Expert Advice Community


Process approach in ISO 27001:2013

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


ISO 27001:2013 is said to no longer use the process approach. Based on that, does it mean that the ISMS is to apply to the whole organization, or can I continue implementing an ISMS for a specific company process, as long as I define (as one always should) the scope where I will deploy it?

DejanK Jan 12, 2016

Answer: The ISO 27001 2013 revision is still based on the process approach, even though it is not emphasized in the standard itself. However, the process approach should not be mixed up with the ISMS scope - the process approach means that, in order to increase security, you have to implement security activities in your IT and business processes.

Setting the scope in the new ISO 27001:2013 is the same as in the 2005 revision - you can set the ISMS scope for your whole organization, or for only a part of it - this could be one department, one location, or one process - however, I wouldn't recommend setting the scope for only one process because this is extremely difficult to achieve.

Guest post Jan 12, 2016

As long as a standard demands the establishment and maintenance of a system of interrelated processes, their implementation, their control based on measurable results, and continual improvement, it is based on the process approach, in my opinion. Also, the process approach should prove to be an enabler to achieve business objectives, including customer satisfaction/delight.
