Dejan Kosutic You have this great idea that ISO 27001 will help you achieve compliance, attract new customers, decrease cost of incidents, and streamline your core IT processes? The idea is nice, but when it comes to implementation, things are getting complicated.
First you would have to convince your management (if you are not in top management yourself) that ISO 27001 is really needed in your company. Management is usually overloaded with other commitments and deadlines, and it is not likely that they would like to undertake another project to worry about.
Even if management is eager to do something about information security, the second question arises – how to finance it? At first sight, it may seem that “this paperwork shouldn’t cost too much”, but soon you realise that you have to pay for the consultant, buy literature, train your employees, invest in software and equipment, pay for certification etc.
But let’s say that by some miracle you find the money for it, and then the third question arises: who will actually do it? If you have a frank consultant, he or she will tell you that it is not enough for a consultant to provide you with templates of the documentation, but you must try really hard to customize the documentation according to your situation. But it doesn’t stop here – the consultant tells also that you actually have to do precisely what the documentation (and the standard) tell you to do. And it is a permanent obligation, not a one-time job.
So you come to your colleagues and ask them how you would divide the job for implementing and running ISO 27001, and suddenly they start talking about something else. Even worse, you might ask management to employ an Information Security Manager who, because of lack of such people on the market, doesn’t work for small sums.
So, you end up being appointed project manager for ISO 27001, with small or almost non-existing budget, with a team that does not really want to bother with information security, and management that wants the certificate as soon as possible once the project has started.
Are you still interested in ISO 27001?
To overcome most common problems with the ISO 27001 implementation, check out the Conformio compliance software.
