Setup of Governance, Risk and Security department
I have been tasked to set up the IT Governance, Risk and Security department from zero and was wondering what approach to take to make it easy to adopt as well as practical, and allow me to introduce policies and guidelines to mitigate risks as I go along.
Broadly speaking, setting up a new department in an organization is very similar to implementing a management system, and you should consider:
- the identification of a clear reason why you need this new department (e.g., it will fulfill a business need, it will give a market advantage, it will comply with legal requirements, etc.).
- the definition of objectives, goals, and targets
- the performing of risk assessment, to identify relevant risks related to the achievement of objectives, goals, targets.
- the definition of an action plan, considering the activities the department must perform (e.g., risk management, audit, controls implementation, employees training, etc.), which competencies you need (i.e., job descriptions), how many people will be required, and what its internal organization will be (i.e., hierarchy). At this point, you will define which policies, guidelines, and controls to implement to mitigate risks to the achievement of objectives, goals, and targets.
- the identification of requirements related to space, equipment, and facilities.
- how to fill job vacancies (e.g., internal placement, or external hiring)
- the definition of a specific budget
- top management approval of the proposed department
For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001
- ISO 27001 control objectives – Why are they important?
The concepts in these articles, although applied to ISO 27001, can be used to set up a new department from zero.
Sep 30, 2020