Optimising ISMS management effort
Assign topic to the user
Answer: Considering the number of documents you could advise him to review the need for them considering:
- standard mandatory requirements (I'm assuming his ISMS is ISO 27001 certified, if not please disregard this)
- contracts, statutory and other legal requirements
- results of risk assessments
- organization own decisions to adopt them (generally this are the main cause of too much documentation)
If a document is not supported by neither of these reasons, your client can consider to exclude it from his ISMS. The documentation review could also consider reducing the number of documents by merging related information into fewer documents (e.g., backup and log guidelines could be merged into IT operational procedures).
As for the question of too heavy information security policies and procedures, you could advise him to define high l evel guidelines to be followed by all organizational units and let them define implementation details according their local requirements (the "plan globally, implement locally" approach). This way there are much more chance the security effort will be compatible to the risks they face.
These articles will provide you further explanation about optimising ISMS management:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
These materials will also help you regarding ISMS management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Dec 28, 2016