have an intimidating name, but it is very much a standard that blends good security with practicality.
For that reason, Practical Infosec provides consulting around its implementation. Click here to find out more about ISO 27001 For Small Business.
If small business cyber security is an area you wish to focus on, any enquiries about ISO 27001 or anything else, you can book a free call here or get in touch.
Comments