Expert Advice Community

Implementation duration for ISMS/BCMS

Guest user Created:   Dec 17, 2020 Last commented:   Dec 17, 2020

According to your calculator (Duration of ISO 27001 / ISO 22301 Implementation), we would need 8 months for ISMS or BCMS implementation. How long do you estimate if we implemented both at the same time? Would you recommend implementing ISMS first and then BCMS, or both at the same time in order to use as many synergies as possible?

I ask the same questions regarding ISO 27017 and 27018. Should these be implemented at the same time, or is it better to follow them up according to ISO 27001?

Expert
Rhand Leal Dec 17, 2020

1 - According to your calculator (Duration of ISO 27001 / ISO 22301 Implementation), we would need 8 months for ISMS or BCMS implementation. How long do you estimate if we implemented both at the same time?

ISO 27001 and ISO 22301 share many requirements, so a good estimation is to consider from 10% to 20% more time to implement both standards at the same time (this additional time will cover the requirements specific to the second standard).

For more information, see:

2 - Would you recommend implementing ISMS first and then BCMS, or both at the same time in order to use as many synergies as possible?

The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure processes and service delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use as a basis for these systems the standards ISO 27001 (for information security) and ISO 22301 (for business continuity), you can implement parts of these systems simultaneously because they have many requirements in common (e.g., control of documents, internal audit, management review, etc.).

These materials will provide further information:

3 - I ask the same questions regarding ISO 27017 and 27018. Should these be implemented at the same time, or is it better to follow them up according to ISO 27001?

First, it is important to note that unless you have specific requirements demanding the implementation of cloud security controls, you do not need to implement ISO 27017 or ISO 27018. They only provide additional recommendations and guidelines for the implementation of controls of ISO 27001 Annex A (Annex A controls are sufficient to cover general cloud security requirements).

Considering that, in case you need to implement controls from ISO 27017 and ISO 27018, it is better to implement them while implementing controls from ISO 27001 Annex A.

These articles will provide you with further explanation about ISO 27017 and ISO 27018:
