We are in the planning stages of implementation of ISO27001 and are using Conformio to plan the project. I have a questions about the Free Calculator – Duration of ISO27001/ISO22301 Implementation tool. What does the tool use as a definition of implementation complete? For instance is Risk Assessment complete, procedures written and employees trained the definition of complete? Or does complete also include 3 months of the system in operation or is it ISO certification or some other measure? Would appreciate some additional insight into the definition of project complete
Answer: The calculator considers as required time for implementation the performing of at least one cycle of the Information Security Management System, which starts with organization's context understanding (standard's clause 4.1), goes through implementation, operation and control of the system, and finishes with the outputs established in the management review of the system (standard's clause 9.3), covering decisions related to continual improvement opportunities and a ny needs for changes of the information security management system.
Basically, the calculator will tell you the time needed for your company to become ready for the certification.
The 3 months of the system in operation is required by some certification bodies, but not all. Therefore, our calculator did not take this time into account.