Last Updated on October 7, 2021
Most organizations pursue ISO 27001 certification because they are under pressure from clients, regulators and/or investors to prove they can protect sensitive data. Often, there’s time pressure as well. Deals may be on the line. So let’s get that ISO 27001 certification in hand ASAP and we’ll iron out the details later, right?
Wrong. Trying to rush your ISO 27001 certification process can negatively impact your security posture and increase the risk of failing your certification audit.
To help firms steer clear this and other common misconceptions about ISO 27001 certification, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast in response to customer requests.
How long does ISO 27001 certification usually take?
It’s no surprise that one of the universal questions we get in our ISO 27001-as-a-service practice is, “How long is this going to take.”
As John relates, “’We really need to do it as soon as we can, because we have a contract we’re about to lose. Or ‘We have a contract we can’t win.’ Or ‘We can’t bid on this particular project unless we’re ISO 27001 certified.’”
But ISO 27001 certification isn’t a turnkey effort.
“Probably you could get ISO 27001 certified in three or four months,” says John. “But I wouldn’t advise you to do that, because it’s not going to be a good implementation. It might get certified, but it’s not going to maintain certification. And believe it or not, it may actually negatively impact your overall security posture. And it’s going to cost you a lot of money to fix it after the fact.”
“Getting ISO 27001 certified in most organizations should take… Six months is a pretty quick timeframe,” continues John. “10 or 11 months is typical, and anything longer than that is a little on the slower side. But if you’ve got an organization where there’s a lot of people involved, a large organization with some complexity, it’s not unusual for the project to take a year or so.”
Interdependencies must be addressed sequentially
As the ISO 27001 standard dictates, what you’re certifying is not your controls but your information security management system (ISMS). Like most systems, your ISMS processes interconnect and interoperate.
“The reason I say moving too fast is actually counterproductive is that there are elements of an ISO 27001 management system that are hierarchical and interdependent,” John shares. “As an example, take data classification. We can’t classify data until we understand what data there is. And data classification takes place by asset owners. So, until you have the concept of asset ownership, asset custodians, you can’t actually have data classification. And until you have asset management, you don’t have the idea of asset custodians.
“Those are three distinct controls that we’re configuring and setting up,” John points out. “If we do them in parallel, as you might imagine, you’re going to have things not work quite properly.”
Want to help your organization achieve ISO 27001 certification as efficiently as possible? Then don’t miss the invaluable guidance in this special podcast featuring ISO 27001 expert John Verry: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more meaningful information around how to manager your ISO 27001 Certification? Check out this blog post: Senior Management Can’t Just “Rubber Stamp” ISO 27001 Certification – Pivot Point Security