ISO 27001 implementation
It was mentioned, however, that he just wanted me to go straight in and start writing out the policies. My questions are as follows, which hopefully you can give me some guidance on:
1 - Firstly, is this even possible or the right way? I’ve gone through a few trainings and webcasts you’ve provided, and I was under the impression that you had to complete this stage by stage, rather than jumping straight into the policies.
Answer: It is possible to start by writing out the policies, but it is not the right way, and not recommended, because the chances are that the policies will not cover all the aspects where you need to protect information, conflicting rules will impair process performance, and you will have a lot of rework to do to correct things (and this rework will certainly take more time than following the implementation step by step).
2 - Is it even possible to write the policies without any real scope, apart from wanting to implement these into the IT dept? Again, I was under the impression that this wasn’t supposed to be just an IT project.
I did try and explain about the different steps involved but I wanted to get your guidance on what I have mentioned above.
Answer: Without a stated scope you will have to consider, at least, that the whole organization is covered by the ISMS, and depending on the size of the organization and your real needs for security, the difference may mean a lot of unnecessary effort spent writing policies involving people and business units that will not use them, again resulting in losses that can be prevented by following the implementation step by step.
Regarding designating IT as responsible for information security, you should try to argue that information can exist outside information systems (e.g., in paper reports, on whiteboards, in people talking), and in these situations IT will not have the resources or authority to protect information, so the best course of action is to designate information security responsibilities considering where the information can be (e.g., HR can be responsible for information security related to how employees handle information).
These articles will provide you further explanation about implementing ISO 27001:
- The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding implementing ISO 27001 (you may present them to your boss):
- Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
- ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
Feb 07, 2018