Search results

Implementing ISO 27001 in a greenfield

1 - What are the key considerations when implementing an ISMF such as the ISO 27001 in a greenfield site – i.e. an organization where there are nothing in terms of security policy or practice. Would we go through the normal workflow of implementing ISO 27001 or are there deviations?

ISO 27001 was designed to be implemented in organizations of any size and industry, so the general steps are the same, including a greenfield site. In fact, in some cases, the absence of previous security policies or practices is good because it does not bring undesired behavior and minimizes resistance to change.

Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

• defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
• development of risk assessment and treatment methodology;
• perform a risk assessment and define the risk treatment plan;
• controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
• people training and awareness;
• controls operation;
• performance monitoring and measurement;
• perform an internal audit;
• perform management critical review; and
• address nonconformities, corrective actions, and opportunities for improvement.

To see how documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This article will provide you a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

2 - Can you suggest any additional resources I could use for greenfield implementation?

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course at this link: https://advisera.com/training/iso-27001-foundations-course/ 

Role of Top Management

Top management has an invaluable role in communicating internally the importance of the environmental management system (EMS), in promoting and in financing the EMS. ISO 14001:2015, clause 5.1, gives some help in answering to your question:

• Top management is responsible for issuing and keeping updated a strategic orientation for the EMS, translating those priorities into a set of environmental objectives
• Top management is responsible for providing resources for the EMS, has a unique role in communicating the importance of the EMS not just by words but by its agenda, by the time used in analyzing performance and asking for improvement.

Please check the following information:

• What are the responsibilities of top management in the EMS according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/01/18/what-are-the-responsibilities-of-top-management-in-the-ems-according-to-iso-140012015/
• To what extent should top management be involved in your EMS after the implementation? - https://advisera.com/14001academy/blog/2016/10/03/to-what-extent-should-top-management-be-involved-in-your-ems-after-the-implementation/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

GDPR Logo

No, GDPR doesn't have a conformity mark as CE.

You can consider enrolling in this free online training:

• EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//

• Question about data protection points in a contract

  Of course, it depends on the clause that is drafted in your service agreement. Service providers can be considered processors, if the service requires to process personal data on behalf of the controller (i.e., a marketing agency who process personal data of clients of brands they represent) in that case the content of the clause is often determined by the provisions of Article 28 GDPR.

  As any clause in contracts can be of course negotiated and you can also propose your own clause where you guarantee to your clients your compliance to GDPR (it can bring an added value to your service).

  Here you can find more information:

  • Article 28 GDPR https://advisera.com/eugdpracademy/gdpr/processor/
  • EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • EU GDPR document template: Processor GDPR Compliance Questionnaire https://advisera.com/eugdpracademy/documentation/processor-gdpr-compliance-questionnaire/
  • EU GDPR document template: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Administrative fines for lack of compliance with GDPR

  Yes, the company will be sanctioned for non-compliance. 

  Article 83 and 84 GDPR refer to administrative fines up to 10 000 000 Euro or 20 000 000 or to the 2% or 4% of the annual turnover of the preceding financial year, whichever is higher. Therefore, depending on the infringement, administrative fines will be calculated. In the case of negative turnover, the consequences on the company may vary from State to State depending on the internal procedural law. A sanction issued by the Supervisory Authority is considered as debt that may lead to bankruptcy.

  Here you can find more information:

  • The obligations of controllers towards Data Protection Authorities according to GDPR https://advisera.com/eugdpracademy/blog/2017/12/11/the-obligations-of-controllers-towards-data-protection-authorities-according-to-gdpr/
  • Which fines does GDPR designate for companies? https://advisera.com/eugdpracademy/knowledgebase/which-fines-does-gdpr-designate-for-companies/
  • Understanding the Lead Supervisory Authority concept in GDPR https://advisera.com/eugdpracademy/knowledgebase/understanding-the-lead-supervisory-authority-concept-in-gdpr/

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//