Expert Advice Community

Guest

Implementation duration for ISMS/BCMS

  Quote
Guest
Guest user Created:   Dec 17, 2020 Last commented:   Dec 17, 2020

Implementation duration for ISMS/BCMS

according to your calculator (- Duration of ISO 27001 / ISO 22301 Implementation) we would need 8 months for ISMS or BCMS implementation. How long do you estimate if we implemented both at the same time? Would you recommend implementing ISMS first and then BCMS, or both at the same time in order to use as many synergies as possible?

I ask the same questions regarding ISO 27017 and 27018. Should these be implemented at the same time, or is it better to follow them up according to ISO 27001?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 17, 2020

1 - according to your calculator (- Duration of ISO 27001 / ISO 22301 Implementation) we would need 8 months for ISMS or BCMS implementation. How long do you estimate if we implemented both at the same time? 

ISO 27001 and ISO 22301 share many requirements, so a good estimation is to consider from 10% to 20% more time to implement both standards at the same time (this additional will cover the requirements specific to the second standard).

For more information, see:

2 - Would you recommend implementing ISMS first and then BCMS, or both at the same time in order to use as many synergies as possible?

The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure processes and service delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use as a basis for these systems the standards ISO 27001 (for information security) and ISO 22301(for business continuity), you can implement parts of these systems simultaneously because the have many requirements in common (e.g., control of documents, internal audit, management review, etc.). 

These materials will provide further information:

3 - I ask the same questions regarding ISO 27017 and 27018. Should these be implemented at the same time, or is it better to follow them up according to ISO 27001?

First is important to note that unless you have specific requirements demanding the implementation of cloud security controls, you do not need to implement ISO 27017 nor ISO 27018. They only provide additional recommendations and guidelines to the implementation of controls of ISO 27001 Annex A (Annex A controls are sufficient to cover general cloud security requirements).

Considering that, in case you need to implement controls from ISO 27017 and ISO 27018, it is better to implement them while implementing controls from ISO 27001 Annex A.

These articles will provide you further explanation about ISO 27017 and ISO 27018:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 17, 2020

Dec 17, 2020