9 practical tips for getting started with ISO27001


This advice is what I have been giving to organisations of all sizes (3 people to 100,000+ people) for the last 10 years. In every case the aim is both to get the certificate and to get real benefit from “doing” ISO27001.

This advice applies to organisations of any size including ones with as few as 2 people.

General advice and top tips

1) Read this very short (2 pages) overview of ISO27001: https://www.dhirubhai.net/pulse/what-iso27001-all-why-should-i-do-without-jargon-chris-hall-1e/

2) Be very clear about why you are doing it and the benefits it will bring. I.e. are you really committed to this? If not then you are not likely to be successful.

3) Make sure you understand that this will cost you real money. As a minimum you need to pay to get a certificate, but you are also likely to need some external help of some kind. However, the main “cost” is your time to do the things that ISO27001 insists that you do.

4) Get some external help. You can go it alone, but be prepared for a lot of work, for getting some things wrong the first time, and for spending time on things that you didn’t really need to do. If you get external help then this will cost real money but may well end up being better value. Watch out though, because a lot of external consultancy advice, even from very well established and well-known companies, is very poor. This external help can vary from (say) 1 day a month of “are you still going in the right direction?” through to someone “project managing” and “doing” the whole thing.

5) Avoid organisations that sell you document sets of templates/examples for implementing ISO27001. The main problem is that these are almost always way over the top as they are designed for generic businesses and will not work properly for your business. They all significantly over complicate it all and produce far too much documentation.

6) Read pages 11 to 17 of ISO27000 (free). This contains some definitions and a brief overall summary of how ISO27001 works. This is here: https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip

7) To get an idea of what ISO27001 is asking you to do read this article which gives a plain English guide to the detailed requirements. https://www.dhirubhai.net/pulse/plain-english-guide-meeting-iso27001-requirements-chris-hall/

8) Read sections 4 to 10 of ISO27001:2022. Not free. Available from lots of web sites. The master site is ISO: https://www.iso.org/standard/27001. Not exactly very clear or easy reading, but you must still have a copy. Read sections 4 to 10 in conjunction with the article referred to in tip 7. Ignore Annex A for now.

9) Start contacting certification bodies. One of the first things you should do is start contacting the certification bodies who will come and audit you and issue your certificate. You should do this early because, whilst it can take as little as 30 days to implement ISO27001 for a small organisation, getting the certificate might take longer as this is dependent on the availability of the certification auditors. Some guidance on this is in https://www.dhirubhai.net/pulse/how-choose-iso27001-certification-bodyregistrar-chris-hall/

Summary

Keep it simple.

Bonus tip: Read some of my articles about ISO27001. This is a list of them: https://www.dhirubhai.net/pulse/list-chris-hall-articles-chris-hall-j671e/

Chris

#iso27001 #chrishalliso27001

Maile Latamai

Information Technology Technician at Tonga Communications Corporation

5 months

nice clear instructions

I love the last sentence in #8
