Expert Advice Community

Defining the implementation approach

Guest user Created:   Oct 03, 2019 Last commented:   Oct 03, 2019

We are an advertising company with many entities of our own (we call them agencies). Some of them reside in the head office, where we provide shared services to them (IT, HR, Finance), and some reside in their own buildings but still use our shared services.
Usually, our clients send us a questionnaire before signing a contract to verify how we process, store and remove their data upon their request. This process has become overwhelming for us, and management has decided to implement ISO 27001 for the company, as it addresses all our clients' concerns as well as providing extra assurance for our own information security.
Our initial thought is to get certified for the head office and only include our shared services in the scope, with the other businesses applying for their own certificates later by appointing us as their supplier with SLAs in place; however, this may not be a good approach, as some of our businesses residing in other buildings have more urgency to get certified.
If we apply for the head office, we are talking about 1300 employees and xyz sites in xyz cities, while nationwide we have 2000 employees and xyz sites. Speaking of sites, there is another concern for us: our backup replicates our data every night to our offices in other cities, so I assume that even if we define the scope as the head office, our data still being at other sites will not address clients' concerns.
It would be great to have your input on the following questions:
• What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?
• Is the initial defined scope practical in your expert opinion?
• Are your templates and services applicable to our company, given that they are designed for small and medium-sized companies?


Expert
Rhand Leal Oct 03, 2019

1 - What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?

Answer: The most common approaches to implement ISO 27001 are:

  • Use your own staff to implement the ISMS
  • Use a consultant to perform most of the effort to implement the ISMS
  • Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:

These materials will also help you regarding ISO 27001 implementation:

2 - Is the initially defined scope practical in your expert opinion?

Answer: Separate scopes certified at different times are a good approach when you have limited resources and some business units, besides the head office, are more critical than others (you can certify them in the order most relevant to the business).

It is important to note that you do not need to certify the other business units after the head office (if ISO 27001 certification is more urgent for some business units, you can start with them).

For further information regarding scope definition, see:

3 - Are your templates and services applicable to our company, given that they are designed for small and medium-sized companies?

Answer: It is true that our templates are designed for companies of up to 500 employees. Therefore, for organizations with more than 500 employees, the templates will require you to add more text to some of the documents (e.g. the Risk Assessment Methodology) to address the higher complexity of a company of your size. We do have a couple of larger clients who have adapted the templates successfully.
