27001 certification process
In any case, I think the answer is probably somewhere in between, and it's maybe a shared ownership. We're attempting to draw clear boundaries though in terms of who does what, and I was wondering if you've ever seen a RACI chart of the various activities that are involved in certification. This would help us to create clear areas of responsibility, but in the end I still believe that security should ultimately "own" this as it's an information security standard.
Answer: Your assumption about shared responsibilities is right. ISO 9001 and ISO 27001 share a lot of clauses that can be managed both by the security team and by the quality team, and this is clearer now with the new structure of ISO management standards. I personally never saw a RACI chart in the way you are asking, but the person ultimately responsible for the ISMS/ISO 27001 project is typically someone responsible for security, generally the CISO (Chief Information Security Officer). Regarding other responsibilities, by following the new structure of ISO management standards, you could consider this:
4. Context of the organization - since in this case the context refers to issues that can prevent the ISMS from achieving its desired outcomes, the security team should be accountable for the deliverables related to it (e.g., the ISMS scope).
5. Leadership - The security team should be accountable for the elaboration of the information security policy and the definition of security responsibilities, as well as for ensuring top management commitment to information security. The quality team should be accountable for the integration of security processes into other organizational processes.
6. Planning - This section refers to information risk management, and the security team should be accountable for the deliverables related to this section.
7. Support - The quality team should be accountable for almost all of this section (e.g., provision of resources and competences), the exception being communications, because this is related to what, when, to whom, and by whom information security issues should be communicated.
8. Operation - The security team, and those defined in the procedures, should be held accountable for the day-to-day security activities.
9. Performance evaluation - These processes could be integrated into the processes already managed by the quality team, so this team could be held accountable.
10. Improvement - These processes could also be integrated into the processes already managed by the quality team, so this team could be held accountable.
In short, common processes and deliverables already implemented for ISO 9001, like internal audit, control of documents and records, and management review, could be assigned to the quality team, and those specifically related to information security could be assigned to the security team. It is important to note, however, that for the processes managed by the quality team, the security team becomes an interested party that should be listened to.
These articles will provide you with further explanation about integrated management systems:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
These materials will also help you regarding responsibilities in the ISO 27001 certification process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 18, 2017