
Expert Advice Community

Implementation questions

Guest user — Created: Jun 03, 2021 — Last commented: Jun 03, 2021

Implementation questions

I am currently researching the topic of ISO 27001, as our number of institutional clients is increasing.

I would be interested in some information regarding the standard, so I would be very grateful if you could take some time to help me with these questions:
1. I looked at the phases of the standard, from Planning, Implementation and Verification to Further Improvements. I wonder how long on average full implementation and verification takes?
2. Where are and what are our potential financial costs?
3. At what stage would the auditor come, and is this something you could do for us? (Also, I'm interested in the fee for that.)
4. Any PDF resource that describes the whole process in more detail would be great. So if you have something similar, please send it to me.
5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask.


Expert
Rhand Leal Jun 03, 2021

> I am currently researching the topic of ISO 27001, as our number of institutional clients is increasing.
>
> I would be interested in some information regarding the standard, so I would be very grateful if you could take some time to help me with these questions:
>
> 1. I looked at the phases of the standard, from Planning, Implementation and Verification to Further Improvements. I wonder how long on average full implementation and verification takes?

Answer: The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.

To get an insight into the time duration for your organization, please read:
- ISO 27001 checklist: 16 steps for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - you should also note that this is the timing needed for companies that use our toolkits

> 2. Where are and what are our potential financial costs?

Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it is not possible to give a precise value. What I can tell you are some cost items you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees' effort and time
- The certification process

These articles can provide you with more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

> 3. At what stage would the auditor come, and is this something you could do for us? (Also, I'm interested in the fee for that.)

Answer: From your question it is not clear whether you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

The internal auditor should come some time after the implementation of the required controls, when at least one cycle of the required monitoring and measurement has been performed, so that the internal auditor has enough evidence to evaluate whether the controls are implemented and working as planned.

For further information, see:
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

The certification auditor should come some time after the first management review has been performed, when at least some corrective actions or opportunities for improvement have been addressed, so that the certification auditor has enough evidence to evaluate whether all requirements of the standard are implemented and working as planned.

For further information, see:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

At this time Advisera does not perform any kind of audit services.

> 4. Any PDF resource that describes the whole process in more detail would be great. So if you have something similar, please send it to me.

Answer: On Advisera's site, you can find several free-access materials that can help you understand ISO 27001, such as:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
- Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation
- How to perform an internal audit using ISO 19011 (PDF) https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

> 5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask.

Answer: For an initial view of ISO 27001, I suggest you take a look at these materials:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
- Free online training: ISO 27001 Foundations Course http://training.advisera.com/course/iso-27001-foundations-course/
