Expert Advice Community

Implementation options

Guest user   Created: Mar 26, 2018   Last commented: Mar 26, 2018

1 - We are a micro business (one employee/director) dealing with large volumes of sensitive personal data in the cloud. Our cloud infrastructure in AWS provides immutable audit trails and automated security alerts etc., i.e. we are as automated as we possibly can be - we use documented CloudFormation to manage all our infrastructure and audit policies. We are keen to establish ISO 27001 certification. Is it possible to do this without a division of responsibility in the business?
Expert: Rhand Leal   Mar 26, 2018

Answer: ISO 27001 requires the establishment of responsibilities relevant to information security, but organizations are free to divide them, or not, according to their needs and perceived risks. So, it is possible to implement ISO 27001 without a division of responsibility in the business, provided that the identified unacceptable risks related to not dividing responsibilities are properly treated.

These articles will provide you with further explanation about responsibilities in ISO 27001:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

These materials will also help you regarding responsibilities in ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2 - What route to certification do you recommend? How can you help?
Answer: Regarding ISO 27001 implementation, you have three options:
- Implementing with your own employees
- Hiring a consultant
- Implementing by yourself with external support

Each of them has its advantages and disadvantages, related to time, resources and knowledge. For more information, I suggest the following materials:
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
- Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

Advisera specializes in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers and webinars, to help you with your implementation project. Please see these materials for more information:
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
