ISO 27001 for medium-sized companies
Isn't ISO 27001 a bit oversized for medium-sized companies with a company size of approx. 270 employees? Especially if you are not in system-critical industries?
Please note that ISO 27001 was designed to be applicable to organizations of any size and industry. In short, clauses 4 to 10 (the ones that are mandatory) require:
- Definition of the ISMS scope considering relevant internal and external issues and expected results
- Definition of roles and responsibilities regarding information security
- Identification and treatment of relevant risks
- Provision of resources
- Proper operation of controls, and recording of evidence
- Performance review
- Treatment of non-conformities and continual improvement
As you will note, these activities should be performed by organizations of any size looking for excellence.
Regarding documents, ISO 27001 requires few documents in clauses 4 to 10, and most of the controls from Annex A do not require documentation such as policies or procedures (although for implemented controls you have to produce records, such as logs, reports, etc.).
What normally varies is that, according to the organization's willingness to take risks, the number of applicable controls will be greater or smaller than that of other similar organizations, and this will affect the provision of resources.
Most of our clients are companies smaller than 200 employees, and they do not have much trouble implementing this standard.
These articles will provide you with further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Oct 13, 2020