You have been told...
that the implementation of an ISMS can be accomplished quickly?
that you only need a few policy templates?
that ISO 27001 is almost identical to ISO 9001?
that effective risk management can be implemented quickly?
that you do not have system and/or software development in the company?
Then please be skeptical! Introducing an ISMS based on ISO 27001 always involves considerable effort, and that effort is influenced by many factors. The costs of implementation vary as much as the organizations and their business areas do. Unfortunately, this individuality applies not only to the introduction but also to the operation of an ISMS. Despite the many factors, the effort can be roughly estimated if certain uniform parameters are taken into account. Below I discuss the uniform parameters I have identified in my work and give you an initial orientation for a rough estimate of the effort.
For better comprehensibility, I would like to point out that the introduction and maintenance of an ISMS always takes place in steps and can be divided into the following sections:
Initial work
Regular work
Before implementing the ISMS, management must determine who will be responsible for introducing and maintaining information security in the company, what rights and obligations this role carries, and who will deputize for them. This role is usually referred to as the information security officer (ISO) and sits outside of IT, because it monitors the work of IT. Furthermore, information security is the discipline overarching data protection and IT security: data protection focuses only on the protection of personal data and IT security on the security of IT systems and the data processed on them, while information security holistically addresses all of a company's assets that are worth protecting (information, data, processes, systems, people, products, tools, buildings, properties, etc.).
For this reason, the ISO should report directly to management, both organizationally and in disciplinary terms, and should hold or obtain one or more recognized qualifications in the field of information security before starting work:
ISO 27001 Lead Implementer (PECB, BSI Group, etc.)
Certified CISO/ISB (TÜV, Bitkom, etc.)
Certified Information Security Manager (ISACA)
Since the introduction of an ISMS also involves creating guidelines, directives, work instructions, concepts or similar specifications in the context of information security, the author of these documents should always take the following basic steps into account during their work and repeat them whenever the subject area changes. Only then can specifications be created efficiently and adequately for the organization:
Identify generally accepted best practices in the subject area as well as the legal, regulatory, industry-specific, corporate and contractual requirements that affect the specification to be created.
Identify the interested and affected parties and, from them, the scope of the specification to be drawn up.
Research and record the current status of the relevant topic area in the organization and the affected business processes.
Together with my introduction, this brings us full circle, because without sufficient qualifications it is difficult or even impossible to know these best practices and take them into account.
Basis of the estimate
Since the effort is significantly influenced by factors such as the number of employees, the heterogeneity of the IT landscape and IT processes, the number of locations and the proportion of IT applications with confidentiality and high-availability requirements, my estimate assumes the following:
Homogeneous IT landscape and IT processes, no other locations and IT applications with only normal confidentiality and high availability requirements.
Average risk landscape.
Templates are used to create guidelines.
Tools such as risk management software, asset database program, SIEM, computer based training software, etc., are not used.
Consulting services are not used.
The activities I have mentioned are deliberately aimed at a practical implementation of the ISMS and therefore go beyond the basic requirements of the standard.
Initial work of the Information Security Officer (ISO)
Initial activity of the information security officer (internal effort in person-days (PD), using templates) | Company with 25 employees | Company with 100 employees | Company with 5000 employees |
--- | --- | --- | --- |
Establish and approve a document control procedure and records management guidelines. | 2 | 3 | 5 |
Determination, definition and description of the ISMS scope. (based on ISO 27003) | 2 | 3 | 4 |
Creation and release of an information security policy that takes into account the corporate objectives, business and IT strategy in the information security objectives and defines the global information security requirements within the company. (including improvements) | 2 | 3 | 5 |
Establishment and approval of a methodology for risk assessment and risk treatment. | 3 | 5 | 8 |
Carrying out a comprehensive risk assessment based on the defined methodology. | 8 | 10 | 20 |
Preparation of a statement of applicability. | 2 | 2 | 2 |
Preparation and coordination of a risk treatment plan. | 8 | 10 | 15 |
Initiate and control the recording of all assets. | 2 | 3 | 5 |
Identification and confirmation of asset owners. | 0.5 | 1 | 3 |
Creation and approval of guidelines for the classification of information and assets. | 2 | 2 | 5 |
Determining who may use the assets and how. | 2 | 3 | 8 |
Creation of appropriate guidelines for physical access, system access and data access. | 3 | 5 | 8 |
Establishing guidelines for the use of mobile devices, home offices and private devices. | 1 | 1 | 3 |
Establishing guidelines for the use and creation of passwords. | 0.5 | 1 | 3 |
Determination of monitoring and measurement results in the ISMS context. | 1 | 1 | 2 |
Establishment of guidelines for conducting internal audits and creation of an audit program for the coming years. | 1 | 1 | 2 |
Conducting a full internal audit and preparing reports. | 4 | 5 | 6 |
Conducting a management review and documenting the results. | 1 | 1 | 1 |
Evidence for recording nonconformities and corrective actions taken as well as the associated process description for determining, implementing and evaluating corrective actions. | 1 | 1 | 3 |
Control logs of security-related user activities, security events and security incidents. | 2 | 3 | 5 |
Control of documentation of evidence of training, skills, experience and required qualifications of the persons working within the scope of application. | 0.5 | 0.5 | 1 |
Preparation and control of training and awareness-raising measures in the context of information security. | 3 | 5 | 10 |
Determination and approval of guidelines for the disposal and destruction of assets. | 0.5 | 1 | 2 |
Creation of guidelines for working in security areas (areas with assets that require protection). | 1 | 1 | 2 |
Determination and approval of requirements for tidy workplaces and measures when leaving the workplace. | 0.5 | 1 | 3 |
Creation and approval of guidelines and procedures for change management. | 2 | 3 | 7 |
Establish and approve policies for backup creation, protection, transportation, storage and methodology. | 1 | 2 | 3 |
Recording of all paths for information transmission within the scope of application and determination of permissible use. | 3 | 5 | 9 |
Establishment and approval of processes, procedures and measures to maintain information security in adverse situations, embedded in the organization's business continuity management system. | 3 | 5 | 15 |
Documentation/creation of the exercise plans, test plans, maintenance plans, review plans and evidence of implementation contained in the Business Continuity Management System. | 6 | 10 | 20 |
Estimated initial effort in person days (PD): | 69.5 PD | 98.5 PD | 183 PD |
Note: This is only a rough overview of the activities!
Initial work of the organization
Initial activities of the organization (internal effort in person-days (PD), without tool support) | 1000 assets | 5000 assets | 10,000 assets |
--- | --- | --- | --- |
Identify and record assets in a database/registers. (Asset Owner; manual; 10 minutes per asset) | 20.5 | 104 | 208 |
Allocation of responsibilities and classification of "disputed" assets. (Asset Owner) | 0.5 | 1 | 3 |
Estimated initial effort in person days (PD): | 21 PD | 105 PD | 221 PD |
Note: This is only a rough overview of the activities! By using tools and establishing uniform procedures, synergies can be achieved. Management should set a criticality level above which assets must be recorded and protected.
Regular work of the organization
Regular activities of the organization (internal effort in person-days (PD) per year, without tool support) | Company with 25 employees | Company with 100 employees | Company with 5000 employees |
--- | --- | --- | --- |
Updating the asset database/asset registers. (Asset Owner; approx. 4x per year) | 4 | 8 | 40 |
Carrying out an event-related risk assessment (Asset/Risk Owner; approx. 10x per year) | 5 | 5 | 5 |
Conducting internal ISMS audits. (Qualified and independent auditor; approx. 1x per year) | 4 | 5 | 6 |
Checking compliance with technical specifications. (IT security; approx. 4x per year) | 4 | 8 | 20 |
Conducting regular backup recovery tests. (IT operations; approx. 4x per year) | 2 | 3 | 16 |
Evaluation of logs of security-relevant user activities and security events (IT security; approx. 12x per year) | 12 | 20 | 64 |
Checking and documenting compliance with security policies and standards as well as any other security requirements. (Manager; management span 25; approx. 4x per year) | 2 | 5 | 200 |
Updating evidence of training, skills, experience and required qualifications of persons working within the scope of application. (Human Resources Department; 4x per year) | 2 | 4 | 12 |
Implementation of the exercise plans, test plans, maintenance plans and review plans contained in the Business Continuity Management System. (Departments, once a year) | 8 | 12 | 64 |
Estimated regular effort in person days (PD) per year: | 43 PD | 70 PD | 427 PD |
Note: This is only a rough overview of the activities! Synergies can be achieved by using tools and establishing uniform procedures.
Regular work of the Information Security Officer (ISO)
Regular activities of the information security officer (internal effort in person-days (PD) per year, without tool support) | Company with 25 employees | Company with 100 employees | Company with 5000 employees |
--- | --- | --- | --- |
Review of all managed ISMS relevant documents for validity, timeliness and appropriateness and update them if necessary. (approx. once per year) | 3 | 5 | 10 |
Preparation and moderation of regular risk assessments. (approx. 4x per year, excluding special events) | 6 | 8 | 12 |
Updating the risk treatment plan. (approx. 4x per year, excluding special events) | 4 | 4 | 6 |
Checking the asset database/asset register for up-to-dateness. (approx. 4x per year) | 4 | 4 | 6 |
Review and evaluation of the results of the internal ISMS audit. (approx. once per year) | 4 | 4 | 6 |
Review of evidence provided by management regarding compliance with security policies and standards as well as any other security requirements in information processing. (approx. 4x per year) | 4 | 4 | 6 |
Check test results for compliance with technical specifications. (approx. 4x per year) | 4 | 4 | 6 |
Reviewing backup recovery test results. (approx. 4x per year) | 4 | 4 | 6 |
Collection of monitoring and measurement results in the ISMS context. (approx. 4x per year) | 8 | 8 | 20 |
Preparation, implementation and documentation of planned management reviews. (approx. 2x per year, excluding event-related processes) | 1 | 1 | 4 |
Completion/verification of nonconformities and effectiveness of corrective actions taken. (approx. 4x per year, excluding event-related processes) | 8 | 8 | 12 |
Control of log evaluations and tracking of security-relevant user activities, security events and security incidents. (approx. 12x per year, excluding event-related processes) | 25 | 40 | 70 |
Checking the evidence of training, skills, experience and required qualifications of the persons working within the scope of application. (approx. 2x per year) | 1 | 1 | 3 |
Preparation and implementation of training and awareness-raising measures in the context of information security. (approx. 2x per year, excluding event-related processes) | 4 | 10 | 60 |
Updating/supplementing the channels for transmitting information within the scope of application. (approx. 2x per year) | 2 | 3 | 6 |
Checking the Business Continuity Management System test results. (approx. 2x per year) | 4 | 4 | 10 |
Estimated regular effort in person days (PD) per year: | 86 PD | 112 PD | 243 PD |
Note: This is only a rough overview of the activities! Synergies can be achieved by using tools and establishing uniform procedures.
Individualization
Hardly any company has a homogeneous IT landscape and IT processes, just one location, and IT applications with only normal confidentiality and high availability requirements. So that you can adapt my estimate to your circumstances, I recommend using the following surcharges:
Initial activities of the organization | Surcharge |
--- | --- |
Homogeneous IT landscape and IT processes | 0% |
Heterogeneous IT landscape and IT processes | 25% |
Per additional location | 5% |
IT applications with only normal confidentiality and high availability requirements | 0% |
IT applications with predominantly high confidentiality and high availability requirements | 15% |
IT applications with predominantly very high confidentiality and high availability requirements | 30% |
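As an added worked example (not code from the original article), the following Python script encodes the baseline totals from the tables above and applies the individualization surcharges to one company. It assumes an eight-hour person-day, that the three surcharge factors add up, that a head count is rounded up to the next table column rather than interpolated, and that the surcharge is applied to all four totals; none of these choices is stated in the article.

```python
# Added worked example, not code from the original article: encodes the
# article's baseline effort totals and its individualization surcharges so
# the rough estimate can be adapted to one company's circumstances.

WORKDAY_MINUTES = 8 * 60  # assumption: one person-day (PD) is eight hours

# Baseline totals from the article's tables, keyed by company size column.
ISO_INITIAL_PD = {25: 69.5, 100: 98.5, 5000: 183}
ISO_REGULAR_PD = {25: 86, 100: 112, 5000: 243}
ORG_REGULAR_PD = {25: 43, 100: 70, 5000: 427}

# Individualization surcharges from the article's last table.
IT_LANDSCAPE = {"homogeneous": 0.00, "heterogeneous": 0.25}
CONFIDENTIALITY = {"normal": 0.00, "high": 0.15, "very high": 0.30}
PER_EXTRA_LOCATION = 0.05


def size_column(employees):
    """Smallest table column that covers the head count (assumption: round
    up instead of interpolating, which keeps the estimate conservative)."""
    for size in sorted(ISO_INITIAL_PD):
        if employees <= size:
            return size
    return max(ISO_INITIAL_PD)


def asset_recording_pd(assets, minutes_per_asset=10):
    """Manual asset recording effort at the article's 10 minutes per asset."""
    return round(assets * minutes_per_asset / WORKDAY_MINUTES, 1)


def surcharge(landscape, extra_locations, confidentiality):
    """Total surcharge as a fraction (assumption: the three factors add up)."""
    return (IT_LANDSCAPE[landscape]
            + extra_locations * PER_EXTRA_LOCATION
            + CONFIDENTIALITY[confidentiality])


def estimate(employees, assets, landscape, extra_locations, confidentiality):
    """Initial and yearly effort in PD; assumption: the surcharge applies to
    every total, and the organization's initial effort is asset recording."""
    size = size_column(employees)
    factor = 1 + surcharge(landscape, extra_locations, confidentiality)
    return {
        "size_column": size,
        "iso_initial": round(ISO_INITIAL_PD[size] * factor, 1),
        "org_initial": round(asset_recording_pd(assets) * factor, 1),
        "iso_regular_per_year": round(ISO_REGULAR_PD[size] * factor, 1),
        "org_regular_per_year": round(ORG_REGULAR_PD[size] * factor, 1),
    }
```

Calling `estimate(80, 1200, "heterogeneous", 1, "high")` (constructed sample input) uses the 100-employee column with a 45% surcharge, which turns the ISO's 98.5 PD initial effort into roughly 142.8 PD.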