Certifying non-IT organization

Guest user Created:   May 23, 2017 Last commented:   May 23, 2017


If I want to implement ISO 27001 in a non-IT organization, where most of the requirements are considered not applicable, is that possible? Can they get the certification if they justify the non-applicability of the requirements?

Expert
Dejan Kosutic May 23, 2017

Answer: Yes, you can certify a company if you justify the exclusion of certain controls - this is done through a process of risk assessment, see this article for explanation: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

By the way, the fact that your company is not an IT organization does not mean you will exclude all IT controls - most companies today need to include controls like backup, antivirus, access control, etc. This article will help you with the controls: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/

These materials will also help you learn the basics of ISO 27001 and how to implement it:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
