Quiz Entry - updated: 2026.03.01
What is ISO 27003 and how much effort does ISMS implementation typically require?
ISO 27003 provides guidance for developing an ISMS implementation plan according to ISO 27001 — it contains recommendations, not requirements.
Key facts:
- Provides step-by-step guidance for implementing an ISMS
- Contains only recommendations (no hard requirements)
- Cannot be certified against
Typical implementation effort for a mid-sized company (~250 employees):
- Duration: 12-18 months
- Cost: Several hundred thousand Swiss Francs
Why so expensive? Building an ISMS requires: risk assessments, policy creation, process documentation, staff training, technical controls implementation, internal audits, and management reviews. It's an organization-wide transformation, not just an IT project.
Tip: The high cost is one reason why Scope limitation matters — certifying only a critical department or infrastructure can make ISMS implementation feasible for smaller organizations.