Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
percussed
Newcomer II
‎02-02-2018 09:19 AM
‎02-02-2018 09:19 AM

ISO 27001 advice

Hello Community, beginning planning stages to get an ISO 27001 cert. for my smallish healthcare software company. 

 

Wondering if I should attempt to do it myself, using a book, or a kit? Any advice on who's book or kit?

 

Or should I just bite the bullet and hire a consultant? 1st estim. ~80K (good estim?)

 

Should I seek to certify our application first, then the org, or just do both at once?

 

 

 

Little background, CISSP, CEH and limited info sec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.

 

 

 

Reply
0 Kudos
5 Replies
dfcooktx
Newcomer I
‎02-02-2018 10:15 AM
‎02-02-2018 10:15 AM

Why the ISO 27001 certification instead of seeking HITRUST certification? HITRUST is more prescriptive to healthcare and the CSF has a cross reference to ISO/IEC 27001, Joint Commission, HIPAA, NIST and even PCI. I think the certification is scalable to organization size as well. Just a thought.
Reply
0 Kudos
jsjj01
Viewer
‎02-02-2018 10:59 AM
‎02-02-2018 10:59 AM

I agree with @dfcooktx.  I work in the Healthcare IT space as well and used the HITRUST cross reference to ensure that I was complying with multiple frameworks.  We did have requirements to be compliant with ISO27002, etc. from our various customers so found it easier to go the HITRUST route.  In a previous role I worked in pharmaceutical IT and managed sites in Europe that required ISO27XXX certification and did use a consultant, ours ended up running a bit higher than the price you mentioned here, but it should not vary too much from that figure.

Reply
Shannon
Community Champion
‎02-02-2018 12:08 PM
‎02-02-2018 12:08 PM

First of all, confirm whether it's mandatory for your company to be certified, the benefits --- essentially compliance and marketing --- and the costs involved, before you take a decision.

 

In a previous organization I was with, we went in for it at the organization level, and it was taken as a project, involving the creation and maintenance of the minimal documentation, the implementation / adoption of processes / procedures, training for a few staff, and so on.

 

 

Limiting the ISMS scope to a single application --- assuming that's feasible --- may be tricky, given that auditors tend to look at every little thing.

 

I would suggest you ensure that your organization has the minimal set of documents they require, & proper controls / procedures running, before taking a shot at it. Doing it through a consultant may be advisable if you don't know about it --- but don't let that stop you from doing your own research.

 

You could check the relevant pages of Adviseria for some more information on this...

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Reply
0 Kudos
percussed
Newcomer II
‎02-02-2018 02:05 PM
‎02-02-2018 02:05 PM

Thanks so much!! I'll look into HITRUST.

Reply
0 Kudos
percussed
Newcomer II
‎02-02-2018 03:12 PM
‎02-02-2018 03:12 PM

Thanks so much!! I'll look into the HITRUST crf. I've got a lot of footwork to do before we even approach certification.

Reply
0 Kudos