Editor’s Note: This post was originally published in October 2016 and has been updated for accuracy and comprehensiveness.
Actually, a more frequently asked question is: “How fast can I get ISO 27001 certification?”
The answer depends on what is most important in your specific situation: do you want your certification Fast, Cheap, or Good?
As certification becomes a “requirement” to perform work for many companies, one of the biggest concerns many of Pivot Point Security’s potential ISO 27001 consulting clients have is the length of time it takes to get a certificate. There is an old adage in project management: “Fast, Cheap, Good; Pick any two.” The idea is that you pick two, but then the third will be whatever it has to be based on the other two choices. You can have good and fast if you’re willing to spend a lot of money. You can have fast and cheap, but the quality will be poor. You might even be able to get good and cheap, if you’re willing to wait a long time. With some minor variations this basic premise holds true for certification. The biggest caveat with ISO 27001 is that if you don’t at least hit “good enough” you fail to achieve certification.
I want to get ISO 27001 certified FAST (5 – 9 Months)
Sometimes the business risk associated with not having a certificate (e.g., “I’m about to lose a $12M contract!”) is greater than the risk associated with either building an Information Security Management System (ISMS) that is not fully optimized or spending an extensive amount to ensure that you build a great ISMS fast. Under this scenario the only real choice is: Fast, Expensive, and Good. Usually this means hiring a third-party consultant to provide the expertise and horsepower to move fast without compromising the quality of the ISMS. Pivot Point Security recently utilized this approach with a client in the financial services vertical, and they got their certificate in just over five months.
I want to get ISO 27001 certified CHEAP (9 – 24 Months)
When there is less urgency around achieving certification and the budget is tight, CHEAP is the right way to go. Under this scenario the best choice is usually: Slow, Moderately Cheap, and Good. Usually this means hiring a third-party consultant to provide limited expertise on demand to ensure the quality of the ISMS. Pivot Point recently utilized this approach with a client in the eDiscovery vertical, and they got their certificate in just under fifteen months. Another option is Slow, Cheap, and Potentially Good. In this scenario, you are going at it completely on your own, without the support of a third-party consulting firm. If you have ISO 27001 expertise on staff, this is a solid approach. If you don’t have ISO 27001 expertise on staff, the danger is that this could become very Slow and/or not very Good. We recently had a language translation client who was successfully certified using this approach in about eighteen months. Late in the process they engaged Pivot Point Security to perform a cursory review of their ISO 27001 artifacts in advance of their certification audit.
I want my ISO 27001 certification to be really GOOD (6 – 15 Months)
Being anything less than pretty good is really not an option for certification. We have seen two types of clients who really want to make sure their ISMS is Great rather than Good: clients who absolutely need a certificate to acquire or maintain customers, and clients that really need to mitigate the risk associated with highly sensitive regulated data (usually PHI/PII). For these clients the focus is on building a great ISMS. Under this scenario the best choice is usually: Moderately Fast, Moderately Expensive, and Really Good. Usually this means hiring a third-party consultant to provide expertise and manpower. However, to achieve a Really Good or Great ISMS you can’t just throw consulting resources at the project. It’s important that your staff plays an integral role in the development of the ISMS (which is why it’s only moderately fast and moderately expensive). It is only when your team understands the Risk Assessment and was integral to developing the risk treatment plan that they become stakeholders in the operation of the control environment. This is critical to operating the ISMS after the consulting company leaves. We utilized this approach with a healthcare client who was successfully certified in just over six months.
Hopefully this information will help you estimate your timelines. One notable caveat is that a global ISMS scope, multiple or highly complex data flows within the scope, and/or distributed and highly segregated IT responsibilities can significantly increase either the time or the costs outlined above.