The ISO 27001 Tool Kit – Buyer Beware…

Nov 21, 2018

Archived Blog & News

The content in this blog was accurate at time of publishing, however as standards (and the understanding of their application) change, some of this information may no longer be applicable.
If you have any questions on this or the other topics we’ve covered; please get in touch and we can discuss any queries you may have.

Google “ISO 27001 Tool Kit” and you’ll be faced with a page of “too-good-to-be-true” offers. The message is that ISO 27001 certification is simple:

  • Download some templates and fill in the relevant blanks.
  • Call the certification auditor.
  • “Tick, tick”. Done.

We produce our own kits, too. Are we simply denigrating the opposition in this blog? No – we are just sharing our concern and warning against the “one size fits all” concept. Our toolkit has grown out of our successful consultancy work with many types of businesses.

We thought that all companies offering kits were of a similar profile to us. It appears not. How do we know?

A customer brought an ISO 27001 tool kit to us, having faced serious challenges with it. We analysed the templates. More significantly, we studied the guidelines that came with it. Sharing our concerns via this blog seemed helpful.

What’s Good About ISO 27001 Tool Kits?

Purchase is quick and easy. No consultant’s fees to worry about. Your company may do other things “in-house”, so why not this task? You’ll get lots of useful-looking templates, and the sheer quantity will be both impressive and vaguely daunting. Surely nothing will be missed out by such a quantity of controls and guidelines?

Happily, all should be well in the hands of an experienced manager who knows his or her way around the current generation of revised ISO standards, knows what to include, at what depth, and what to leave out. Such a manager will tailor the documents to fit the business and its needs via a well-constructed ISMS. Job done.

What’s Bad?

Quantity exceeds quality, and the templates are very, very generic. Knowing how to customise them to meet the precise requirements of your business is a vital aspect of their successful use. Quite simply: what to leave out, and how to fine-tune what’s left for relevance. Sadly, creating something large and comprehensive (but irrelevant) is a common error. Obtaining certification does not depend on the sheer volume of documents. Harsh but true. Alarmingly, some kits appear to be written by those with no obvious experience of implementing and auditing ISO standards. (Always ascertain the background of the author before buying!) Worse, by the time you’ve bought a kit and realised its shortcomings, it’s too late.

Can They Be Made To Work At All?

Yes. By creating simple, easy instructions on how to control the relevant aspects of your business, and the templates to document it. That’s it, in essence. The ISMS needs to address the information security risks arising from your specific enterprise. No more, no less. Don’t create documents for non-existent risks and processes in the hope of impressing the auditor. I was once an auditor. It won’t work.

What Goes Wrong (and Why It Shouldn’t)?

To reiterate, the ISMS created from such a kit has poor relevance to the enterprise. The certification auditor spots this immediately. ISO 27001 certification is not awarded. Ironically, of the 114 controls in ISO 27001, companies are often unknowingly applying half of them through good practice, and these simply need formalising. In my experience, a poor-quality tool kit, badly applied, forces existing good practice into a documented strait-jacket, and the result is then less than “good”. A skilled consultant will identify how to weave current informal compliance into the fabric of a relevant ISMS, preserving what is admirable and formalising it.

What Do You Offer and How Does It Differ?

Considering the ISO 27001 tool kits we’ve analysed, and the poor applications we’ve witnessed, our kit is firmly aimed at successful certification. Its primary intent is to be used in the real world, not simply to generate documents (and income). Once again, if you are buying, check the author’s track record.

Can We Help?

We offer a tutorial on the use of our own tool kit, and guidance on implementing the system through an hour of free consultancy. Once again, it’s the application of the toolkit materials, and the guidance contained within the kit, that is the key weak spot of any ISO 27001 tool kit. Let the buyer beware.

Meanwhile, if we can help at all, even if you are struggling with someone else’s ISO 27001 tool kit, please get in touch with us.