Hello Community, beginning planning stages to get an ISO 27001 cert. for my smallish healthcare software company.
Wondering if I should attempt to do it myself, using a book, or a kit? Any advice on who's book or kit?
Or should I just bite the bullet and hire a consultant? 1st estim. ~80K (good estim?)
Should I seek to certify our application first, then the org, or just do both at once?
Little background, CISSP, CEH and limited info sec experience. 6 months at this job, been hardening infrastructure and doing policies. Already HIPAA compliant.
I agree with @dfcooktx. I work in the Healthcare IT space as well and used the HITRUST cross reference to ensure that I was complying with multiple frameworks. We did have requirements to be compliant with ISO27002, etc. from our various customers so found it easier to go the HITRUST route. In a previous role I worked in pharmaceutical IT and managed sites in Europe that required ISO27XXX certification and did use a consultant, ours ended up running a bit higher than the price you mentioned here, but it should not vary too much from that figure.
First of all, confirm whether it's mandatory for your company to be certified, the benefits --- essentially compliance and marketing --- and the costs involved, before you take a decision.
In a previous organization I was with, we went in for it at the organization level, and it was taken as a project, involving the creation and maintenance of the minimal documentation, the implementation / adoption of processes / procedures, training for a few staff, and so on.
Limiting the ISMS scope to a single application --- assuming that's feasible --- may be tricky, given that auditors tend to look at every little thing.
I would suggest you ensure that your organization has the minimal set of documents they require, & proper controls / procedures running, before taking a shot at it. Doing it through a consultant may be advisable if you don't know about it --- but don't let that stop you from doing your own research.
You could check the relevant pages of Adviseria for some more information on this...