Hope you are doing well.
This is ***, one of the participants in yesterday's webinar - ISO 27001/ISO 22301: The certification process. At this point I would like to express my great thanks and appreciation to you, because without your free ISO 27001 courses and free webinars I wouldn't be in my company's ISO 27001 project team right now.
The reason I'm writing to you now is that I'd like to hear your input on a discussion I had just 2 days ago during our ISO 27001 implementation meeting here in the company where I work. Based on the defined ISMS scope, for now we primarily need to prepare only the IT Department for ISO 27001 certification. (Afterwards we shall continue with other departments; currently the urgent need is IT, of which I'm also a member as a system/network/security engineer.)
The project team consists of 6 people. Yesterday during the discussion, all other 5 members were insisting that there is no need to cover any section from ISO 27001 – Annex A.7: Human Resource Security, while I, on the other hand, was trying to convince them that yes, we definitely need to cover this control, not only because it is part of Annex A but because it is directly related to IT areas as well.
It was impossible to convince them; they still insist that the ISMS scope and the certification goal is IT, not HR. And now I'm wondering, are they indeed right and I'm wrong? I'm really confused, and for sure I do not want to make a bad impression right from the very beginning.
Your insights are valuable, and your assistance/guidance, as always, is greatly meaningful to me, dear Dejan.
Please note that the decision about including or excluding controls needs to be based on the results of risk assessment and applicable legal requirements, and it seems neither of you took these into consideration.
So, our recommendation for your team is to see first which risks and legal requirements are relevant to your scope, and based on them identify which controls are applicable.