Design compliance plan for internal use
Assign topic to the user
I am stuck in the middle of planning.
1. How do I start auditing all the areas in one go?
2. Should I prepare assessments for all areas separately?
3. How should I prepare monthly audit progress reports?
Answer: A compliance plan and an audit plan are not the same thing - with a compliance plan you implement the framework (i.e. ISO 27001), while during the audit you check whether all the processes are working correctly.
Here are a couple of articles that will help you:
ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
ISO 27001 project How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
Thanks for your response.
I want to achieve compliance for one of our clients, and we have not been given any expectations for it.
I am following ISO 27001 as a framework and have designed appropriate controls. However, the controls are not fully implemented. I have two options:
1. Define standards for the areas, have them implemented first, and then do an internal audit of those areas.
The challenge here is that the relevant teams are not taking this seriously.
2. Start the audit of the areas and highlight the gaps as findings so that they get fixed. Because the report is published at management level, it would be enforced from the top.
Your suggestions on this would be appreciated.
Kumar, it is neither option 1 nor 2.
You should start with assessing the risks, because the whole idea of ISO 27001 is centered on risk assessment - once you perform the risk assessment you will know exactly which kind of information security standards/policies/procedures you will need to implement. See this article for details: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
To get the support of your management you need to apply the techniques in this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
To see all the detailed steps in the implementation see this article: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Jan 12, 2016