
Expert Advice Community

Guest

Team in charge of implementation and maintenance of the ISMS

Guest user. Created: May 18, 2023. Last commented: May 18, 2023

We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".

We also want these team members to be able to approve requests, for example those in "09.01_IT_Security_Policy_27001_EN" for installing software or running Java, to name just a few.

We don't want only one person to approve this, whether it is the IT manager or the CTO.

We are a 50-user *** company.

It does not make sense to me that the executive team should be the one in charge of the above, since in our case it is a small team of mostly non-technical users.

We thought of creating a 3-person team (maybe called "IT Team", or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meets weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.

Do you think that is a good idea?

Is it in line with the standard?

If so, is it best described in "05_Information_Security_Policy_27001_EN"?


Expert
Rhand Leal May 18, 2023

From your question it is not clear whether you are asking about responsibilities for approving policies and procedures, or for responsibilities that are specified in information security documents.

1) Responsibilities for approving policies and procedures:

In smaller companies, one person usually approves documents, while there are usually 2 or 3 persons who review the documents before they are sent for approval.

2) Responsibilities specified in information security documents:

In the top-level Information Security Policy you should define:

  • one person in charge of coordinating the ISMS
  • one sponsor from the top management team

For detailed policies like Backup Policy or Access Control Policy, different people will have different responsibilities - e.g., the person in charge of doing the backup might be a different person from the one in charge of approving access.

The standard allows collective decision-making; however, having a 3-person committee that decides about everything is impractical.

For further information, see:
