ISO 27001 implementation project
1. Would it be a good idea to start with a narrow scope and then extend it with time? (The top management is only interested in certification)
Answer: Depending on the size of the organization (up to 50 employees), it may be better to include the whole organization in the scope, because the effort to separate the elements of the scope from the other elements of the organization may not be worthwhile. In other cases you can start with a small scope and extend it over time, if this is of interest to the top management.
These articles can provide further information:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
2. How would I split the tasks among my team? For example, should I ask one person to perform the risk assessment and then another person to perform the risk treatment? Or should these tasks be shared among the team?
Answer: This will also depend on the size of the organization's scope, and the size of the implementation team.
A common approach is to establish a project team which will divide the project among themselves, but you have to note that there will still be some tasks for people outside of this team - e.g. performing a risk assessment for particular departments, reviewing specific documents, etc.
This article will provide you with further explanation about defining responsibilities in the implementation project:
- RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
Jun 28, 2019