Is ISO 27001 certification just for large organisations? That is a question quite often put to me, and it also comes up regularly in public discussions. There is, for example, a discussion going on at the moment on the ISO27000 for information security management LinkedIn forum. In my view the short answer is no. The size of the organisation has no impact on whether ISO 27001 certification is feasible, appropriate or relevant. There may be factors other than the size of the organisation that make it relevant or not, as I will try to discuss later in this blog.
Sometimes the same question is asked without the word “certification”. ISO 27001 on its own is a standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Or, as I like to think of it, it is really just good practice for anyone who has information whose Confidentiality, Integrity and Availability they would like to protect…and honestly, who would not have that need? So I would suggest that any organisation, regardless of size, should get a copy of the ISO 27001 standard and perhaps also the ISO 27002 guideline (code of practice for information security controls). Read these documents and take some best practice into your own organisation.
So what about ISO 27001 certification? Is that feasible for a small organisation? As I have already alluded to above, I don’t think size matters when it comes to ISO 27001 certification, and it is definitely feasible for a small organisation to obtain it. Of course, reading between the lines, the question may really be asking whether the workload, burden and investment might be too much for a small organisation. I would say that depends a lot on how you approach the task.
If you look at the task of obtaining ISO 27001 certification and split it into its main parts:
1. Design and create the information security management system (ISMS)
2. Implement the ISMS
3. Obtain certification of the ISMS
4. Continuously improve the ISMS
If you then look at this from the perspective of a small organisation: 1) should be a small and simple ISMS reflecting the small size of the organisation. Typically a small organisation does not require as much documentation or as many policies as a large organisation. 2) is a lot easier and quicker in a small organisation, as there are fewer people to train, fewer assets, and fewer and smaller physical sites (typically just one site), etc. 3) is always based on the size and complexity of the organisation, so a small size and lower complexity means fewer audit days (see ISO 27006 for more details). 4) is often both easier and quicker to do in a small organisation.
So, doing the sums, I would say that ISO 27001 certification is very feasible in a small organisation, but whether you should do it is obviously another question. The reasons for not just leaving it at what I described above, i.e. using the standard as best practice and taking what you think adds value without considering certification, can be many. The typical and number one reason is that a customer or the general marketplace requires the certification in order to do business with you. The customer wants more than your “word” that the ISMS is in place and is working. They want an independent 3rd party to verify that the ISMS is in place, that it is working effectively and that it is achieving the stated objectives. There is also a lot of value in having a good 3rd party certification body (BSI for example) audit your ISMS. They cannot provide any consultancy, as they need to preserve their independence, but good auditors will provide you with opportunities for improvement based on best practice they see elsewhere.
So in summary, all organisations should use the ISO 27001 standard and, if there are compelling reasons, should look to obtain certification by a reputable certification body, irrespective of the size of the organisation.
At JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So if you are considering ISO 27001, call us now to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid the pitfalls.