cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
percussed
Newcomer II

ISO 27001 advice

Hello Community, beginning planning stages to get an ISO 27001 cert. for my smallish healthcare software company. 

 

Wondering if I should attempt to do it myself, using a book, or a kit? Any advice on who's book or kit?

 

Or should I just bite the bullet and hire a consultant? 1st estim. ~80K (good estim?)

 

Should I seek to certify our application first, then the org, or just do both at once?

 

 

 

Little background, CISSP, CEH and limited info sec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.

 

 

 

5 Replies
dfcooktx
Newcomer I

Why the ISO 27001 certification instead of seeking HITRUST certification? HITRUST is more prescriptive to healthcare and the CSF has a cross reference to ISO/IEC 27001, Joint Commission, HIPAA, NIST and even PCI. I think the certification is scalable to organization size as well. Just a thought.
jsjj01
Viewer

I agree with @dfcooktx.  I work in the Healthcare IT space as well and used the HITRUST cross reference to ensure that I was complying with multiple frameworks.  We did have requirements to be compliant with ISO27002, etc. from our various customers so found it easier to go the HITRUST route.  In a previous role I worked in pharmaceutical IT and managed sites in Europe that required ISO27XXX certification and did use a consultant, ours ended up running a bit higher than the price you mentioned here, but it should not vary too much from that figure.

Shannon
Community Champion

First of all, confirm whether it's mandatory for your company to be certified, the benefits --- essentially compliance and marketing --- and the costs involved, before you take a decision.

 

In a previous organization I was with, we went in for it at the organization level, and it was taken as a project, involving the creation and maintenance of the minimal documentation, the implementation / adoption of processes / procedures, training for a few staff, and so on.

 

 

Limiting the ISMS scope to a single application --- assuming that's feasible --- may be tricky, given that auditors tend to look at every little thing.

 

I would suggest you ensure that your organization has the minimal set of documents they require, & proper controls / procedures running, before taking a shot at it. Doing it through a consultant may be advisable if you don't know about it --- but don't let that stop you from doing your own research.

 

You could check the relevant pages of Adviseria for some more information on this...

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
percussed
Newcomer II

Thanks so much!! I'll look into HITRUST.

percussed
Newcomer II

Thanks so much!! I'll look into the HITRUST crf. I've got a lot of footwork to do before we even approach certification.