How to Get My Small Business ISO27001 Compliant without Breaking The Bank

• 

  Lord Fart Bucket on 25/07/2023 - 12:18

  Weird question… is there a need to be ISO27001 compliant? Can you outsource it?

  • 

    knasty on 25/07/2023 - 14:01

    Yes, unfortunately it's a contractual requirement (and becoming more prevalent with large clients). Can outsource the basics but still need to adapt templates etc to the particular business.

• 

  ymidk on 25/07/2023 - 12:36

  +3

  Read the standard in the first instance, then develop a statement of applicability. Documentation is pretty basic (like most ISOs) - meaning you are probably capable of creating it all from scratch. It's a requirement of your customers because they think that you going through the process improves your IS understanding and, therefore, introduces less risk to their operations.

  I helped a friend get his startup ISO aligned for a big 4 bank contract. The most tedious part was convincing them to actually read the standard. Because they were only 3 guys, their statement of applicability was tiny and they were done in about a day (tho.. they were exceptionally smart and talented).

  • 

    knasty on 25/07/2023 - 14:03

    Thanks. Yes agree that the SoA is key but I'm already aware that I'm going to have at least 15+ policies that will be required. That's where I'm looking to get best bang for buck (in both $ and hours) from templates which will give me 80%+ of what I need from a content perspective.

    • 

      nicktork on 25/07/2023 - 15:51

      +2

      You're not reinventing the wheel with ISO27001, the controls you have in place are probably the same as most other businesses of the same type. ChatGPT is pretty good at writing policies like that.

• 

  Muzeeb on 25/07/2023 - 13:05

  +2

  To save most a quick Google…

  ISO 27001 is an information security management system (ISMS) internationally recognised best practice framework and one of the most popular information security management standards worldwide.

  • 

    knasty on 25/07/2023 - 14:03

    Cheers.

• 

  vr0ssi46 on 25/07/2023 - 13:27

  You don’t. 27k and low cost don’t mesh.

• 

  DJR9000 on 25/07/2023 - 17:47

  +2

  we went thru this at work (50-100 employees depending on the year of our cert). Initially we consulted out for it and then set up an ISMS inside our enterprise Confluence wiki - along with a few regular meetings of the ISMS, auditable actions for user account deprovisioning and access reviews, that kind of stuff.

  The consulting work was good as it built up the framework of who owned what and what the risks, controls and information assets were, the internal audit was more extensive than the external audit but we passed. 2nd time came around and rather than try and get it all done then also add in things like SOC Type 2 we went to Vanta who have an automated platform for all this.

  I really don't know the pricing of vanta but i don't think it was too bad for us given most of our business and staff are in the USA.

  I know that doesn't help greatly but i think you could definitely just start with the "keep it simple" approach - build up your ISMS in something like confluence or even just a teams folder, assign some regular tasks , keep documentation trails and engage an auditor to give you the cert. Definitely just keep things to the bare minimum to make it easy on yourself but when it comes to things like IT policies lean on existing standards such as Essential-8 and ITIL

  • 

    knasty on 25/07/2023 - 18:49

    Thanks for this. Yes I saw Vanta and it looked good but intend to take a KISS approach initially.

• 

  urahara on 25/07/2023 - 18:00

  What is the cost of doing yourself vs hiring professional ?
  How much times does it save you ?
  What is your level or urgency ?