percussed
Newcomer I

ISO 27001 advice

Hello Community, I'm in the beginning planning stages of getting an ISO 27001 certification for my smallish healthcare software company.

Wondering if I should attempt to do it myself, using a book or a kit? Any advice on whose book or kit?

Or should I just bite the bullet and hire a consultant? The first estimate is ~80K (is that a good estimate?).

Should I seek to certify our application first, then the org, or just do both at once?

A little background: CISSP, CEH, and limited infosec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.

 

 

 

5 Replies
dfcooktx
Newcomer I

Re: ISO 27001 advice

Why the ISO 27001 certification instead of seeking HITRUST certification? HITRUST is more prescriptive to healthcare and the CSF has a cross reference to ISO/IEC 27001, Joint Commission, HIPAA, NIST and even PCI. I think the certification is scalable to organization size as well. Just a thought.
jsjj01
Viewer

Re: ISO 27001 advice

I agree with @dfcooktx. I work in the Healthcare IT space as well and used the HITRUST cross reference to ensure that I was complying with multiple frameworks. We did have requirements to be compliant with ISO 27002, etc. from our various customers, so found it easier to go the HITRUST route. In a previous role I worked in pharmaceutical IT and managed sites in Europe that required ISO 27xxx certification, and we did use a consultant. Ours ended up running a bit higher than the price you mentioned here, but it should not vary too much from that figure.

Shannon
Community Champion

Re: ISO 27001 advice

First of all, confirm whether it's mandatory for your company to be certified, the benefits (essentially compliance and marketing), and the costs involved, before you take a decision.

In a previous organization I was with, we went in for it at the organization level, and it was taken as a project, involving the creation and maintenance of the minimal documentation, the implementation / adoption of processes / procedures, training for a few staff, and so on.

Limiting the ISMS scope to a single application (assuming that's feasible) may be tricky, given that auditors tend to look at every little thing.

I would suggest you ensure that your organization has the minimal set of documents they require, and proper controls / procedures running, before taking a shot at it. Doing it through a consultant may be advisable if you don't know about it, but don't let that stop you from doing your own research.

You could check the relevant pages of Adviseria for some more information on this...


Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
percussed
Newcomer I

Re: ISO 27001 advice

Thanks so much!! I'll look into HITRUST.

percussed
Newcomer I

Re: ISO 27001 advice

Thanks so much!! I'll look into the HITRUST CSF. I've got a lot of footwork to do before we even approach certification.