
ISO-27001

  • 13-12-2017 4:26pm
    #1
    Moderators, Sports Moderators, Regional Midwest Moderators Posts: 23,923 Mod ✭✭✭✭


    I'm looking into the process of getting a company certified in this, and there seems to be a lot to it, but toolkits seem to be the way to go. Does anyone have any experience in this, and would you recommend a toolkit? It doesn't matter if there is a cost to the toolkit.


Comments

  • Registered Users Posts: 1,193 ✭✭✭liamo


    Hi

    A toolkit can give you a leg up in terms of your documentation. However, no toolkit can do the grunt work that's needed.

    We did our ISO 27001 five years or so ago without a toolkit. However, we did have a consultant come in once a week for a few months to guide us through the process.

    I bought a toolkit a few months ago to give me a head-start in documentation for GDPR. However, it only really acts as a guide for the real work that we have to do. I'm mostly creating my own documentation, but I'm basing it on parts of the toolkit.

    In short, toolkits have their place but there isn't any real shortcut to ISO 27001 certification.



    Clareman wrote: »
    I'm looking into the process of getting a company certified in this, and there seems to be a lot to it, but toolkits seem to be the way to go. Does anyone have any experience in this, and would you recommend a toolkit? It doesn't matter if there is a cost to the toolkit.


  • Moderators, Sports Moderators, Regional Midwest Moderators Posts: 23,923 Mod ✭✭✭✭Clareman


    liamo wrote: »
    Hi

    A toolkit can give you a leg up in terms of your documentation. However, no toolkit can do the grunt work that's needed.

    We did our ISO 27001 five years or so ago without a toolkit. However, we did have a consultant come in once a week for a few months to guide us through the process.

    I bought a toolkit a few months ago to give me a head-start in documentation for GDPR. However, it only really acts as a guide for the real work that we have to do. I'm mostly creating my own documentation, but I'm basing it on parts of the toolkit.

    In short, toolkits have their place but there isn't any real shortcut to ISO 27001 certification.

    I'm looking to do the same for 27001 as you are doing for GDPR. Ideally I'd like to get baseline documentation to delegate to people to complete, as well as a checklist for everything we need to do. Once that's in, I'll get a consultant in to do a gap analysis and then hopefully go for certification.


  • Registered Users Posts: 565 ✭✭✭Joe Exotic


    Clareman,
    At a very high level you need to do the following:

    Step 1. Get management support (get an email sent to all staff from the CEO or similar explaining why this is important to the organisation).

    Step 2. Define the scope of the ISMS, what's in and what's out (this needs to take into consideration what your org does), so you will need to include your critical business information. Keep in mind it's not IT security, it's information security (the information is the important thing).

    Step 3. Use the scope to define a critical assets inventory.

    Step 4. Risk assessment on these assets and the business functions.

    At this stage you know what's in scope, what assets are critical to this, and what risks you have. Document all of this process.

    Now you can decide on a checklist of controls (SoA) based on the risks you have, and implementation plans in order to comply with your selected controls. Everything should be looked at in terms of risk to the organisation's information.

    You may be already doing this, but I have seen many people skip the steps, then get a consultant in and have to start all over again, because they missed a step and everything after is not right.

    Toolkits are helpful, but only if you know where you're going first.

    All that being said, ISO 27001 is very achievable and is a very good way to manage and monitor information security.

    Good luck


  • Registered Users Posts: 2,201 ✭✭✭jamesbondings


    To answer the question: yes, you will find it on the IT Governance website. Get a copy of the standard. Attend an implementation training course. If money is no problem, get a consultant. If you are the consultant, do training ASAP.


  • Registered Users Posts: 407 ✭✭Tec Diver


    I would include all information assets, not just physical assets: the location of data (file server, SharePoint, etc.), IP, and how critical each is, along with the type of data (code, PII, PHI, general documents, etc.).

