ISO 27001: From Strategy to Implementation
Introduction: The Security Paradigm
The modern business landscape, dominated by the dynamic digitization of operational processes and growing dependence on IT infrastructure, forces organizations to radically change their approach to protecting intangible assets. Information, once an auxiliary resource, has now become critical capital, the loss, breach of integrity, or lack of availability of which can result in irreversible reputational, financial, and legal damage.
In this context, the ISO/IEC 27001 standard, defining the requirements for an Information Security Management System (ISMS), has ceased to be perceived merely as a technical standard for IT departments, evolving into a strategic tool for corporate risk management.
This report constitutes a comprehensive study of the ISO 27001 certification process, with particular emphasis on the specifics of the Polish market, legal regulations such as GDPR (RODO) and the National Interoperability Framework (KRI), as well as real costs and operational challenges associated with implementation.
Chapter 1: Architecture and Philosophy of the ISO/IEC 27001 Standard
1.1. System Foundations: The CIA Triad and the Deming Cycle
The essence of the standard is not to impose specific technological solutions, but to create a management framework. The central point is the CIA triad:
- Confidentiality: Ensuring that information is available only to authorized persons.
- Integrity: Guaranteeing the accuracy and completeness of information.
- Availability: Certainty of access to resources upon request by authorized users.
The operational engine of the ISMS is the PDCA cycle (Deming Cycle):
- Plan: Context analysis and risk assessment.
- Do: Implementation of safeguards and training.
- Check: Monitoring, internal audits, management reviews.
- Act: Corrective actions and continuous improvement.
1.2. Organizational Context
The standard requires an analysis of factors influencing the ISMS (Clause 4):
- Internal factors: Organizational culture, structure, resources.
- External factors: Legal environment (GDPR, KSC - National Cybersecurity System), market, competition.
- Interested parties: Clients, suppliers, regulatory bodies (UODO, KNF).
1.3. Evolution to the 2022 Version
The ISO/IEC 27001:2022 version reduced the number of controls from 114 to 93, dividing them into 4 areas:
- Organizational Controls (37 controls)
- People Controls (8 controls)
- Physical Controls (14 controls)
- Technological Controls (34 controls)
Chapter 2: Risk Management Methodology
Risk management is the heart of the system. There are two main approaches:
2.1. Asset-Based Approach
A traditional method, preferred in regulated sectors.
- Asset Identification: Hardware, data, people.
- Determining Owners: Assigning responsibility.
- Threat and Vulnerability Identification: E.g., fire, weak passwords.
- Risk Assessment: The product of probability and impact.
2.2. Scenario-Based Approach
A modern approach focused on business processes, e.g., "Ransomware attack paralyzing shipments for 48h." It is more understandable for the board ("business language").
2.3. Risk Treatment Plan
Four strategies for handling risk:
- Modify: Implementing controls.
- Avoid: Ceasing the risky activity.
- Transfer: Insurance or outsourcing.
- Accept: A conscious decision to take no action.
Chapter 3: Statement of Applicability (SoA)
The Statement of Applicability (SoA) is a document connecting risk assessment with implementation. It must contain a list of 93 controls along with:
- Status (applied/not applied).
- Justification for inclusion (e.g., result of risk R-12 or GDPR requirement).
- Justification for exclusion.
- Implementation status.
The "Golden Thread" Concept: The auditor must see a logical sequence: Threat -> Mitigation Decision -> Control in SoA -> Proof of Operation.
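As an added illustration (not part of the SecurHub report), the following Python script ties the risk assessment and treatment strategies of Chapter 2 to the SoA structure and the "Golden Thread" of Chapter 3: it scores each risk as probability times impact, checks that the treatment decision is consistent with a risk appetite, generates SoA rows with inclusion/exclusion justifications, and then walks the chain Threat -> Decision -> Control -> Proof of Operation to report gaps an auditor would find. The 1..5 scales, the appetite threshold, the risk identifiers, owners and evidence strings are constructed sample values; the Annex A control numbers follow the 2022 edition's numbering but are an assumption here, not taken from the report.

```python
"""Risk register -> treatment -> SoA -> golden-thread check (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

RISK_APPETITE = 8  # hypothetical appetite: scores above this may not simply be accepted


@dataclass
class Risk:
    risk_id: str
    scenario: str          # scenario-based wording ("business language")
    owner: str
    probability: int       # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int            # 1 (negligible) .. 5 (catastrophic), constructed scale
    treatment: str         # "modify" | "avoid" | "transfer" | "accept"
    controls: List[str] = field(default_factory=list)  # Annex A controls chosen

    @property
    def score(self) -> int:
        # Risk as the product of probability and impact (asset-based approach).
        return self.probability * self.impact


@dataclass
class Control:
    control_id: str
    title: str
    applied: bool
    status: str                      # "implemented" | "planned" | "n/a"
    exclusion_reason: str = ""       # required when applied is False
    evidence: List[str] = field(default_factory=list)  # proof of operation
    external_requirement: str = ""   # e.g. a legal basis when not risk-driven


def validate_register(risks: List[Risk]) -> List[str]:
    """Flags treatment decisions inconsistent with the score or with each other."""
    problems = []
    for r in risks:
        if r.treatment not in {"modify", "avoid", "transfer", "accept"}:
            problems.append(f"{r.risk_id}: unknown treatment {r.treatment!r}")
        if r.treatment == "accept" and r.score > RISK_APPETITE:
            problems.append(f"{r.risk_id}: score {r.score} exceeds appetite, cannot simply accept")
        if r.treatment == "modify" and not r.controls:
            problems.append(f"{r.risk_id}: 'modify' chosen but no control assigned")
    return problems


def build_soa(controls: List[Control], risks: List[Risk]) -> Dict[str, dict]:
    """SoA rows: status, justification for inclusion/exclusion, implementation status."""
    driven_by: Dict[str, List[str]] = {}
    for r in risks:
        for cid in r.controls:
            driven_by.setdefault(cid, []).append(r.risk_id)
    soa = {}
    for c in controls:
        reasons = [f"risk {rid}" for rid in driven_by.get(c.control_id, [])]
        if c.external_requirement:
            reasons.append(c.external_requirement)
        soa[c.control_id] = {
            "title": c.title,
            "applied": c.applied,
            "justification": "; ".join(reasons) if c.applied else c.exclusion_reason,
            "implementation_status": c.status,
            "evidence": list(c.evidence),
        }
    return soa


def golden_thread_gaps(risks: List[Risk], soa: Dict[str, dict]) -> List[str]:
    """Walks Threat -> Decision -> Control in SoA -> Proof of Operation."""
    gaps = []
    for r in risks:
        for cid in r.controls:
            row = soa.get(cid)
            if row is None:
                gaps.append(f"{r.risk_id} -> {cid}: control missing from SoA")
            elif not row["applied"]:
                gaps.append(f"{r.risk_id} -> {cid}: control marked not applied in SoA")
            elif row["implementation_status"] == "implemented" and not row["evidence"]:
                gaps.append(f"{r.risk_id} -> {cid}: implemented but no proof of operation")
    for cid, row in soa.items():
        if not row["justification"]:
            kind = "applied" if row["applied"] else "excluded"
            gaps.append(f"{cid}: {kind} without justification")
    return gaps


# Constructed sample register and control set (identifiers and evidence are illustrative).
SAMPLE_RISKS = [
    Risk("R-12", "Ransomware attack paralyzing shipments for 48h", "COO", 4, 5, "modify",
         ["A.8.7", "A.8.13"]),
    Risk("R-07", "Weak passwords on the warehouse Wi-Fi", "IT Manager", 3, 2, "accept"),
    Risk("R-21", "Fire in the server room", "Facilities", 2, 5, "transfer"),
]
SAMPLE_CONTROLS = [
    Control("A.8.7", "Protection against malware", True, "implemented",
            evidence=["EDR console report 2024-Q4"]),
    Control("A.8.13", "Information backup", True, "implemented"),  # no evidence yet
    Control("A.5.34", "Privacy and protection of PII", True, "implemented",
            evidence=["DPIA register"], external_requirement="GDPR Art. 32"),
    Control("A.7.8", "Equipment siting and protection", False, "n/a",
            exclusion_reason="No on-premise equipment; fully cloud-hosted"),
]

if __name__ == "__main__":
    for p in validate_register(SAMPLE_RISKS) + golden_thread_gaps(
            SAMPLE_RISKS, build_soa(SAMPLE_CONTROLS, SAMPLE_RISKS)):
        print("GAP:", p)
```

Run as-is, the only finding is the backup control that is marked implemented but has no evidence attached, which is exactly the kind of break in the thread a Stage 2 auditor asking "show me" would surface.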
Chapter 4: Implementation – Schedule and Stages
4.1. Schedule (Estimates for Poland)
- Micro/Small companies: 3-6 months.
- Medium companies: 8-12 months.
- Large enterprises: 12-18 months.
4.2. Project Phases
- Initiation and Gap Analysis: Initial ("zero") audit (cost for SMEs: 5,000-7,500 PLN).
- System Design: Development of policies and scope.
- Risk Management: Workshops, Risk Register, SoA.
- Implementation of Safeguards: IT purchases, physical changes, training, penetration tests.
- Internal Audit: Verification before certification and Management Review.
Chapter 5: Economics of Certification (Poland 2024-2025)
5.1. Implementation Costs
- Consulting (Traditional):
  - Micro/Small company: 7,000 - 14,000 PLN net.
  - Medium company: 14,000 - 28,000 PLN net.
- GRC Tools (Vanta, Drata): Subscription 3,000 - 10,000 USD annually.
- Additional costs: Penetration tests (2,000 - 8,000 PLN), training.
5.2. Certification Costs (External Audit)
Estimated costs for a 3-year cycle in Poland:
| Organization Size | Certification Audit (Stage 1+2) | Annual Surveillance Audit | Total 3-Year Cycle Cost |
| :--- | :--- | :--- | :--- |
| Micro/Small (<50 emp.) | 8,000 - 15,000 PLN | 3,500 - 5,000 PLN | 15,000 - 25,000 PLN |
| Medium (50-250 emp.) | 15,000 - 30,000 PLN | 5,000 - 9,000 PLN | 25,000 - 48,000 PLN |
| Large (>250 emp.) | 30,000 - 150,000 PLN | Individual valuation | Individual valuation |
Chapter 6: Certification Audit Process
6.1. Stage 1: Documentation Review
Verification of readiness (Scope, SoA, Policies). Result: Report with potential "Areas of Concern". Critical deficiencies block passage to Stage 2.
6.2. Stage 2: Main Audit
Operational verification ("Show me"). Observation of processes, interviews with employees, checking logs and evidence.
6.3. Non-conformities
- Major: Systemic failure (e.g., lack of training, lack of board involvement). Blocks certification.
- Minor: Single lapse. Requires a corrective action plan.
Most common errors in Poland: Lack of management involvement, poor supervision of suppliers, clean desk policy violations, untested business continuity plans.
Chapter 7: Market of Certifying Bodies
Choosing an accredited body (e.g., PCA in Poland) is key for the recognition of the certificate. Leading entities:
- PCBC, PRS, UDT-CERT (Polish).
- TÜV Rheinland/SÜD, DNV, BSI Group (International).
Chapter 8: Legal Context – GDPR, KRI, NIS2
8.1. GDPR (RODO)
ISO 27001 is recognized as a "best practice" fulfilling the requirements of Art. 32 GDPR. Holding a certificate helps demonstrate due diligence before the UODO (Personal Data Protection Office) and mitigate penalties.
8.2. National Interoperability Framework (KRI)
For public entities, § 20 KRI recognizes a system based on ISO 27001 as meeting legal requirements. A periodic internal audit based on ISO standards is required.
8.3. NIS2 and DORA
New EU regulations strictly link cybersecurity with ISO standards. Certification facilitates demonstrating compliance.
Chapter 9: System Maintenance
- Surveillance Audits: Annual check of 30-50% of the system.
- Recertification: After 3 years, a full audit (cost approx. 60-70% of the initial audit).
Summary and Recommendations
- Business Approach: ISO is a risk management tool, not just IT.
- Board Involvement: Key to success and avoiding "dead documentation".
- Adaptation to Scale: SMEs should focus on simplicity and automation.
- Integration: Combine implementation with GDPR and KRI for cost optimization.
- Continuity: Security is built daily; the certificate is just an "exam".
For companies planning expansion or cooperation with the public sector, ISO 27001 is becoming a "must-have" requirement.
About the Author
SecurHub.pl Team
The SecurHub.pl team of experts specializing in cybersecurity and data protection.