Expert Advice Community

Various questions about the ISMS

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

AntonioS Jan 13, 2016

1. How do I determine/estimate how long the project will take to complete, for my presentation to management?
2. How do I estimate the cost of the ISMS?
3. I have a scope defined (regulatory based); it is mainly in xxxx and xxx and a XX branch. I need to tell management how I will manage that with the remote resources.
4. Also, do you offer pre-certification audit services?
5. How do I ensure that 3rd parties abide by the control standards we expect when providing us IT services, and how can we demonstrate this to the gambling authorities and ISO 27001 auditors?

Answers:

1.- I suppose that your question is related to the duration of the implementation of ISO 27001. If so, to determine this time you need to identify the number of employees, number of departments, etc. This free tool can help you: “Free Calculator – Duration of ISO 27001 / ISO 22301 Implementation”: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
2.- There are also some questions that you need to consider: the size of your organization, the level of criticality of the information, the technology the organization is using, etc. For more information about this, please read this article: “How much does ISO 27001 implementation cost?”: https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
3.- From my point of view, here it is important that top management knows the remote resources, but it is not relevant that they know how you will manage them. Keep in mind that, in accordance with clause 5.1 Leadership and commitment, item c): “Top management shall demonstrate leadership and commitment with respect to the information security management system by ensuring that the resources needed for the information security management system are available”.
4.- No, I am sorry; we only offer templates and support for the implementation. But before certification it is necessary to perform the internal audit (the pre-certification audit is not mandatory), so if you want to perform the internal audit, this article may be of interest to you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
5.- To ensure that 3rd parties meet your requirements, you can perform reviews periodically (and of course it is very important to have agreements with the definition and level of the services - SLAs). To demonstrate this to the auditors, you need records, for example minutes of meetings. For more information about records, please read this article: “Records management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
