Frequently Asked Questions
How much does it cost to implement an ISMS and achieve ISO 27001 Certification?
- The pricing is all over the map, and no firm should provide you with specific pricing until they know more about your current state and other factors (see below).
- The amount you invest in your ISMS in order to obtain ISO 27001 certification varies depending on a number of factors, such as:
  - Scope: If you design the ISMS right for your business, you can scope it so that you obtain certification for a smaller scope first, and then leverage your “Proven Process” to increase the scope on your own, or to limit the costs of scope expansion if you go with a firm like Orange Parachute to help you out. For small and mid-size businesses, the scope is usually focused on client-specific requirements, such as the tangible and intangible assets the client shares with you. You can limit this initial scope if it is driven by one client specifically, but still build the ISMS the right way to gain the benefits of a “Proven Process”. Orange Parachute helps you determine the right scope the first time as part of our Phase 1.
  - AVOID: checklist approaches, generic approaches, software/SaaS products, etc. An ISMS (Information Security Management System) is a process approach (not a software product) and should be customized for your business to gain the multitude of benefits that come from great process, not least of which are a risk-based approach, the power of informed decisions, and a sustainable ISMS that meets the spirit and intent of your business vision for brand protection. The only benefit of a checklist or generic approach is the certification itself, and as your clients become more educated and stringent about how they ensure governance over their vendors, it's only a matter of time before you have to completely rebuild your ISMS from scratch because it wasn't done right the first time, which will certainly add to your budget requirements. Why not do it right the first time and position for long-term sustainability, so you can address new security and privacy requirements efficiently and effectively and actually save time and money? As for companies touting software products to assist with ISO 27001 certification: again, it's a process approach, so what we see happen all the time is that those software products become shelfware.
  - Resources/People Commitment: Here at Orange Parachute, we always say that we can work with any budget; the question is how much of the work you want to do on your own vs. how much you want us to do. For businesses that can afford to assign staff to an ISMS implementation effort, provided that staff has the right expertise, more of the work can be done on your end and the cost goes down.
    - Pros: Dedicating more staff to the project is a lower-cost model for your initial ISMS.
    - Cons: It will most likely take longer than 6 to 8 months (we've seen in-house implementations stretch out to 2+ years), so unless you have ample time, it may not fit your strategy for brand protection.
    - Cons: Individuals must either be subject matter experts in ISMS/ISO 27001 OR be available to take direction from your consultant and then apply their own knowledge of security controls and the cultural situation at your business in order to be successful. Unfortunately, this is often wishful thinking, as people usually have a lot on their plates above and beyond the effort required to build and sustain an ISO 27001 certified ISMS. This con is amplified if your dedicated staff doesn’t have a strong background in information security management.
    - Cons: There is always the risk of your internal staff turning over (functional roles change in business quite often). Staff who leave your business, or move into another area of it, take that privileged knowledge with them, which negatively affects your ISMS and puts its sustainability at risk.
What is an ISMS (Information Security Management System)?
A structure (i.e. “framework”) under which to integrate people, process, and technology in order to direct and control the activities required to preserve confidentiality, integrity, and availability of information assets.
How long does it take to implement an ISMS?
For our turnkey solution, we've completed this task in as little as ten weeks; however, the normal timeline is 6 to 8 months. We've seen it take up to 2 years for clients who attempt to design and implement their ISMS on their own, and we've also seen clients fail entirely trying to do it themselves. It's certainly an area most companies wish to outsource, hence the reason our small business exists.
Why would I want an ISMS?
You may already have one, although it may be informal. A formalized ISMS will improve the efficiency, effectiveness, and usability of your security program, resulting in increased program visibility, informed decision making, speed to compliance, and conformance or certification to an international standard (ISO 27001) that is widely considered the fastest growing global standard for validating information security practices and programs. This is just a sampling of the benefits, as there are too many to list here.
What is ISO 27001?
A risk-driven, process-based approach to information security management. It’s also the only internationally recognized standard with auditable requirements to which an organization can certify its information security management program.
What is ISO 27002?
A collection of suggested information security controls with implementation guidance. It is commonly misrepresented as being an audit guide, when in fact it’s a suggested set of controls.
How does an ISMS provide information security metrics?
An ISMS provides the structure and context to produce metrics (i.e. gather metric data, extract information, and provide strategic intelligence). The idea of data/information/intelligence is VERY powerful when discussing metrics that matter. Also, this process-based approach, when applied to an operational area, gives the guidance needed to understand what data to capture, since a process by definition has critical success factors and key performance indicators. The KPI tells us what data (metric) to capture.
What is informed choice decision making?
Decisions based upon facts rather than assumptions.
What is a risk driven approach?
Informed choice decision making based upon risk.
What is a process based approach?
The definition and deployment of business processes with measurable metrics.