SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Guest

Defining the implementation approach

  Quote
Guest
Guest user Created:   Oct 03, 2019 Last commented:   Oct 03, 2019

Defining the implementation approach

We are an advertising company with many own entities (we call them agency). Some of them reside in the head office where we provide shared services to them (IT, HR, Finance) and some reside in their own buildings but still use our shared services.
Usually, our clients send us a questionnaire before signing a contract to ensure how we process, store and remove their data upon their request. This process has become overwhelming for us and the management has decided to implement ISO 27001 for the company as it addresses all our clients concerns as well as an extra assurance for our own information security.
Our initial thought is to get certified for the head office and only include our shared services in the scope and other businesses apply for their own certificate later by appointing us as their supplier and SLAs in place, however it may not be a good approach as some of our businesses residing in other buildings have more urgency to get certified.
If we apply for the head office, we are talking about 1300 employees and xyz sites in xyz cities, while nationwide we have 2000 employees and xyz sites. Speaking of sites, there's another concern for us as our backup every night replicates our data to other cities offices, so I assume even if we define the scope for the head office still our data is in other sites will not address clients’ concerns.
It would be great to have your input on the following questions:
• What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?
• Is the initial defined scope practical in your expert opinion?
• Are your templates and services applicable to our company as it's designed for small and medium corporate?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 03, 2019

1 - What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?

 Answer: The most common approaches to implement ISO 27001 are:

  • Use your own staff to implement the ISMS
  • Use a consultant to perform most of the effort to implement the ISMS
  • Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages. For more information, I suggest you the following materials:

These materials will also help you regarding ISO 27001 implementation:

2 - Is the initially defined scope practical in your expert opinion?

Answer: Separated scopes certified at different times is a good approach when you have limited resources and some business units, besides the head office, are more critical than others (you can certify them in the order more relevant to the business).

It is important to note that you do not need to certify other business units after the head office (if ISO 27001 certification is more urgent for business units you can start with them).

For further information regarding scope definition, see:

3 - Are your templates and services applicable to our company as it's designed for small and medium corporate?

Answer: It is true that our templates are designed for companies of up to 500 employees. Therefore, for organizations with more than 500 employees the templates will require you to add more text into some of the documents (e.g. into the Risk Assessment Methodology) to address higher complexity of the company of your size. We do have couple of larger clients who adapted the templates successfully.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 02, 2019

Oct 02, 2019

Suggested Topics