
ISO-27001

  • #1 Clareman (Moderators, Regional Midwest Moderators; Posts: 22,758)


    I'm looking into the process of getting a company certified in this, and there seems to be a lot to it, but toolkits seem to be the way to go. Does anyone have any experience in this, and would you recommend a toolkit? It doesn't matter if there is a cost to the toolkit.


Comments



  • Hi

    A toolkit can give you a leg up in terms of your documentation. However, no toolkit can do the grunt work that's needed.

    We did our ISO 27001 five years or so ago without a toolkit. However, we did have a consultant come in once a week for a few months to guide us through the process.

    I bought a toolkit a few months ago to give me a head-start in documentation for GDPR. However, it only really acts as a guide for the real work that we have to do. I'm mostly creating my own documentation, but I'm basing it on parts of the toolkit.

    In short, toolkits have their place but there isn't any real shortcut to ISO 27001 certification.







  • liamo wrote: »
    Hi

    A toolkit can give you a leg up in terms of your documentation. However, no toolkit can do the grunt work that's needed.

    We did our ISO 27001 five years or so ago without a toolkit. However, we did have a consultant come in once a week for a few months to guide us through the process.

    I bought a toolkit a few months ago to give me a head-start in documentation for GDPR. However, it only really acts as a guide for the real work that we have to do. I'm mostly creating my own documentation, but I'm basing it on parts of the toolkit.

    In short, toolkits have their place but there isn't any real shortcut to ISO 27001 certification.

    I'm looking to do the same for 27001 as you are doing for GDPR. Ideally I'd like to get baseline documentation to delegate to people to complete, as well as a checklist for everything we need to do. Once that's in, I'll get a consultant in to do a gap analysis and then hopefully go for certification.




  • Clareman,
    At a very high level you need to do the following:


    Step 1. Get management support (get an email sent to all staff from the CEO or similar explaining why this is important to the organisation).

    Step 2. Define the scope of the ISMS, what's in and what's out (this needs to take into consideration what your org does), so you will need to include your critical business information. Keep in mind it's not IT security, it's information security (the information is the important thing).

    Step 3. Use the scope to define a critical assets inventory.

    Step 4. Risk assessment on these assets and the business functions.

    At this stage you know what's in scope, what assets are critical to this, and what risks you have. Document all of this process.

    Now you can decide on a checklist of controls (SOA) based on the risks you have, and implementation plans in order to comply with your selected controls. Everything should be looked at in terms of risk to the organisation's information.

    You may be already doing this, but I have seen many people skip the steps, then get a consultant in and have to start all over again, because they missed a step and everything after is not right.


    Toolkits are helpful, but only if you know where you're going first.

    All that being said, ISO 27001 is very achievable and is a very good way to manage and monitor information security.

    Good Luck




  • To answer the question: yes, you will find it on the IT Governance website. Get a copy of the standard. Attend an implementation training course. If money is no problem, get a consultant. If you are the consultant, do training ASAP.




  • I would include all information assets, not just physical assets. The location of data (file server, SharePoint etc), IP, and how critical each is, with the type of data (code, PII, PHI, general documents, etc).

