Don’t underestimate the number of stakeholders you will need to consult. In large organisations, stakeholder management can be a large undertaking and a key requirement for a successful compliance activity.
Partner with experienced information security providers who know the implications of their advice, in particular with respect to the selection of information security controls. Many controls sound like a good idea, but the implementation can be much more challenging.
Start with an understanding of risks and development of a management system before jumping into controls and technology. Investing time up front to understand your risk posture will pay long-term benefits.
Avoid anybody who guarantees certification within 1 month. They can’t! Certification Bodies generally like to see at least 3 months of evidence at the stage 2 Audit to make a recommendation for certification to the Accreditation Body. For smaller scopes, this timeframe may be less, but it is best to plan on at least 3 – 6 months.
Certification Bodies are prevented under another ISO standard (19011) and scheme rules from performing both certification and consulting/advisory services due to conflict of interest issues. Some get around this by offering extended pre-assessments or gap analyses. Whilst these may appear cheap, there are limits to the amount of actionable recommendations that can be provided.
You will be entitled to display an ISO 27001 certification mark. The certification mark is tangible proof that you take care of information, are committed to protecting data entrusted to you, and are fulfilling your commercial, contractual and legal responsibilities with respect to information security. A great idea would be to promote this certification on your marketing collateral and website as a source of differentiation from your competitors.