ISO standards for Operations Security and Security Incident Management

1. To meet the ISO standards for Operations Security and Security Incident Management, is implementation of a cybersecurity tool necessary?

Answer:  ISO 27001 does not prescribe technologies or tools to be used. The need for their use should be evaluated considering the results of risk assessment and applicable legal requirements (e.g., laws, regulations, or contracts). If there are no relevant risks, nor legal requirements, demanding the application of cybersecurity tools, you do not need to implement them.  

For further information, see:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. How much history of “records” is needed to show the auditor evidence of newly formed operational processes?

Answer: Please note that ISO 27001 does not require a minimum period of records (i.e., a minimum period of the ISMS operation before the certification), however, some certification bodies do have such requirements and some don't, so you should contact your certification body to confirm what criteria it applies. 

This article may also help you:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

3. Typically, once the ISMS prep is completed, how long after can a company get certified?

Answer: A company can request a certification audit as soon as it has all required documents and records to evidence the controls are implemented and working properly, and that the ISMS is being managed. The proper timeframe to request a certification audit will depend on the criteria used by your certification body.

4. Typically, for a small company, less than 20 employees, 5 sites, how long does ISMS project take?

Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for clients of this size our ISO 27001 Documentation Toolkit usually finish the implementation in 4 to 6 months.

To see how documents compliant with ISO 27001 looks like, please see the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you further explanation about ISO 27001:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/

These materials will also help you regarding ISO 27001 implementation:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

5. What are some examples of the information assets for the inventory list for a small company?

Answer: Here's an article that suggests the assets for different categories:

- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding identification of assets:

- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

- Asset List for ISO 27001 Risk Assessment (MS Word) https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/