
Expert Advice Community

Recovering an ISMS project

Guest user, created May 10, 2018; last commented May 10, 2018

I follow your book on ISO 27001, "Secur & simple ...". It is really practical and useful. Thank you for your good advice.

Expert: Rhand Leal, May 10, 2018

My company was certified ISO 27001. But because of a bad implementation of my predecessors (previous InfoSec team): an ISMS not in line with IT teams and other business departments. Top management has stopped the certification process. Now, I'm struggling to put InfoSec in a good position in the organization and I need to relaunch security awareness from scratch. I hope that one day I will be able to push again for an ISO 27001 certification.

I should write a post about it. Because definitely a bad ISO 27001 certification project, totally outsourced, with the sole objective of obtaining a marketing advantage, can be a real waste and be really counterproductive for infosec teams.

If you have any ideas for restarting an ISMS project from this kind of situation, I will be grateful.

Answer: To restart an ISMS project after such problems you should focus on solving problems the affected areas are currently undergoing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines, etc.), by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).

It may seem odd to start like this, but the point is to try to regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that should you try to demonstrate that in the long run the gains can only be maintained with the help of the other elements of the management system (e.g., internal audit, management review).

These articles will provide you with further explanation about ISO 27001 benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
