How to Migrate Your ISMS to

Having made the decision to improve your ISMS and identified the future benefits of doing so (perhaps using our business case builder materials), the next questions are likely to be more practical: how much of the ISMS to change, when to make it happen and what steps to take.

Moving to is simple, and migration can take very little time: a quick ‘lift and shift’ approach gets you to better ways of working in minutes, hours and days, not weeks. Alternatively, it can be a great opportunity to take a slower approach to change and review parts of the ISMS as the migration takes place over time, e.g. reworking policies, risks and other areas for a fresh approach to the whole ISMS, not just the technology and administrative management.

These general approaches are described further below and, of course, there are always other options in between too. It’s faster than switching your utility supplier, and we can help you as much or as little as you need. Joking aside, even though adopting is quick and easy, we recognise that there can be a fair amount to do when changing an ISMS, so we have set out to make it as easy as possible on the platform and to help you as much or as little as you need in transferring any information you’d like to move into our service.

Unlike other technology systems, there is no need or expectation for any on-site consulting or extra cost either. If, however, there are capacity constraints and a need for extra help during the change, our partners can help too, from low-cost administrative resource for shifting content from one system to another (where it cannot be data-mapped and migrated) through to technical experts and specialist ISO advisers. Organisations can also ramp up additional users and add-on features when required, avoiding expense or waste until they are needed.

What are the Triggers and Drivers for Migration of an ISMS?

In addition to good continuous improvement in line with ISO 27001 and other standards, we’ve identified a few triggers that might compel an organisation to improve its ISMS and migrate to  These triggers are also likely to dictate the pace of change and how a migration might take place. Examples of triggers for change and moving to an all-in-one-place ISMS we’ve seen include:

  • External drivers, including more standards to maintain and more regulations to demonstrate compliance against. There are more people to involve and more coordination to do (usually with less time for the person or people responsible for managing the ISMS).
  • A desire to achieve a formal certification such as ISO 27001, meaning a need to demonstrate more transparency, visibility and control of the existing management system (which is much harder with lots of documents, spreadsheets, papers etc. to keep up to date manually). Smart customers and more assertive certification auditors are seeking much more assurance than before.
  • General improvements as the organisation changes and grows. The ‘homegrown’, self-developed SharePoint, Google or folder-driven ISMS that has worked until now needs to be upgraded or changed as it causes compliance and control challenges and higher maintenance overhead.
  • Existing ISMS software is too expensive, or the product is too hard to use for infrequent users. Maybe the supplier is not maintaining or updating its feature set, or perhaps the application is not secure enough to meet your needs as cyber crime and customer demands increase.
  • ISO 27001 certification stage 1 failure, stage 2 failure, surveillance audit non-conformances or recertification requirements. Receiving a bunch of non-conformances, corrective actions and improvements might not be easily addressed without a wholesale change, and it’s a good time to take a step back and consider whether implementing a new service will get better overall results.

When to Migrate the ISMS and how to do it?

The migration timelines are going to be determined by your triggers or drivers for change. In simple terms, there are two logical approaches: the Urgent and Important Fast Initial Change, and the Important Slower Overall Change.

Option 1 – Urgent and Important Fast Initial Change

When there is a more urgent need for change, we generally suggest a pragmatic ‘lift and shift’ to address the immediate issues and achieve quick wins whilst retaining what works now too. This builds momentum, gains the buy-in of the stakeholders quickly and shows interested parties that action is being taken where it is needed most. As is visible and transparent, with built-in progress tracking, it is easy to show the work being done too. We then suggest the organisation continues improving beyond the immediate issues in a normal improvement cycle more befitting the organisation’s culture, resources and need for change. This can be done very quickly too: minutes, hours and days, not weeks.

For example, an organisation came to us shortly before a recertification audit, having almost forgotten that their previous audit had stated numerous reasons why their existing ISMS was close to failure and needed improvement. They knew they would fail if they did not take some action quickly. We showed them how much was achievable in that time (a lot), they got started almost immediately afterwards and achieved their recertification goal in days.

Inside that very short window they quickly:

  • Migrated all their existing, poorly coordinated and badly managed (yet still relevant) documentation on to – at that stage retaining the old Word documents and Excel sheets, but demonstrating they were being controlled and managed more effectively with reviews, approvals and simple reminder processes.
  • Closed gaps and issues where they saw policies and practices could be improved by adopting and adapting actionable documentation – these included a better risk methodology, security incident, corrective action and improvement trackers, as well as the preconfigured information asset inventory.
  • Subscribed to the supplier management feature, added basic contract and contact details for all their key suppliers, and adopted the proposed policy for supplier management in Annex A 15.1. It immediately addressed an issue raised in their earlier audit.
  • Switched to our inbuilt risk map and treatment plan instead of their Excel sheet. Given the urgency, they added the more significant risks, relating them to the information assets and connecting them to the existing policies they’d uploaded or adopted.
    The old risk map was uploaded for audit reasons and (initially) for lower likelihood and impact risk work. An improvement was captured on the Corrective Actions & Improvement Track to demonstrate to that further risk migration work was being done over time, and the core goal (from a previous audit) of improving the approach to risk management was achieved. All risks then had treatment clarity, reviews planned, owners assigned etc. in line with the ISO 27001 standard.
  • Automated the Statement of Applicability and moved away from an awful, hard to understand or control Word document. At one glance the auditor would see they are in control of their SoA.
  • The customer continues to use the service and has evolved its use over time to avoid old ways of working; it now includes other features we have developed since they started, such as the staff compliance Policy Pack service and the new ISMS overview reports.

Option 2 – Important Slower Overall Change

If the need for change is less urgent, a more considered and thoughtful approach can be taken. For example, one customer wanted to avoid contaminating their shiny new with old documents and took its time over the change, aiming to get small amounts done regularly but not intensely. They planned, then reviewed, each of the old documents (one of which was over 100 pages long – and the manager responsible admitted it had probably never been read by anyone but her). Converting that content into digestible, meaningful policies accessed via Policy Packs has improved their staff engagement and compliance significantly (meaning they are a much safer organisation as a result, and their incidents have dropped significantly). The ISMS management also took the opportunity to reconsider all their risks, information assets and work lost in old spreadsheets. They took advantage of the better ways of working and now have meaningful risks to manage against up-to-date information assets, with clarity on the policies in place to ensure protection. At every stage of the migration it was clear to see how far they had got, as the progress reporting and visual nature of the platform shone a light on where they were and what was left to achieve.

How much of the ISMS should you change?

Whilst offers an all-in-one place for success with information security management and compliance, we recognise that many improvers and experts have parts of an ISMS that already work well. As such is modular, meaning you don’t have to subscribe to (or use) everything, and you can easily add your own tools and methods inside and alongside it too. For example, if you already have an effective security incident policy, procedure and tool, that’s great: you can use that instead of our pre-built approach and link it up with  It is the same with other parts of the platform too.

Whether you are going for a fast change or a slower move over time, you’ll have the ISMS in a state of change for a period. has date and time stamps, controls and visible means of seeing when work started in the platform, so that’s great for showing when change actually happened. We suggest you also summarise key milestones as part of your management reviews, e.g. switched to Supplier Management in from February 2018. Where appropriate, it could also make sense to break down specific areas of improvement or change into improvement items in line with clause 10 of ISO 27001 (the auditors will love you for it – but you probably knew that before we did).

Everyone we helped go for an ISO 27001 audit passed first time. You could too.
