I'm working through the process with the help of a consultant, and we have some general questions about applying 27K to a small hosting business like mine. I run a small hosting business focusing on email and also offering web hosting and similar services.
1) How should we apply the standard to a small business with limited checks and balances? In my case, there are currently just three of us with access to the systems. As the business owner I have access to basically everything (servers running the services, as well as billing records), and I have one other administrator with admin access to most of the servers, and a support person with more limited admin access. In particular for my access, it's hard to define limitations to access or .
2) How should we describe our use of 27K in our marketing, if we adopt the structure and complete the documentation but don't go through a formal 3rd party certification audit?
1) In your case I think that you need to decrease the number of documents to a minimum, so you only need to develop the mandatory documents. Here you can see the list of mandatory documents: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ Remember that you can also exclude controls, for example A.6.1.2 Segregation of duties (conflicting duties and areas of responsibility shall be segregated).
2) If you implement ISO 27001 without the certification, you will need to demonstrate to your customers that your ISMS is implemented in accordance with ISO 27001 requirements, and it is not easy. So from my point of view, if you want ISO 27001 for marketing purposes, you need the certificate. Maybe this article can be interesting for you: Should your company go for the ISO 27001 / ISO 22301 certification?: https://advisera.com/27001academy/iso-27001-certification/