https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5981#M645 <P>Hello Community, beginning planning stages to get an ISO 27001 cert. for my smallish healthcare software company.&nbsp;</P><P>&nbsp;</P><P>Wondering if I should attempt to do it myself, using a book, or a kit? Any advice on who's book or kit?</P><P>&nbsp;</P><P>Or should I just bite the bullet and hire a consultant? 1st estim. ~80K (good estim?)</P><P>&nbsp;</P><P>Should I seek to certify our application first, then the org, or just do both at once?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Little background, CISSP, CEH and limited info sec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 02 Feb 2018 14:19:42 GMT percussed 2018-02-02T14:19:42Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5981#M645 <P>Hello Community, beginning planning stages to get an ISO 27001 cert. for my smallish healthcare software company.&nbsp;</P><P>&nbsp;</P><P>Wondering if I should attempt to do it myself, using a book, or a kit? Any advice on who's book or kit?</P><P>&nbsp;</P><P>Or should I just bite the bullet and hire a consultant? 1st estim. ~80K (good estim?)</P><P>&nbsp;</P><P>Should I seek to certify our application first, then the org, or just do both at once?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Little background, CISSP, CEH and limited info sec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 02 Feb 2018 14:19:42 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5981#M645 percussed 2018-02-02T14:19:42Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5984#M646 Why the ISO 27001 certification instead of seeking HITRUST certification? HITRUST is more prescriptive to healthcare and the CSF has a cross reference to ISO/IEC 27001, Joint Commission, HIPAA, NIST and even PCI. I think the certification is scalable to organization size as well. Just a thought. Fri, 02 Feb 2018 15:15:47 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5984#M646 dfcooktx 2018-02-02T15:15:47Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5986#M647 <P>I agree with <a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1353050705">@dfcooktx</a>.&nbsp; I work in the Healthcare IT space as well and used the HITRUST cross reference to ensure that I was complying with multiple frameworks.&nbsp; We did have requirements to be compliant with ISO27002, etc. from our various customers so found it easier to go the HITRUST route.&nbsp; In a previous role I worked in pharmaceutical IT and managed sites in Europe that required ISO27XXX certification and did use a consultant, ours ended up running a bit higher than the price you mentioned here, but it should not vary too much from that figure.</P> Fri, 02 Feb 2018 15:59:11 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5986#M647 jsjj01 2018-02-02T15:59:11Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5993#M648 <P>First of all, confirm whether it's mandatory for your company to be certified, the benefits --- essentially compliance and marketing ---&nbsp;and the costs involved, before you&nbsp;take a decision.</P><P>&nbsp;</P><P>In a previous organization I was with, we went in for it at the organization level, and it was taken as a project, involving the creation and maintenance of the minimal documentation, the implementation / adoption of processes / procedures, training for a few staff, and so on.</P><P>&nbsp;</P><P>&nbsp;</P><P>Limiting&nbsp;the ISMS scope to&nbsp;a single application --- assuming that's feasible --- may be tricky, given that auditors&nbsp;tend to look at every little thing.</P><P>&nbsp;</P><P>I would suggest you ensure that your organization has the minimal set of documents they require, &amp; proper controls / procedures running, before taking a shot at it. Doing it through a consultant may be advisable if you don't know about it --- but don't let that stop you from doing your own research.</P><P>&nbsp;</P><P>You could check the relevant pages of <A href="https://advisera.com/27001academy/" target="_self">Adviseria</A> for some more information on this...</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 02 Feb 2018 17:08:54 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/5993#M648 Shannon 2018-02-02T17:08:54Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/6022#M649 <P>Thanks so much!! I'll look into HITRUST.</P> Fri, 02 Feb 2018 19:05:50 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/6022#M649 percussed 2018-02-02T19:05:50Z https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/6074#M650 <P>Thanks so much!! I'll look into the HITRUST crf. I've got a lot of footwork to do before we even approach certification.</P> Fri, 02 Feb 2018 20:12:56 GMT https://community.isc2.org/t5/Industry-News/ISO-27001-advice/m-p/6074#M650 percussed 2018-02-02T20:12:56Z