Choosing ISO27k products


On the ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification.

It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security and of ISO management systems, and the business context. For example:
  • A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary;
  • A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, and its management and workforce more comfortable with structured and systematic ways of working, than, say, a retailer or farmers' cooperative;
  • An organization that is 'surrounded' or owned by ISO27k-certified organizations may be under more pressure to implement than a pioneer, especially if there are commercial pressures or contractual/regulatory obligations in this area (e.g. for privacy reasons);
  • A patently insecure organization that has suffered one or more serious infosec incidents, breaches, compliance failures etc. is likely to be under more intense pressure to reform and 'get secure' than one which is (or believes itself to be) relatively secure, doing OK at the moment but perhaps looking into ISO27k as a strategic opportunity, supporting other initiatives and complementing other management systems;
  • A mature, specialized, narrowly-focused, relatively simple and stable organization (such as a steel mill) probably needs far less flexibility in its ISMS than one which is highly dynamic, growing fast, chasing different markets and proactively innovating (such as a manufacturer of IoT devices).
Also, despite the additional wording in the original query, I'm not at all sure what a 'complete package' is. That might mean any of the following, alone or in combination:
  • Documentation e.g.:
    • Sets of ISO27k and possibly other standards (the core set of ISO/IEC 27000, 27001, 27002, 27003 and 27005 is almost universally recommended);
    • Generic template/skeleton ISMS documentation such as the scope, the Statement of Applicability (SoA), the Risk Treatment Plan (RTP) etc.;
    • Generic infosec policies and procedures etc.;
    • Generic project/program plans, frameworks etc.;
    • Generic, structured methods/approaches etc.;
    • Tailored documentation to suit the general type/size of business, industry etc.;
    • Bespoke or heavily customized documentation, competently tailored to suit a particular organization;
  • ISMS-related consultancy-type services of various kinds e.g.:
    • Training and awareness services for individuals, teams or the entire organization;
    • Help with the program and project governance and management aspects e.g. planning, resourcing, metrics, targets, project risk management;
    • Mentoring, guidance and advice for the CISO/ISM, ISMS implementation project manager/team and perhaps others e.g. senior management, risk management, IT audit, IT, Facilities, HR, Operations, Privacy ...;
    • All manner of gap analyses, reviews, audits, benchmarks etc. to assess and report on the current situation and help determine future directions, priorities etc.;
    • Full-time hands-on ISMS project and program management leading to permanent ISM and CISO roles;
    • Part-time local and/or remote support, advice, mentoring etc. for the permanent on-site team - including perhaps assistance with the recruitment and training of such a team;
    • Business development consultancy e.g. help to re-position and market the organization as an ISO27k-certified secure, trustworthy, reliable supplier or whatever;
  • Systems e.g.:
    • IT systems specifically supporting an ISO27k ISMS, or any kind of ISMS, or more generally information risk and security-related;
    • Document Management Systems, possibly pre-loaded with [generic but hopefully customizable, relevant and suitable] ISO27k ISMS documentation;
    • Learning Management Systems, possibly pre-loaded with ISO27k-related training materials, courses, tests etc.;
    • Private, hybrid or public cloud-based apps;
    • Structured methods, frameworks and approaches in this area, with or without IT components;
  • Something else!
Some of the options above are much more valuable than others (note: 'valuable' is not the same as 'expensive': some are free!). Comprehensive materials and support services might suit your organization (if you can afford them, and if they cover all your requirements!), but you might be better off with an appropriate selection and combination of point solutions addressing more specific weak points and needs, complementing and reinforcing the organization's existing resources and capabilities.

Lastly, I'll throw in another important factor to consider: the nature, quality and value of the products (both goods and services) depend heavily on the suppliers or sources - their competence, experience, expertise (both depth and breadth), quality assurance, creativity and so forth. Are they new to the market, full of brash enthusiasm and bright ideas but short on history and perhaps credibility? Are they old, established and maybe set in their ways? Are they ISO27k specialists (e.g. they ONLY offer ISO27k training courses), broader ISO27k and infosec suppliers (e.g. they provide training plus consulting plus systems) or generalists (e.g. the auditing/accounting/business consultancies)? Are they well-known and highly respected in the field with glowing customer references, or relatively unknown with dubious credentials? Oh, and are you certain the products on offer are what will actually be delivered (avoiding the old bait-and-switch scam)?

I hope this general advice helps. I appreciate that it raises far more issues than it answers ... but hopefully those questions and considerations are a lot more useful than the alternative "Well, it all depends!"