Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Project Plan

  Quote
Guest
Guest user Created:   May 21, 2020 Last commented:   May 21, 2020

Project Plan

I have drafted my Project Plan.  I have a couple of questions:

1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

4. Should there not be a section on the test audit date as well?

5. It seems like the Project Plan is just about completing the documents and nothing else.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 21, 2020

1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

Please note that ISO 27017 and ISO 27018 are supporting standards for the implementation of ISO 27001, providing specific guidance and controls for cloud services and privacy in the cloud.

Considering that, the main elements which refer to controls implementation in the project plan are the "Statement of Applicability" and the "Risk Treatment Plan", which are included as deliverables in the Project Plan, section 3.2 (Project results). At this point in the project there is no need (or possibility) to foresee specific controls to be implemented (this definition is made after the risk assessment and risk treatment process).

What you can do to emphasize that your project considers both ISO 27017 and ISO 27018 is to include them as reference documents in section 2.

For further information see:

2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

Business continuity is not necessary to be implemented if you want to be certified only against ISO 27001, so you can delete from the Project Plan elements related to ISO 22301.

What happens with the Project Plan template is that it was designed to be used to implement both standards, and can be customized to fulfill customer's needs. In the comments included in the template you can find which text must be excluded or adjusted if you are going to implement only ISO 27001.

3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

Training as a deliverable is defined in section 3.2 (Project results) in the form of the "Training and Awareness Plan", which defines how employees will be trained to execute planned tasks, and how they will be made aware of the importance of information security.

Training for the project team can be defined in section 3.5 (Main project risks) as a treatment in case you have a risk related to untrained personnel in the project team.

For further information, see:

4. Should there not be a section on the test audit date as well?

Please note that there is no "test audit" concept in ISO 27001. What you need to perform is a full internal audit on all mandatory requirements and in all applicable controls, and the definition of audit dates will be covered when filling in the "Procedure for Internal Audit" and its support Annex "Annual Internal Audit Program".

For further information, see:

These materials can also help you regarding internal audit:

5. It seems like the Project Plan is just about completing the documents and nothing else.

First is important to note that this is a common misunderstanding.

Please note that at this stage of the project, without the definition of the ISMS scope and policy, and the definition of the controls to be implemented, there are not many things to do than completing the documents, but once you have the Statement of Applicability and the Risk Treatment Plan you will have a greater level of detail on what needs to be implemented in terms of processes and technologies.

To have a detailed idea of activities involved in the implementation, I suggest you take a look at this free downloadable material: Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

This checklist can help you keep track of all steps during the ISO 27001 implementation project, starting with obtaining management support all the way through to certification audit.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 21, 2020

May 21, 2020