Project Plan

1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

Please note that ISO 27017 and ISO 27018 are supporting standards for the implementation of ISO 27001, providing specific guidance and controls for cloud services and privacy in the cloud.

Considering that, the main elements which refer to controls implementation in the project plan are the "Statement of Applicability" and the "Risk Treatment Plan", which are included as deliverables in the Project Plan, section 3.2 (Project results). At this point in the project there is no need (or possibility) to foresee specific controls to be implemented (this definition is made after the risk assessment and risk treatment process).

What you can do to emphasize that your project considers both ISO 27017 and ISO 27018 is to include them as reference documents in section 2.

For further information see:

• ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
• ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

Business continuity is not necessary to be implemented if you want to be certified only against ISO 27001, so you can delete from the Project Plan elements related to ISO 22301.

What happens with the Project Plan template is that it was designed to be used to implement both standards, and can be customized to fulfill customer's needs. In the comments included in the template you can find which text must be excluded or adjusted if you are going to implement only ISO 27001.

3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

Training as a deliverable is defined in section 3.2 (Project results) in the form of the "Training and Awareness Plan", which defines how employees will be trained to execute planned tasks, and how they will be made aware of the importance of information security.

Training for the project team can be defined in section 3.5 (Main project risks) as a treatment in case you have a risk related to untrained personnel in the project team.

For further information, see:

• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

4. Should there not be a section on the test audit date as well?

Please note that there is no "test audit" concept in ISO 27001. What you need to perform is a full internal audit on all mandatory requirements and in all applicable controls, and the definition of audit dates will be covered when filling in the "Procedure for Internal Audit" and its support Annex "Annual Internal Audit Program".

For further information, see:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials can also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

5. It seems like the Project Plan is just about completing the documents and nothing else.

First is important to note that this is a common misunderstanding.

Please note that at this stage of the project, without the definition of the ISMS scope and policy, and the definition of the controls to be implemented, there are not many things to do than completing the documents, but once you have the Statement of Applicability and the Risk Treatment Plan you will have a greater level of detail on what needs to be implemented in terms of processes and technologies.

To have a detailed idea of activities involved in the implementation, I suggest you take a look at this free downloadable material: Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

This checklist can help you keep track of all steps during the ISO 27001 implementation project, starting with obtaining management support all the way through to certification audit.