Small and medium-sized enterprises often sell their products and services to larger companies. As part of the purchasing process, these companies usually place requirements on the information security of their suppliers, especially in areas where personal data is exchanged, for example in SaaS services or in consulting and data analysis services.
SMEs are then usually faced with a decision: take the costly route of information security certification, or lose the customer. In many cases, companies opt for ISO 27001 certification so that they are also prepared for future customers and markets. This path, and the experience of walking it as an SME, is outlined below.
The ISO/IEC 27001 standard has a compact structure of only about 30 pages. It is divided into chapters 0-3, which provide an introduction, and chapters 4-10, which describe the requirements. Annex A in turn contains the controls A5 to A18. These correspond directly to the controls and control descriptions in the ISO 27002 document.
In principle, all requirements from chapters 4-10 of the standard must be met. Individual controls from Annex A, however, may be left unimplemented where there is a documented justification for doing so. A risk-based approach is taken, the central core of which is to ensure that the CIA criteria are met. These are:
- C: Confidentiality refers to the goal of ensuring that information is not made available to unauthorized persons.
- I: Integrity refers to the goal of ensuring that information is accurate and complete.
- A: Availability refers to the goal of ensuring that information is accessible to authorized individuals at the time it is needed.
The aim of ISO 27001 is to establish and operate a management system that ensures information security (in the form of the above criteria).
For SMEs, the greatest challenges arise in maintaining the processes and the resources required for this (time, knowledge), creating awareness among employees, and defining which technical measures need to be taken and which organizational measures are sufficient.
The costs for an ISO 27001 certification consist of the costs for the certification audit, the costs for internal resources (employees etc.), the costs for external consulting as well as the costs for the implementation of technical measures.
The certification costs are calculated according to ISO 27006, which determines the audit time. Factors such as IT complexity and business complexity are taken into account here. The audit time also depends on the size of the company (number of employees). The audit time starts at 5 days and is staggered, e.g. approx. 19 days for companies with 1,000 employees.
In particular, the time that employees have to spend on implementing the management system should not be underestimated. This involves creating and reviewing guidelines, adapting the company's own processes, obtaining offers for technical measures, coordinating and implementing them, and managing the project as a whole. The training needed to build up and demonstrate competencies in the ISMS team should also not be neglected.
In summary, introducing an information security management system offers SMEs an excellent opportunity to develop additional customer groups. In view of the resources involved, however, the process must be well planned and should have a time horizon of at least 6-12 months.