Inspire - Imagine - Improve

ISO 27000 Certification

ISO 27000 Certification Services

What is ISO 27000?

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes, and IT systems by applying a risk management process. It can help small, medium, and large businesses in any sector keep information assets secure.

What is the path to certification?

i3 Design and Consulting 5-Step ISO 27000 Certification Process

Our proven Information Security Management System (ISMS) development and implementation approach is based on project management methodologies. We use a structured approach for defining project plans, specific responsibilities, and verification of results. The result is a development and implementation strategy that is more efficient and supports first-time compliance or registration to the ISO 27001 requirements.

i3 Design and Consulting uses a five-step approach:

  1. System Scope and Project Planning. In this phase we validate the current scope, review all currently developed documentation and data, interview key stakeholders, and develop a PMI/PMBOK-based project plan.
  2. Documentation Development and Tools Implementation. The objective is to instantiate the process, plan, and tool infrastructure for the ISMS. The key document for the ISMS is the Information Security Framework. This document lays out the scope of the ISMS and maps the process infrastructure and its associated relationships. Concurrently with the Framework, we develop and tailor the Information Security Management Plan and the required policies, processes, procedures, work instructions, plans, forms, and templates. To support the process implementation, we use your existing IT infrastructure to implement simple, easy-to-use tools. For most organizations, we configure an existing Microsoft SharePoint portal environment or ServiceNow platform to implement a process asset library, a change-tracking tool, an incident and problem management tool, a corrective action tool, a process improvement request tool, and a risk management tool.
  3. Training and System Implementation. The objective of this phase is to train your functional staff on the activities and artifacts/records needed to support the ISMS and substantiate the system for audit. We offer Microsoft PowerPoint or SCORM-compliant Computer Based Training (CBT) process training options. After completing the training, we work with you to implement the processes and plans. As execution proceeds, we collect and monitor process and performance data to incrementally improve the ISMS.
  4. Internal Assessment and Management Review. The objective of this phase is to objectively evaluate the ISMS and engage management to improve the system. We advocate process-based internal audits rather than simply auditing against the standard. While both will achieve compliance with ISO 27000 requirements, the process-based approach provides more useful information on how well the processes are working and improving your organization. We offer multiple options for completing an internal audit. For many organizations, we lead the initial internal audit with a customer team, which provides an opportunity to learn hands-on from an industry expert. For others, we simply provide training and the audit is done internally by the customer. We support you in planning and holding a successful management review meeting. In that meeting, executive management reviews the implementation of the ISMS, focusing on internal audit results, resources, customer feedback, and the analysis of measurement data. The outcomes of the meeting are to communicate the status of the ISMS and to engage executive management in improving the system.
  5. 3rd Party Certification Audit. The objective of this phase is to prepare you for the 3rd party certification audit. We provide recommendations on qualified registrars, prepare the assessment plan with the registrar, and coordinate the scheduling of the audits. We prepare your external audit representatives and the most likely interviewees to increase their comfort level with typical audit questions.

How long does it take?

At i3 Design and Consulting we specialize in helping organizations achieve their process improvement goals in record time. Most implementations do not need to take 9-12 months, but they do need more than a month. If your organization requires an ISO implementation, you should be planning no less than three months in advance and, if possible, begin your implementation 4-6 months ahead of your deadline. The driving factors in scoping the timing include:

  • Type of Certification
    • ISO 27000 is a more complicated standard to implement. Putting the system in place can often take as little as 4-6 weeks (depending on size and complexity), but you will need objective evidence that the system is operating as intended. For simple systems, this can be as little as 4-6 months. More complex systems will require more time to instantiate and prove use.
  • Scheduling Auditors. Qualified auditors can be scarce depending on the standard. There are firms that will promise an ISO 27000 (or other) certification but are not qualified registrars. For a certification to be considered legitimate (especially for government proposals), you need to make sure the entity is approved by the ANSI-ASQ National Accreditation Board (ANAB).
    • ISO 27000 external auditors are difficult to find and schedule. Scheduling is done through the qualified registrars. ISO uses a two-stage audit process: an on-site readiness review followed by the certification audit. There generally needs to be at least 30 days between these events. At a minimum, you should have your auditor under contract 90-120 days before the certification audit date.
  • Registrar Quality Review. Once the audit is complete, the results must be validated by the ISO registrar before the organization can officially claim its certification. You should plan for 2-3 weeks for these reviews, although they are often completed faster.

Why Use a Consultant?

You don't need a consultant to achieve ISO 27000 certification. However, if you are attempting this standard without outside assistance, it is highly recommended that you have expertise in IT Service Management, ITIL, and information security. Using an experienced consultant can significantly improve the implementation speed and the effectiveness of the system. Our goal is to help your organization improve its business AND ensure you receive your certification. Our approach focuses on improving your current business processes and functions while using the standards as checkpoints to validate your success. For each project we identify measurable goals and return-on-investment expectations. The intent is to make sure that any process changes brought about by introducing the standards into your environment improve business performance.

Scenarios to consider a consultant:

  1. The implementation team has limited experience designing and implementing a new system. To be clear, having worked under an ISO 27000 system is not the same as having designed and implemented a new one. Moving forward with limited ITIL or information security experience is not recommended without outside assistance. Experience with NIST 800-53 auditing and compliance is helpful.
  2. Your company plans to implement more than one standard (now or in the future). If you plan to pursue other ISO standards beyond ISO 27000 certification (such as ISO 20000) or to implement CMMI, then you should consider implementing an integrated management system. This is a complex system design, and the use of a consultant is highly recommended. Making appropriate design decisions in your initial ISO 27000 system design can greatly reduce the cost and rework as you add new models and standards to your management system.
  3. Non-standard implementation. While the standard can be used for any type of work and has been improved over the years, it can be confusing to implement in services-based organizations or when used for back-office functions. Using a consultant with experience in these types of implementations will lower costs and greatly improve the efficiency and effectiveness of the system.
  4. Government contractor. If you are a government contractor, the interaction with U.S. Government regulations can greatly increase the complexity of the implementation. Using a consultant familiar with the regulatory aspects of your business can reduce redundancy across your compliance and quality management systems.

How much does it cost?

We know that companies and budgets vary. As such, we've created multiple consulting options based on our experience working with customers of all shapes, sizes, and situations. Picking the right engagement strategy is often as important as the engagement itself. Make an appointment to talk with us about choosing the best option for your company. If you have already determined your path forward, you can purchase the remote solution and remote consultant options directly on this site and have access to resources today.


ISO 27000 Pay-As-You-Go Consultant

Best option for companies that want a complete solution and only need limited expert consulting.  Assumes a 24-week implementation.

$12,500 or 4 payments of $3,125.00 USD
Available for online purchase

  • Online Resources
    • Word/Visio Process Templates
    • Resource Library
  • On-Demand Training
    • Editable Process Training (.ppt format)
  • Expert Consulting (virtual and online solution) includes:
    • Step-by-Step Weekly Project Plan
    • SharePoint Tools
    • Personal Consultant Assigned
    • Consultant Email and Phone Support
    • Coaching Calls with Consultant
    • Documentation Review

The Pay-As-You-Go Package includes 2 hours of setup, 20 hours of consulting support, 4 hours of coaching, and 8 hours of support for documentation review. Additional hours can be purchased and scheduled as needed directly through the i3 web site.

ISO 27000 Remote Consultant

Best option for companies that want active project management, document development and tailoring, and meeting coordination, but at the lower cost of a mostly remote consultant. Assumes a 24-week implementation.

Make an appointment for a quote

  • Online Resources
    • Word/Visio Process Templates
    • Resource Library
  • On-Demand Training
    • Editable Process Training (.ppt format) or CBT Process Training
  • Expert Consulting Support (virtual and onsite solution) includes:
    • Step-by-Step Weekly Project Plan
    • SharePoint or ServiceNow Tools
    • Personal Consultant Assigned
    • Onsite Gap Assessment
    • Onsite Coaching with Consultant
    • Document Development & Tailoring
    • Internal Audit Support

ISO 27000 On-Site Consultant

Best option for companies that want active on-site project management, document development, and implementation support. Recommended for complex or integrated systems.

Make an appointment for a quote

  • Online Resources
    • Word/Visio Process Templates
    • Resource Library
  • On-Demand Training
    • Editable Process Training (.ppt format) or CBT Process Training
  • Complete Consulting Support (virtual and onsite solution) includes:
    • Step-by-Step Weekly Project Plan
    • SharePoint or ServiceNow Tools
    • Personal Consultant Assigned
    • Onsite Gap Assessment
    • Onsite Coaching with Consultant
    • Document Development & Tailoring
    • Internal Audit Support - Onsite
    • Project Management
    • Support for Meetings and Reviews
    • Implementation Support - Onsite