Are you looking to implement ISO 27001 for the first time in your organisation? Perhaps you also need an independent certification against the recognised information security standard to satisfy your customers and external auditors?
With many moving parts and lots of common mistakes associated with building an information security management system (ISMS) there is help at hand. But with so much help just a mouse click away, it is important to find the right ISO 27001 implementation solution for your learning style, career goals and organisational delivery needs.
Searching online for ways to learn how to implement ISO 27001, you’ll encounter a popular approach called the Certified Lead Implementer ISO 27001 course, and related programmes such as Implementing ISO 27001.
Lead implementer courses for ISO 27001 are offered by numerous information security training organisations and advisory firms. Some of these lead implementer courses are available online and some are classroom delivered. What they both have in common is that they are generally intensive, expensive and typically offer a ‘qualification’ from an exam at the end. Fees range from around £1,500-£2,500 per person, taking between 3-5 days to complete.
When we did our own ISO 27001 implementation back in 2011 it became clear we could spend a lot of money and time on the theory side including getting some of the team trained up. Fees were not quite as high as they are now but we could have easily spent several thousand pounds, and lost many days out, as we wanted everyone on the same page for the implementation.
Having considered the options at the time we decided to ‘action learn’, i.e. teach ourselves whilst on the job and ensure the ISMS solution fitted the way we wanted to work. After all, we are business professionals used to implementing projects and the standard seemed to be straightforward, even if there was lots to it (about 140 activities in fact!). At the time none of us anticipated that we’d end up doing another implementation or wanting a career implementing ISO 27001 information security management systems. How wrong we were, but more of that later!
What is typically included in an ISO 27001 Lead Implementer course?
You’ll encounter variations on the theme but generally an ISO 27001 lead implementer course will cover the following topics:
- Understanding information security management
- Understanding information security management systems (ISMS)
- Benefits and purpose of an ISMS
- Key concepts and language, glossary of ISO 27001
- Requirements and Annex A controls within ISO 27001
- Understanding ISO 27002 and how it fits with ISO 27001
- Implementation options for how to build an ISO 27001 certified ISMS
- Project planning and work breakdown for ISO 27001 implementations
- Preparing for ISO 27001 ISMS Stage 1 and Stage 2 audits
- Continual improvement and ongoing monitoring of an ISMS
- ISO 27001 lead implementer multiple choice exam and CPD points
The courses are usually quite intensive and PowerPoint slide oriented, led by the tutor, with some group work if it is a classroom-delivered programme. One 3 day course we reviewed had around 500 very text heavy slides, so the phrase ‘death by PowerPoint’ came right to the forefront of my mind! That is a new slide being presented every 2 minutes. It has little chance of being retained at the time, let alone being recalled during the actual implementation some time in the future!
Looking at the pros and cons of ISO 27001 Lead Implementer courses
Whilst this approach doesn’t reflect my preferred learning style, and we found better returns for our limited budget, it no doubt works for some. So what are some of the other pros and cons of ISO 27001 lead implementer and implementation courses?
What are the benefits of ISO 27001 Lead Implementer courses?
- A chance to learn from an experienced practitioner tutor*
- Workshop with other newcomers on thorny topics (in the classroom)
- Receive a lead implementer study guide or ‘manual’ on ISO 27001 implementation (some of the PPT slides)
- Get a certified ISO 27001 lead implementer qualification and certificate at the end if you pass the exam**
*If you opt for this approach remember to check that the tutor is an experienced practitioner and has kept their implementation experience up to date given new ways of working.
**Check ISO 27001 lead implementer exams, qualifications and certificates are worth the paper they are written on too. Some organisations mark their own homework and issue certificates themselves or through companies that might not be well recognised.
For those looking at doing multiple implementations in the future, having the certificate and qualification may be a benefit on the CV in job searches. However, for information security professionals there may be other certified courses for ‘business as usual’ practices that offer a better RoI. For other business professionals who are not looking for a career in ISO 27001 implementations, the cons may outweigh the pros.
What are the downsides of ISO 27001 Lead Implementer courses?
Aside from the death by PowerPoint comment above, and unproductive time in the classroom waiting or on breaks, some of the more obvious cons we found when exploring lead implementer courses include:
- ISO 27001 lead implementer courses are expensive for one person (let alone a team) both in terms of the direct cost, time out of the office and expenses involved if offsite classroom training is chosen.
- ISO 27001 espouses the importance of leadership and team working; it should be business led and affects the whole organisation. Just training up one individual as a lead implementer to then cascade those 500 slides and 3 intensive days into bite sized chunks for other team members is a recipe for failure or frustration.
- In lead implementer courses you learn lots of good but generic information about implementing ISO 27001. You’ll need a management system as part of the implementation and without that practical consideration the course may remain quite theoretical.
- Some of the ISO 27001 technology is only partially complete, and the documentation toolkits aligned with lead implementer courses may well be out of date or inappropriate for your organisation, so you risk implementing old-fashioned methods.
- Understanding concepts like the Statement of Applicability is very important. However, the methods used to prepare and produce them have changed and can be simplified massively with technology, avoiding the need to waste precious time.
- You still have to do the ISO 27001 implementation and may want to refer back to the learning materials. That is not so easy if they are dissociated from the way you are implementing in your organisation.
In summary, whilst there are some benefits from ISO 27001 lead implementer courses, the downsides can make them an unattractive and frustrating investment. Bringing in specialist consultants may also be an option for capacity-constrained organisations, but in ideal circumstances you’ll have the learning materials to hand as you actually go through each step of your ISO 27001 implementation.
You’ll want something that can keep the whole team on the same page, something that does not cost a fortune for an exercise your organisation hopes to do only once, succeeding on the first attempt.
Why should you be penalised for having more people involved in the implementation? After all, the standard encourages it, your business risk will reduce as a result, and it enables the lead implementer(s) to share their experiences. They can debate practical implementation with their work colleagues, rather than theorise academically with individuals from different organisations.
What alternatives are there to ISO 27001 Lead Implementer courses?
Alternatives include doing it yourself and action learning in the way we chose to 8 years ago. Hiring consultants and physical coaches is another option, perhaps more suitable than lead implementer training if you are capacity constrained and budget is less of an issue. Of course you still need to fully understand and own the information security management system to avoid expensive ongoing consulting fees, and you will need to show that the leadership and spirit of the ISO 27001 standard are being applied to succeed in external audits.
Fast forward 8 years and there is now another alternative too. I mentioned before that we didn’t anticipate doing more than one ISO 27001 implementation. However, our business strategy changed and we developed ISMS.online, with all its powerful features and complementary ISO 27001 documentation that is easy to adopt, adapt and add to during an implementation. That makes a great difference to ISO 27001 implementation and ongoing management success without any other investment. What became clear, though, is that we were still missing something for organisations with staff who had never been involved in an ISO 27001 implementation before.
Rather than simply build a lead implementer course ourselves and encounter the downsides above, we reimagined the goals, which are not just about implementation; that is just a part of the journey. The organisation’s goal is a certified ISMS that its stakeholders can trust and which delivers on its business case promise, ideally at a lower total cost and risk than the alternatives.
So we looked at how we could help achieve that goal and overcome the downsides of lead implementer courses. We also wanted to ensure that any physical consulting or coaching investments were at the high value add end, not wasting precious budgets on things that can be automated and where possible have knowledge transferred in lower cost, sustainable ways.
This ISMS.online website includes a lot of free resources to help the journey for newcomers, trying to demystify much of what has been out of reach in the past. Building on that and ISMS.online itself we developed the Virtual Coach, a complementary ISO 27001 implementation support service that helps organisations achieve the goal of an ISO 27001 certified information security management system. Check out our Virtual Coach and see if that is a better alternative for what you are trying to achieve.