An ISMS (information security management system) in accordance with ISO27001 is a systematic approach to managing information security in an organization. It is based on a set of internationally recognized standards and best practices that help identify, analyze, address, and monitor the risks that threaten the confidentiality, integrity, and availability of information.

Why is an ISMS important for your company?

An ISMS (information security management system) is a systematic approach to ensuring the confidentiality, integrity, and availability of information within an organization.

An ISMS offers several benefits for a company, for example:

  • Minimize risks — An ISMS helps identify, assess, and address potential threats to information security before they result in damage or loss. This reduces risks for the company and reduces liability in the event of security incidents.
  • Legal compliance — An ISMS supports compliance with relevant legal and regulatory requirements for information security, such as the General Data Protection Regulation (GDPR) or ISO 27001, thus avoiding possible sanctions, fines or lawsuits in the event of violations of these regulations.
  • Competitive advantage — An ISMS shows customers, partners and stakeholders that the company takes information security seriously and offers a high level of trust and reliability. This can lead to improved customer satisfaction, loyalty, and reputation, and open up new business opportunities.
  • Increasing efficiency — An ISMS promotes the optimization of processes, resources and activities in the context of information security. This can lead to an increase in productivity, quality and cost savings and strengthen the company's ability to innovate.
  • Faster sales cycle — ISMS certification allows contracts to be concluded faster through faster supplier verification of potential customers.
  • Reputation & Branding — With an information security management system, you build trust and improve your company's reputation.

How can SIDD help me set up an ISMS according to ISO27001?

SIDD can help build an ISMS in accordance with ISO27001 by:

  • Conducting a gap analysis to assess the organization's existing strengths and weaknesses in terms of information security.
  • Creating an action plan to define and implement the necessary measures to meet the requirements of the standard.
  • Training and sensitizing employees to raise awareness of the importance of information security and promote a security culture.
  • Supporting ISMS documentation by helping to create and update relevant policies, procedures, and evidence.
  • Accompanying and advising the company in preparing, carrying out and following up internal and external audits.

Ask for an individual cost estimate!

The costs of an ISO27001 certified ISMS depend on various factors, such as:

  • The size and complexity of the company and its processes
  • The scope and scope of the certification
  • Existing security measures and documents
  • The number and qualifications of employees involved
  • Choosing the certifier and auditors

It is therefore not possible to make a general statement about the costs, as they may vary from case to case. In general, however, it can be said that small companies with fewer than 50 employees and a simple business model can expect costs of between 20,000 and 50,000 CHF. Larger companies with more than 250 employees and a complex IT landscape must expect costs of between 50,000 and 200,000 CHF. These costs include both SIDD's consulting services and the fees for the certification itself.

In order to give you an accurate estimate of the costs for your individual ISMS, we would be happy to offer you a free initial consultation, in which we will discuss your requirements and expectations and provide you with a non-binding offer.

How much effort does a ISMS make?

Operating an ISMS in accordance with ISO27001 requires continuous effort to verify and improve the effectiveness and timeliness of security measures.

This includes carrying out regular internal audits, analyzing security incidents, updating risk assessments and documentation, raising awareness and training of employees, monitoring technical controls, and compliance with legal requirements. The specific effort depends on the size and complexity of the organization, the number and type of processes and information considered, the level of maturity of the existing management system and the specific goals and requirements of the organization.

SIDD helps you to keep operating costs as low as possible by providing you with appropriate tools and methods, helping you plan and carry out the necessary activities, and providing you with regular feedback and suggestions for improvement. As an external auditor, we also relieve you of some of the responsibility and administrative work so that you can concentrate on your core business.

In addition, we optionally work with the Priverion platform using software to enable even more efficient risk management.

What happens after you order at SIDD?

After SIDD has been appointed as an ISMS consultant, onboarding takes place:

Contract signing

We conclude a service contract that contains the framework conditions and scope of our activities. Digital, of course 😉

Kick-off meeting

We conduct a kick-off workshop with you to get to know each other, agree on expectations and discuss the next steps.

Defining the scope

Definition of the area of application, i.e. which areas of the company are covered by the ISMS.

Defining the ISMS policy

Development of an information security policy that sets the company's obligations and goals related to information security.

Risk assessment and risk treatment

· Identification of assets (information and resources), threats, and vulnerabilities

· Development of risk treatment measures to reduce or accept risks

Selecting security controls

· Defining security controls based on identified risks and ISO 27001 requirements

· Integration of appropriate security controls from Annex A to ISO 27001

Preparation of documentation

· Development of documents such as safety policies, procedures, and work instructions.

· Preparation of a risk treatment plan

Implementation and training

· Implementation of established security controls and processes

· Training employees and stakeholders on information security policies and procedures

Monitoring and measurement

· Introduction of monitoring and measurement processes to evaluate the performance of the ISMS

· Review and audit security events

Evaluation of performance

· Conducting internal audits to verify the ISMS's compliance with ISO 27001

· Evaluation of the effectiveness of implemented security controls

Management review

· Regular review of the ISMS by top management

· Identification of improvement opportunities and adjustments to the ISMS

Certification (optional)

Obtaining certification from an independent certification body to confirm compliance with ISO 27001.