Expert Advice Community

Guest

Implement ISO 27001 in a small business

  Quote
Guest
Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

Implement ISO 27001 in a small business

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
AntonioS Jan 13, 2016

I'm working through the process with the help of a consultant, and we have some general questions about applying 27K to a small hosting business like mine. I run a small hosting business focusing on email and also offering web hosting and similar services.
1) How should we apply the standard to a small business with limited checks and balances? In my case, there are currently just three of us with access to the systems. As the business owner I have access to basically everything (servers running the services, as well as billing records), and I have one other administrator with admin access to most of the servers, and a support person with more limited admin access. In particular for my access, it's hard to define limitations to access or .
2) How should we describe our use of 27K in our marketing, if we adopt the structure and complete the documentation but don't go through a formal 3rd party certification audit?
 

Answers:

1) In your case I think that you need to decrease the number of documents to a minimum, so you only need to d evelop the mandatory documents. Here you can see the list of mandatory documents “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ Remember that you can also exclude controls, for example the A.6.1.2 Segregation of duties (conflicting duties and areas of responsibilities shall be segregated).
2) If you implement ISO 27001 without the certification, you will need to demonstrate to your customers that your ISMS is implemented in accordance with ISO 27001 requirements, and it is not easy. So from my point of view, if you want ISO 27001 for marketing purposes, you need the certificate. Maybe this article can be interesting for you “Should your company go for the ISO 27001 / ISO 22301 certification?” : https://advisera.com/27001academy/iso-27001-certification/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 13, 2016

Jan 13, 2016

Suggested Topics

Guest user Created:   Dec 05, 2020 ISO 27001 & 22301
Replies: 1
0 0

Risk analysis

Guest user Created:   Jun 02, 2018 ISO 27001 & 22301
Replies: 1
0 0

Control of documents