I’m currently undertaking an ISO 27001:2013 project which is in the planning stage. I spoke to my boss about how I was going to implement this, stage by stage, e.g. get project buy-in and how to start scoping the ISMS, etc.
It was mentioned, however, that he just wanted me to go straight in and start writing out the policies. My questions are as follows, which hopefully you can give me some guidance on:
1 - Firstly, is this even possible or the right way? I’ve gone through a few trainings and webcasts you’ve provided, and I was under the impression that you had to complete this stage by stage, rather than jumping straight into the policies.
Answer: It is possible to start writing out the policies, but it is not the right way, and not recommended, because the chances are that the policies will not cover all the aspects where you need to protect information, conflicting rules will impair process performance, and you will have a lot of rework to do to correct things (and this rework will certainly take more time than following the implementation step by step).
2 - Is it even possible to write the policies without any real scope, apart from wanting to implement these in the IT dept? Again, I was under the impression that this wasn’t supposed to be just an IT project.
I did try and explain about the different steps involved but I wanted to get your guidance on what I have mentioned above.
Answer: Without a stated scope you will have to consider at least that the whole organization is covered by the ISMS, and depending on the size of the organization and your real needs for security, the difference may mean a lot of unnecessary effort spent writing policies involving people and business units that will not use them, again resulting in losses that can be prevented by following the implementation step by step.
Regarding designating IT as responsible for information security, you should try to argue that information can exist outside information systems (e.g., in paper reports, on whiteboards, in people talking), and in these situations IT will not have the resources or authority to protect information, so the best course of action is to designate information security responsibilities considering where the information can be (e.g., HR can be responsible for information security related to how employees handle information).