LOGBOOK

HELP

Quiz Entry - updated: 2026.03.01

What is ISO 27003 and how much effort does ISMS implementation typically require?

ISO 27003 provides guidance for developing an ISMS implementation plan according to ISO 27001 — it contains recommendations, not requirements.

Key facts:

  • Provides step-by-step guidance for implementing an ISMS
  • Contains only recommendations (no hard requirements)
  • Cannot be certified against

Typical implementation effort for a mid-sized company (~250 employees):

  • Duration: 12-18 months
  • Cost: Several hundred thousand Swiss Francs

Why so expensive? Building an ISMS requires: risk assessments, policy creation, process documentation, staff training, technical controls implementation, internal audits, and management reviews. It's an organization-wide transformation, not just an IT project.

Tip: The high cost is one reason why Scope limitation matters — certifying only a critical department or infrastructure can make ISMS implementation feasible for smaller organizations.

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Mar 01, 2026