I have just published a tool developed by Ed Hodgson, Marty Carter and me to
help people estimate how long their ISO/IEC 27001 ISMS implementation projects
will take.
The tool is an Excel spreadsheet (DOWNLOAD). As with the remainder of the ISO27k Toolkit, it is free to
use and is covered by a Creative Commons license. I will roll it into the
Toolkit when the Toolkit is next updated.
The estimated project timescale depends on how you score
your organization against a set of criteria - things such as the extent to which
management supports the ISMS project, and its strategic fit. The scoring process uses a percentage scale
with textual descriptions at four points on the scale, similar to those Krag and I
described in PRAGMATIC Security Metrics. The criteria are weighted, since some are way
more important than others. The scores
you enter either increase or decrease the estimated timescale from a default
value, using a model coded into the spreadsheets.
Ed enhanced my original model with a more sophisticated
method of calculation: Ed's version substantially extends the timescale if you
score low against any criterion, emphasizing the adverse impact of issues such
as limited management support and strategic fit. I have left both
versions of the model in the file so you can try them both and compare them to
see which works best for you … and of course you can play with the models, the
criteria and the weightings as well as the scores. I suspect that Ed’s version is more accurate
than mine, but maybe both are way off-base. Perhaps we have neglected
some factor that you found critical?
Perhaps the weightings or the default timescale are wrong? If you have successfully completed ISMS implementation
projects, please take a look at the criteria and the models, and maybe push
your numbers through to see how accurate the estimations would have been.
Feedback comments are very welcome – improvement suggestions especially –
preferably on the ISO27k Forum for the benefit of the whole community, otherwise
directly to me if you’re shy.
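To make the mechanics described above concrete, here is a small Python sketch of a weighted-criteria timescale estimator. It is an added illustration written for this post, not the formulas from the spreadsheet: the criteria, their weights, the default timescale, the size of the adjustment and the low-score threshold are all constructed assumptions, and the "penalised" variant only mimics the idea of Ed's version (stretching the estimate when any criterion scores low) rather than reproducing his calculation.

```python
"""Illustrative ISMS timescale estimator (constructed example, not the ISO27k spreadsheet)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float  # relative importance; constructed values, not the tool's weightings


# Constructed criteria and weights. The real tool defines its own set.
CRITERIA = (
    Criterion("management support", 3.0),
    Criterion("strategic fit", 2.0),
    Criterion("scope size", 2.0),
    Criterion("existing controls maturity", 1.0),
)

DEFAULT_MONTHS = 12.0        # assumed default timescale
SWING = 0.5                  # assumed: a 0% / 100% weighted score moves the estimate by +/-50%
LOW_SCORE_THRESHOLD = 30.0   # assumed: scores below this count as "low" in the penalised model


def weighted_score(scores: dict[str, float]) -> float:
    """Weighted mean (0-100) of the percentage scores entered against each criterion."""
    total_weight = sum(c.weight for c in CRITERIA)
    for c in CRITERIA:
        if not 0.0 <= scores[c.name] <= 100.0:
            raise ValueError(f"score for {c.name!r} must be between 0 and 100")
    return sum(c.weight * scores[c.name] for c in CRITERIA) / total_weight


def linear_estimate(scores: dict[str, float]) -> float:
    """Baseline model: the weighted score moves the estimate linearly either side of
    the default. 50% gives the default; 100% shortens it by SWING; 0% lengthens it by SWING."""
    ws = weighted_score(scores)
    return DEFAULT_MONTHS * (1.0 + SWING * (50.0 - ws) / 50.0)


def penalised_estimate(scores: dict[str, float]) -> float:
    """Variant in the spirit of the enhanced model: on top of the linear adjustment,
    every criterion scored below the threshold stretches the estimate further,
    in proportion to how far below the threshold it is and to its weight."""
    estimate = linear_estimate(scores)
    total_weight = sum(c.weight for c in CRITERIA)
    for c in CRITERIA:
        s = scores[c.name]
        if s < LOW_SCORE_THRESHOLD:
            shortfall = (LOW_SCORE_THRESHOLD - s) / LOW_SCORE_THRESHOLD  # 0 (at threshold) .. 1 (at 0%)
            estimate *= 1.0 + shortfall * (c.weight / total_weight)
    return estimate


def compare(scores: dict[str, float]) -> dict[str, float]:
    """Return both models' estimates so the two can be compared side by side."""
    return {"linear": linear_estimate(scores), "penalised": penalised_estimate(scores)}


if __name__ == "__main__":
    # Constructed scenario: weak management support, everything else fairly good.
    weak_support = {
        "management support": 10.0,
        "strategic fit": 70.0,
        "scope size": 70.0,
        "existing controls maturity": 70.0,
    }
    for model, months in compare(weak_support).items():
        print(f"{model:>9}: {months:.1f} months")
```

With the constructed weights the linear model barely moves off the default for that scenario (the high scores elsewhere mask the weak management support), while the penalised model stretches it noticeably; that difference is the behaviour the post attributes to the enhanced version, and swapping in your own criteria, weights and thresholds is the point of the exercise.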
I’m afraid we haven’t yet managed to figure out how to
estimate the resourcing (man-days) needed for the implementation project, as we
originally planned. A couple of approaches have been suggested (such as
breaking down the requirements in ISO/IEC 27001 to identify the activities and
competences/skills needed) but it will take more effort to turn the suggestions
into a practical tool. If you are inspired to have a go at developing a
suitable tool, please make a start and I can set up another collaborative
project on Google Docs to continue the development. Further general
suggestions are fine but we really need something more concrete to sink our
teeth into – a draft or skeleton resourcing estimator would be good. How would you go about it?
Regards,