Are you aiming to get an ISO 27001 certificate soon? Are you wondering whether you need special software and/or an external consultant to pass the audit and warrant getting the certificate?
This article tells you the conditions under which you need the specialty software and/or external consultants. The last part guides you in making decisions about these to achieve your goal of ISO certification.
What does the market offer to help you?
By simple online search you will find tons of vendors who can help you obtain the certificate. Their service is one of the followings:
- Policy document templates and implementation toolkit; or
- Cloud-based software to manage all policies, documentation, and evidence collection; or
- Advisory services to implement ISO 27001 controls until successfully pass the audit; or
- Combinations of the above.
SaaS as the recent hype
The usage of cloud-based software, known as SaaS (Software as a Service), in this industry is hyped and, therefore, growing fast in the past few years because of two reasons: an increased demand for compliance towards ISO 27001, SOC 2, etc. and a relatively complicated way of work using the old-fashioned tool such as spreadsheets.
Using large funding from Venture Capitals (VCs), some vendors develop their own SaaS. Both the VCs and the vendors believe that compliance requirements have become utilities where every business must adhere to in order to succeed in the digital business.
But if we could turn back the clock to let’s say 5-10 years ago, we would find many organizations able to pass the ISO 27001 audit and obtain the certificate without such specialty software. It might be a painful journey through spreadsheets and lots of emails and phone calls, but it could be done.
A variety of cybersecurity consultants
External consultancy services to help organizations implement ISMS (Information Security Management System) based on ISO 27001 is also growing rapidly. We are one of them. Some consultants stay independent; some are part of value added services provided by the software vendors. Either way you will always find someone who can help implement the controls described in the ISO standard.
But do you really need the SaaS and the consultant to succeed? Yes and No.
Why?
If you believe that you or your team members have enough time and resources to understand the ISO standard requirements, it can be done with the existing software you have. Perhaps combine it with purchasing document templates to speed up the process.
Although it may sound biased, we believe that the ISO 27001 (together with ISO 27002) documents are self explanatory and relatively easy to follow. With help from online discussion forums, it still can be done and you will successfully pass the audit. Don’t be afraid about minor non-conformities, because there’s no such thing as 100% compliant or secure.
A specialty software and an external consultant can be of tremendous help when time is limited and you don’t have dedicated resources to manage the implementation project.
What you need to keep in mind is that ISO 27001 is not a one-time audit process. The audit is carried out annually. Hence, if you choose assistance from the software and external consultants, you will pay them continuously.
Alternatively, you hire a consultant for a certain period of time as a learning curve for your team. Pick a consultant who is keen to coach and guide you doing the task independently.
In short, what you can do:
- Figure out which standard your organization needs to comply with.If it’s only ISO 27001, you can get ahead with a tool you already have such as Spreadsheet, Sharepoint, JIRA, and Trello. If there are more than one standards, then you have to find out the similarities and differences between them to decide the most efficient approach you will take to comply with those standards.
- Download the standard and read it through. Check yourself, together with your team, if everybody is confident to do it themselves without external help. For ISO 27001, don’t forget to also download the ISO 27002 document. It will help you gain more understanding of the controls to be implemented.
- Calculate the costs vs. value that compliance software will bring to your organization. The costs include among others: license and subscription fees, additional cost for extra support during implementation, and reduced working hours of your employees as they learn the software.
- Lastly and most importantly, use these efforts to acquire the certification as an opportunity to really improve your company’s IT processes and controls.
If things at your firm are more complex than mentioned above, you can book a free 30-minute consultation here (no strings attached). Book here.
Related articles that may be useful for you:
ISO 27001 or SOC 2 - Which one should small business choose first?
Are all ISO 27001 certificates the same?
Are all ISO 27001 certificates the same? (Part 2)