My question concerns a small company that sells an IT solution to big industrial companies. Some of the prospects are beginning to ask about Information Security Policies and Procedures, but the company needs to avoid an overkill project while at the same time making its big customers feel that their investment is safe. The project has to address the fact that the customers need to protect their investment in the projects we sell. I am at a loss as to what to do...
Considering the scenario you presented, we can point out two main concerns of your customers: the protection of their information that is under your responsibility (e.g., company data, project requirements, etc.), and that your IT project solutions are capable of protecting their information in their operational environment.
With these concerns, you may consider three options:
- if your company has fewer than 50 employees, the best approach would be to implement an ISMS in the whole organization, since the effort to implement and manage an ISMS for only a part of such a small organization wouldn't pay off.
- if your company has 250 to 500 employees, you should consider defining your project scope to implement an ISMS to protect the process you use to develop your IT solution (you cannot certify a product or service, only the processes, locations and information related to them).
- if your organization has between 50 and 250 employees, then you should evaluate your context to see which approach would be best for you.