Management support and approval for an ISMS
So, I want to ask which approach you suggest. Or am I misunderstanding the idea?
Answer: The key words here are "support" (referred to in the Secure & Simple book) and "approval" (referred to in ISO 27003).
When we speak about 'obtaining management support' we mean selling an idea to convince management that doing something, in this case implementing ISO 27001, is a good thing. It is more focused on presenting benefits to attract attention and get an opportunity to present something more detailed.
On the other hand, when we speak about 'obtaining management approval' we mean a more formal and structured presentation, explaining the details of how ISO 27001 can be implemented, in order to obtain authorization to allocate resources and start the implementation work.
So, my recommendation to you is to first get the attention of your top management on how ISO 27001 can benefit your organization and obtain their support, and after that to work on the details of how to implement ISO 27001, in order to get their authorization to start the work.
This article will provide you further explanation about management support for an ISMS:
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
This material will also help you regarding management support for an ISMS:
- ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Hello,
Your answer has been really helpful. By following the steps in Kosutic's book, I just successfully presented the benefits of the ISMS and convinced senior management. I just want to ask what 'Get formal approval for the project' means in the 'Appendix G Project checklist...' section of the book; I mean, is there a document/template for this approval?
Thanks in advance.
A formal approval means any documented form used by the organization to record the decision to support the project and to communicate this decision throughout the organization. This may be a memo template generally used by the organization, or the project charter in cases where an organization makes use of project management practices. I suggest you take a look at our free Project proposal for ISO 27001 / ISO 22301 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword
This document contains sections where you can include all the initial relevant information of the project and record the support decision of your management.
Thank you again for your help. I want to ask another question (which I also posted on the community page yesterday). I'm trying to prepare the interested parties list and the "List of regulatory, contractual and other requirements" prior to defining the scope. It is easy for me to list some interested party requirements when the interested party needs something, such as customers (i.e. they need you to protect their information) or government agencies (i.e. they want you to comply with the laws and regulations), etc. But I don't know how to list the requirement when an interested party impacts the organization's information security, for example an employee working in a public place and connecting to the organization's network remotely, or supporting company personnel connecting to the organization's wireless network, or an untrained employee clicking on a link in a phishing mail, etc.
Hi, an answer to this question was posted under the title "Compliance List"
Jul 07, 2017