Frequently asked questions about for ISO 27001:2013

How much does it cost to implement ISO 27001?

believes that ISO 27001 can be achieved affordably, especially when utilising the tools and features that a platform such as has to offer. When taking into consideration your organisation’s certification budget, you should consider the costs of implementation, as well as the costs of certification. You can find out more about ISO 27001 certification costs here.

Does the platform come pre-configured with the ISO 27001 requirements and 114 Annex A controls structure?

Yes, if you have subscribed to the ISO 27001 solution then your platform comes pre-configured and ready for you to easily follow the requirements and Annex A controls. It saves you time and effort in comparison to setting up your own complicated folder structures, permissions and version controls, which we know from our own experience doesn’t work well in practice. It also means that everyone with access to your online ISMS, including (for example) auditors, can easily recognise the structure and numbering of the standard and gain confidence that the way you are working is more likely to be compliant. And of course, if you are new or improving your approach to ISO 27001:2013 we also provide a set of actionable documentation (things you can use in practice, unlike basic templated documents available in off the shelf toolkits) that give you a head start of up to 77%. With that, you will get great guidance on how to Adopt, Adapt and Add to that documentation for meeting your own business goals. We also pre-configure all the other ISMS elements you need for success; these include risk registers, interested parties map, asset inventory, incident management and corrective action tools, supply chain management, audit and ISMS management reviews. Finally, you can follow our Virtual Coach programme and accelerate your path to success quickly, focusing on what you need to do, without worrying about wasting time on how to do it.

Do I need to buy the ISO 27001 standard and if so, where from?

If you aim to be independently certified e.g. by UKAS, you will need to show the licence for operating to ISO 27001. If you are just aiming to be compliant, not independently certified, then you don’t need to show that licence to anyone. We still recommend everyone buys at least a single user licence (this costs about £100) to ensure they are operating in a compliant fashion. For organisations that are new to ISO 27001 we also suggest purchasing the ISO 27002:2013 guidance (also about £100), as it complements our own Virtual Coach programme. These documents should be purchased through the official ISO store, where you will then get a watermarked licence version downloadable for your organisation’s use: ISO 27001:2013 and ISO 27002:2013. If you have purchased the standards, this can be evidenced in by uploading documents or adding a hyperlink to the standard. This will enable you to display where you were drawing that insight from if asked by an external auditor.

What ISO 27001 documents come with the package?

In summary, our documentation and complementary tools, frameworks and methods give you a head start up to 77% progress, so you can quickly Adopt, Adapt and Add to the solution. Unlike other documentation toolkits you might see online, our package differs as follows:
  • Actionable: Where appropriate we go beyond generic descriptions of policies and controls into also providing you with the ability to demonstrate your work in practice. Every tool, framework and feature on the platform is complemented by a pragmatic policy and procedure. Living and breathing the documentation is the most important part, so it needs to be simple, actionable and easily managed. Without an easy to use technology system around it, you’ll probably get stuck with a bunch of files that are a nightmare to use, organise and control!
  • Addresses Management Requirements: Other document toolkits typically focus on the Annex A controls. Given we take a business led approach to information security, we have a major focus on helping you meet the Management Requirements. comes with all the policies, guidance and tools needed to allow you to quickly complete that with confidence and run the business the way you want to.
  • Up to 77%, not 100%: Much of your ISMS can draw from the proven practices and experiences of others, but some parts will be unique to your organisation and its desired ways of working. Other documentation providers may claim you get everything you need, but in reality you don’t, and you’ll need to change parts to make it work for you. You may also have much of the remaining 23% covered with your existing working practices (e.g. password policies), and find it’s a case of simply documenting them in!
We also offer guidance inside for all Management Requirements and Annex A areas. By following that, and ISO 27002 along with the Virtual Coach resources, you’ll have everything you need to get to 100% quickly.
You will see that any gaps focus around the more technical aspects of ISO 27001 that will be unique to your business. Many of our policies can be adopted straight out of the box. These are more likely to be those around how you manage your ISMS using the features and tools of the platform. You may feel some policies need ‘tweaking’ to reflect your own corporate style and, of course you may choose to adapt them to meet your own approach. Find out more in our short video

Is it possible to see a sample policy or control?

In this example of Annex A 18.2.2, you will see we provide some tips which you can delete once you have understood them. You can also see the use of hyperlinks which are a common feature throughout the platform and reflect our holistic approach to the ISMS. This makes the auditor’s job much easier as they can navigate to relevant areas within your ISMS and can clearly access the whole ISMS in one secure place. In this example, you can also see the small blue icon on the left indicating the Virtual Coach. That’s how simple it is to access expert help when you need it most!

Example ISO 27001 Policy

Where should we start when implementing ISO 27001?

Where you should start with your implementation is one of the most common questions we get asked by those setting out on their ISO 27001 journey. This question is why we developed our ISO 27001 Virtual Coach programme and Assured Results Method (ARM). Included in the Virtual Coach is an excellent ISO 27001 Preparation Project that will give you a level of understanding and context before launching into your implementation where, of course, there is further expert guidance for each of the ISO 27001 requirements and Annex A controls. Virtual Coach utilises our Assured Results Method, our proven path to success for your ISO 27001 implementation activity. ARM provides a pragmatic risk-based approach to your first ISMS implementation. Our tried and tested method takes the best aspects from common practices for fast and effective ISO 27001 success.

Can I use my existing tools for risk management and/or incident tracking?

Yes. If you have already got other systems and specialist tools e.g. for ticket tracking, and want to use those instead of our integrated ones, that is easy to do. Simply adapt any of the policies we have written with our tools in mind (if you don’t already have your own) and then link to your tool instead of ours. Whilst we offer an ‘all in one place’ solution, we also recognise that other applications exist so you can adopt as much or as little of as you need for success.

Can I upload my existing information security risks if they match your fields?

The short answer is yes, and we can help you bulk upload large volumes of risks and map them to our tool if you need that done. The risk tool is so easy to use it takes seconds to add to. You might actually want to take the opportunity of reviewing your existing risks and refreshing them in There is also a comprehensive bank of common risks that you can draw down from with suggested links to Annex A controls. This can save you weeks of work when you are starting out! However, if you have a large number of risks please get in touch to see whether we can script an import programme.

How long does it take to get certified to the ISO 27001:2013 standard?

It depends! Anyone that suggests it might take just a few days to achieve ISO 27001 from a zero start point is probably misleading you, but with the right resource commitment and online solution, it could be weeks rather than months or years. If time is of the essence, then we can always help you speed that up. By using the platform, you can immediately demonstrate to your stakeholders that you are on the road to success – much more effectively than by using anything else. The bottom line is that helps you get to the goal an awful lot quicker and at a lower cost, with fewer specialist resources than other methods.
Considerations affecting the time you need to invest include:
  • Your starting point and experience around information security
  • The complexity of the scope of your ISMS
  • If a compliance or independent certification is required
  • If you have external drivers or internal ones
  • Is it the number one priority for everyone, or will you fit it in when you are not doing everything else?
  • The tools and systems you use for success
If you are seeking compliance alone, then you may want to avoid some of the investments, e.g. the external audits and deem yourselves compliant much more quickly. However, if your driver for achieving ISO 27001 is external, e.g. to meet a customer requirement or part of GDPR assurance, then you are much more likely to need independent certification so those external stakeholders can trust it! Having an online integrated ISMS makes everything quicker and easier to achieve but if the organisation does not treat it as a priority, then expect it to drift. We recognise that other priorities exist too, so have done the following to make your implementation as smooth and as quick as possible:
  • Shown progress and performance at all stages of the implementation – research shows the power of small wins motivates better outcomes more quickly
  • Given you a massive head start with up to 77% progress that you can easily Adopt, Adapt and Add to
  • Complemented this with an always-on Virtual Coach service that is there when you need it, at any time of day or night
As a final comment, the saying ‘married in haste repent at leisure’ comes to mind too. Your most significant investment in the ISMS is going to be in its ongoing management and sustainability, especially if your goal is an independent certification and a trusted, safer organisation. You need an online platform that drives down ongoing management costs and does the heavy lifting on insight, reporting, reminders and other value-add services, so you can make better decisions and limit wasteful administration. Our Assured Results Method (ARM) helps you achieve ISO 27001 success fast and effectively. ARM uses a risk-based approach so you can pragmatically implement your ISMS and achieve certification in a timeframe that suits you. Read our Customer Case Studies to see how we’ve helped organisations just like you achieve their goals quickly.

Can certify my ISO 27001?

We do not offer certification. If certification is your goal, we recommend you obtain independent certification so your customers and other stakeholders can trust it. If you are based in the UK you can find a list of UKAS accredited organisations who are able to provide independent certification. Equivalent certification bodies exist internationally and their sites will also offer a list of accredited auditors. For example, in the US it is ANSI-ASQ National Accreditation Board (ANAB). We suggest you speak to 2 or 3 organisations on the list, looking to see how much experience they have in your sector and with organisations of your size, and where they are based (which will affect things like expenses for onsite audits). It is important to select an external auditor who would be a suitable match for your profile, otherwise you might find they are too expensive and not empathetic to your sector or size idiosyncrasies.

Be aware – there are non-accredited firms that will provide organisations with a ‘certificate’, typically after having sold them a bunch of policies or consulting work first! You wouldn’t expect someone to be able to mark their own homework and have that trusted by others, so please avoid these types of certificates. They really are not worth the paper they are written on, and smarter buyers (perhaps your customers) will not accept anything other than an independent certification, meaning you will have potentially wasted time and cost.

What is the difference between accredited and unaccredited (UKAS/non UKAS) ISO 27001 certification?

You may be seeking certification of your ISMS to the ISO 27001 standard. There are many organisations that offer a certification service. But not all Certification Bodies are created equal! It is possible for any unaccredited organisation that has knowledge of Information Security Management to audit your ISO 27001 and award you a certificate. However, this will not satisfy more savvy buyers, particularly if you are engaging in business with the UK government. They will be looking for an accredited certification. In the UK, the only recognised accreditation body is United Kingdom Accreditation Service (UKAS). In the US it is ANSI-ASQ National Accreditation Board (ANAB). If offering the assurance that you can be trusted with information security is important to you, make sure the Certification Body you choose is accredited. Lists of accredited Certification Bodies are available on the UKAS and ANAB websites as above.

Can you implement ISO 27001 for us?

We certainly take a huge amount of the legwork out of implementing ISO 27001, giving you a step-by-step method to follow and many of the requirements, policies and controls to easily Adopt, Adapt or Add. We also save you a huge amount of time versus building your own ISMS and ensure you have a simple pragmatic way to manage your ISMS on an ongoing basis. You can even opt for our effective Virtual Coach Programme that provides expert implementation guidance, eliminating or reducing the need for expensive consultancy services. And if required we and our partners can also provide that consultancy and delivery support (less expensively of course, not least because you need much less of it!) Paying lip service to information security is not an option for achieving a certified ISMS, so your leadership will need to ‘demonstrate’ management commitment to it (which we also make far easier with collaboration tools). It will also need to provide access to relevant resources in the company to ensure your policies and controls reflect the relevant culture and risk appetite. If your organisation does not have the capacity or desire to actively manage your ISMS then using a Virtual Chief Information Security Officer (VCISO) is simple with Simply ‘team’ them into your ISMS and the rest can be done remotely or at least with very infrequent onsite activity. Increasing numbers of our partners are developing VCISO services through so get in touch if you’d like to learn more about that.

Do I get ISO 27001 consultancy?

Perhaps a better question is, ‘do I need ISO 27001 consultancy’? Unlike some other ISMS services on the market, you don’t have to pay for any consultancy if you don’t need it. You’ll want to ensure that you have the Confidence, Capability and Capacity to successfully implement your ISMS and we can help with all of those over the whole life if you need it, without a consultant in sight! Joking aside, we see 3 areas where consultancy help might be required:
  • Confidence issues: Follow our Virtual Coach Programme and implement in the manner we suggest and you’ll see that confidence grow very quickly. Optionally complement the Virtual Coach with other physical support too.
  • Capability issues: There are lots of acronyms, strange language and other mysterious issues that might cause you to think you are not capable. Virtual Coach and the materials inside will mitigate a large amount of the capability issues, and if you need further help, just get specialist help by exception from us or one of our partners.
  • Capacity issues: We’ve done all we can to help save time and keep your resource investments to the ‘must do’ aspects that are unique to your organisation. If capacity is still an issue, or you perhaps want to outsource more of the implementation or ongoing support anyway our partners can help there too.

Do I need to go on the ISMS Lead Implementer Training Course?

Of course, it is advantageous, but it isn’t necessary. We’d suggest you reconsider the effort and expense of an ISO 27001 lead implementer course. There is an alternative approach that will increase your confidence and capability to achieve your ISO 27001:2013/17 certification goals faster, and at a fraction of the cost of alternatives. We call it the Virtual Coach. Virtual Coach has been put together to help you work at the pace you want to progress your ISO 27001 implementation. It is always available online, 24/7, directly inside Right there when and where you need it during your delivery activity, whether working alone or in a team. If you are interested in what the Virtual Coach has to offer, book a chat with us.

What happens if we ‘fail’ an audit?

Failure is a big word, and while there are firms out there that will sell on fear of failure, we see hope as a better way – and that old saying of ‘failing to prepare’ rings loud for your ISMS. If you have a systemic issue (e.g. complete lip service to your ISMS policy stuck on a shelf somewhere) then the failure of an audit is more likely, but there are levels of failure, and you’d be going some to fail completely! There are different types of audit and different severity levels within audits that could lead to failure of different types. Let’s just break them down a bit to understand what ‘failure’ could mean:

Internal audits: You’re expected to undertake internal audits through the lifecycle of your ISMS to demonstrate it conforms to the requirements and is delivering on its promise. ISO 27001 9.2 covers that off. If you need an external audit for independent certification, not doing the audits will likely lead to a significant non-conformity failure – so please do your internal audits! As it says on the tin, these audits are internal, usually conducted by your resource. So you also have the chance to cheat and not ‘fail’ them if you want, but cheating is not a good idea! The aim is to also treat these exercises as learning opportunities as well as celebrating success for things working well.

External Auditors will want to also see the results of your internal audits and perhaps drill into some samples. They will quickly smell a rat and dig deeper if you have no issues reported at all. You can follow the language of external auditors in your findings and talk about minor/major non-conformities, corrective actions, observations and broader improvements. If you are using you’ll be able to follow our pragmatic internal audit policy, use the audit area to show your workings, and link that easily to the corrective actions and improvements Track if you need to conduct more significant action post-audit.

External audits: Unless you have given the right to audit to a customer, we’ll assume that your external audit is for ISO 27001 independent certification. The external audit follows a lifecycle and includes:
  • Stage 1 audit
  • Stage 2 audit
  • Surveillance audit
  • Re-certification audit
At any stage, an auditor could ‘fail’ you in this journey, but it’s rarely a straightforward fail unless you are missing something fundamental in your ISMS or your ISMS has not been managed very well over its life. We have helped mitigate both those factors by architecting the environment to help you focus on the things that matter and clearly show your progress.

Stage 1 audits are looking more at the desktop review of your ISMS, and asking some of the fundamental questions about the goals and checking that you have the right intent, scope, leadership commitment etc. They will want to be sure that your ISMS is complete in terms of describing the requirements, objectives, risks, information assets, policies and controls, statement of applicability etc. They will want to see that your early-stage activity around the ISMS is working, e.g. management reviews are being undertaken, staff managing the ISMS are trained and competent. Feedback comes in the form of a report with levels of ‘failure’ in the language of non-conformities, minor, major and more general opportunities for improvement. You might get a clean bill, or be asked to make a few changes before progressing. It can be scary like sitting your driving test, but remember you are in a great place to demonstrate you are in control of your ISMS. Assuming you get through that then you go to Stage 2 audit.

Stage 2 audits are where the external auditor is testing and examining your ISMS in practice. This audit includes sampling your audits, reviews and incidents, undertaking interviews and observations with staff in scope, testing processes to see they demonstrate what was described in the ISMS policies and controls. For this reason, it is so vital that you have actionable policies and controls, designed to work the way you want to, securely. If your ISMS has inconsistencies in the description of policy and demonstration of practice, then you’ll see those non-conformities appear. The severity of the non-conformity and the number of them in total is what will lead to an auditor giving you a certificate and time to improve certain parts for the next surveillance audit, or deciding not to issue a certificate at all, i.e. failure.

Surveillance audits are more like Stage 2 audits and will have focus areas where auditors are being asked to look more deeply, e.g. around supply chain, GDPR related matters etc. And then the cycle goes again with a more in-depth re-certification audit at the 3rd year.

None of this should be surprising or hard to achieve successful outcomes if you are following the management practices in and have developed your ISMS policies and controls with your culture and the end users’ needs in mind. All of the above and more is covered in our Virtual Coach programme. If you need any further help at any stage of your implementation, we are available with simple and flexible support packages to suit the requirement.

What should be included in a Management Review?

ISO 27001:2013 9.3 clearly describes what goes into a management review, but still many people forget to cover those things off or show their records well enough. In our experience, it’s about getting two things right:
  • Content
  • Process
In terms of content covered in the review, ISO 27001 9.3 says the management review shall include consideration of six elements as follows:
  • The status of actions from previous management reviews
  • Changes in external and internal issues that are relevant to the information security management system
  • Feedback on the information security performance, including trends in:
    • Non-conformities and corrective actions
    • Monitoring and measurement results
    • Audit results; and
    • Fulfilment of information security objectives
  • Feedback from interested parties
  • Results of risk assessment and status of risk treatment plan
  • Opportunities for continual improvement
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. When ISO says ‘shall’ it generally means ‘must’ and when it says ‘consideration’, it means you must be showing your working on those six elements and retaining evidence as documented information.

Frequency of management reviews is important as well. Too frequent and it’s costly to run if you have to bring everyone involved together for meetings and production of reports etc. Whereas too infrequent and you are probably losing control of your ISMS. You will suffer either in having assets at higher risk, or end up with a more significant maintenance overhead than a ‘little and often’ alternative would deliver. There is no requirement for the maximum frequency, but the minimum frequency for a formal ISMS Management review is annual.

If you are running an ISMS online with all those areas covered as part of your integrated system, the actual process of conducting the Management Review becomes easy too. also has pre-configured workspaces where you are encouraged to follow the management review agenda that aligns with ISO 27001:2013 9.3, and you can quickly link to evidence from the initiative areas, saving a considerable amount of time in the production of reports. One of the other things that work well with is the work that gets done in preparation for management reviews, online discussions, tasking, external documents being uploaded to aid decisions, and a future schedule of reviews. All the actions and decisions are easily noted too – no need for tedious reports and minutes to follow weeks later; it all happens in real-time. The auditors love to see that level of engagement and take great confidence from the process and content demonstrating your ISMS is working.

What “Roles” are required by ISO?

ISO 27001 is a management system for organisations of any size, from 1 person up. It therefore does not dictate the specific ‘roles’ required although there are information security management responsibilities that need to be allocated. Many organisations integrate these responsibilities into existing roles, and others may decide that it deserves specific attention on its own. Other initiatives like GDPR can also be factored into the work too as there are many overlaps. Roles and responsibilities take on two forms during the life cycle:
  • During first implementation to get to a steady state operation
  • Ongoing management and delivery of the ISMS thereafter
You’ll want to ensure that you have the Confidence, Capability and Capacity to successfully implement your ISMS and we can help with all of those too over the whole life if you need it:
  • Confidence issues: Follow our ARM approach using guidance from the Virtual Coach Programme and implement in the manner we suggest and you’ll see that confidence grow very quickly.
  • Capability issues: Virtual Coach, and the materials inside, will mitigate a large amount of the capability issues. If you need further help, get it by exception from one of our partners or us.
  • Capacity issues: We’ve done all we can to help you save time and keep your resource investments to the most critical work. However, if capacity is still an issue, or you want to outsource more of the implementation, or get support with ongoing management (e.g. as a virtual CISO), our partners can help.

What coverage is included if an updated version of the standard is published?

The current version of ISO 27001 remains the 2013 variant. That is the 27001 version we have developed around today and we will continue to update the services as and when changes or new variants are released. You’ll have the option of staying with the current variant or migrating as and when new versions are released. This could be as simple as you tweaking existing frameworks if changes are minor, or for more substantial changes we will look to offer help to customers and keep your costs of change to a minimum. After all, we will also need to migrate our own ISO 27001:2013 certified ISMS too! Bear in mind that ISO is well versed in evolving its standards and migration periods can be 2-3 years meaning plenty of time for a shift if you need a bit longer to change.

Does provide ISO 27001 training or support?

The platform’s full of content that explains ISO 27001 and shows you how to meet its requirements. It’s simple, easy to use and created by experts. You won’t need external training because you’ll be training yourself as you move through it. So instead of spending your time puzzling out your next steps, you’ll race ahead to first-time ISO 27001 success. And we’ve made sure it’s all surprisingly affordable too.
  • Our Assured Results Method guides you through every step of the ISMS creation and certification process
  • Our optional Virtual Coach gives you context-specific advice and support whenever you need it
  • Our Adopt, Adapt, Add content starts you off with 77% of your ISMS documentation already completed
  • Friendly, helpful ISMS support teams you can chat to from within our platform (or just call up)
  • ISO 27001 experts on call if you need them, to fill in any knowledge or confidence gaps
  • Simple, powerful management tools, making it easy to show just how effective your ISMS is

Does provide templates or toolkits?

ISMS templates and toolkits have their benefits, but they can also be confusing and hard to manage.’s simplified, secure, sustainable platform gives you so much more than they do, including a full support wrap, built-in management tools and a clear path all the way to certification. So instead of spending your time puzzling out your next steps, you’ll race ahead to first-time ISO 27001 success. And we’ve made sure it’s all surprisingly affordable too.
  • Our Assured Results Method guides you through every step of the ISMS creation and certification process
  • Our optional Virtual Coach gives you context-specific advice and support whenever you need it
  • Our Adopt, Adapt, Add content starts you off with 77% of your ISMS documentation already completed
  • Friendly, helpful ISMS support teams you can chat to from within our platform (or just call up)
  • ISO 27001 experts on call if you need them, to fill in any knowledge or confidence gaps
  • Simple, powerful management tools, making it easy to show just how effective your ISMS is