1 - How much does it cost to acquire ISO 27001 certification for a small business (approx.)?
Answer: I'm assuming that in the first part of your question you mean the cost of being certified against ISO 27001.
Considering that, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost items you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees' effort and time
- The certification process
2 - How much time does it take to get certified (approx.)?
Answer: Regarding implementation duration, the length of the implementation project also varies according to many variables (e.g., available resources, experience with the standard's requirements, top management involvement, etc.), but for small and medium-sized organizations the implementation generally takes from 3 to 12 months.
Answer: Regarding the implementation process, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
1) define the basic ISMS framework (e.g., scope, objectives, organizational structure) by understanding the organizational context and the requirements of interested parties;
2) develop the risk assessment and treatment methodology;
3) perform a risk assessment and define the risk treatment plan;
4) implement controls (e.g., policies and procedures documentation, acquisitions, etc.);
5) train people and raise awareness;
6) operate the controls;
7) monitor and measure performance;
8) perform an internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.