4

The business in question has high requirements for information security due to the sensitive nature of their work. The company has 5 people on staff and works with consultants from time to time. Is there another information security standard that can be used instead of ISO 27001 for a business of this size?

1
  • The UK has Cyber Essentials as an "entry level" cert. However, it's not intended for businesses that do sensitive work.
    – paj28
    Commented Jan 11, 2021 at 15:31

5 Answers

4

"OK, we can't achieve this standard, so let's look for a standard that we can achieve without much work"

is pretty much the opposite of a security-aware organization's mindset, though I'd agree (after 5 min of lecture) with the presumption that 27001 might be a bit much work – but then you'll have to just live without that certification.

Instead of trying to find an arbitrary certification that fits your organization, you might simply want to look into the standard and apply as much as possible to the 5-person-organization. A certification is worth nothing, to be honest, from a security perspective, but will cost you a lot of money. Actually adhering to sensible practices practically pays for itself.

1
  • I disagree with this sentiment somewhat. We've been certified a while with ISO 27001 but it's been a PITA for our business structure, and auditors often suggest problems that don't really apply to our business. We actually wish there was a standard available that better represented fully remote companies (as we are), as the current standard is extremely annoying around requiring "sites" to audit. It is grounded in traditional business structures.
    – Oddman
    Commented May 30, 2023 at 4:20
1

The primary question is if you are aiming towards a certification of any kind.

If certification is not your goal, you can simply pick ISO 27001 and approach it as a framework that you pick and choose from. Apply the risk-based approach of the SoA aggressively and exclude any controls that do not address a serious risk.

If you do want to get a certification, I recommend asking around your local certifiers. You didn't include a country in your question, which makes it difficult to point anywhere. I know that in Europe, several testing organisations also offer custom certifications, and you should be able to find something among those. They will be happy to help you pick the right one, I'm sure.

1

You can implement ISO 27001 for any size of organization, as long as you want to build a system of processes to secure your information.

In your case, the documentation will probably be minimal (one document containing policy and procedures, with the SoA embedded, and a risk register).

ISO never asks you for huge documentation.

0

You could use the NIST Cybersecurity Framework.

As a framework, it's flexible and simple to understand and measure against, and measuring adherence would be an excellent step in any information security program.

If you want to go into a lot more detail to increase maturity having completed the above, you could look to NIST's Security and Privacy Controls for Federal Information Systems and Organizations (see http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf).

0

I appreciate this answer relates to a UK organisation (and that this is also quite an old question!) but IASME Governance is a new alternative here in the UK. It is much stricter than ISO in terms of requiring proof that you are secure, not just that you're trying to be secure. Someone once told me that they had ISO companies who found IASME hard to achieve.

There is nothing stopping someone outside the UK from at least completing the stages; however, the GDPR section may not be applicable.

IASME is promoted as an alternative to ISO 27001 and costs a lot less to achieve. It isn't as comprehensive in terms of policies but covers the main key security elements affecting a business, such as home working, backups, business continuity etc.

0
