This is a very basic ISO27001 PPT that I prepared in 2013.
ISO 27001 Implementation Approach
ISO 27001 Agenda
ISO 27001 Overview
ISO 27001 Standards - Wikipedia
High Level Structure of ISMS based on ISO 27001
ISO 27001 - Certification Audit Cycle: Internal audits are mandatory before you plan for certification. Having a strong internal audit team in-house helps a lot; however, if manpower cost is a concern, onboard a good consultant and run through at least two internal audit cycles before you go for the external audit.
External Audit: Choose a certification body. Having worked with Bureau Veritas and experienced a few others during my consulting assignments, I can rate Bureau Veritas and BSI as good certification bodies.
ISO 27001 Implementation Methodology
ISMS, or any other ISO standard implementation, follows the PDCA model, sometimes also called the Deming Cycle. Understanding PDCA really helps to inculcate strong practices for making the ISO implementation successful. Some good links for understanding the PDCA approach are: 1. Mindtools site.
ISMS Implementation Approach
ISO Certification Plan: The certification cycle consists of 3 stages:
Stage 1 Audit: Validates the ISO mandatory documents, organization readiness, management commitment and the overall approach adopted. Gaps identified are highlighted and need to be
Stage 2 Audit: Focuses on control checking, process maturity, management commitment and compliance aspects of the organization. Once the Stage 2 audit is cleared, the organization gets ISO certification, which is valid for 3 years.
Continued Conformance / Annual Assessments: Certification bodies conduct annual surveillance audits for the next two years. Most of the audit process remains the same, except that during surveillance audits not all departments or functions are audited: auditors pick the critical functions that are part of the scope and a few of the secondary or supporting functions. They also check any pending closures against non-conformities raised in previous audits. After the two surveillance audits comes the recertification audit, which is similar to a Stage 2 audit.
ISO Core Team: This team generally oversees the critical areas that are part of the ISO certification scope.
The security committee is generally responsible for ensuring budgets and training support, and for ensuring timely internal audits and the other compliance activities mandatory to continue ISMS certification. Management-level employees are generally part of this committee.
Risk Assessment is a critical requirement of ISO 27001. The organization is expected to develop a risk assessment and risk management process to ensure risks are identified, evaluated, assessed and managed according to the 4T's: Treated, Tolerated, Transferred or Terminated.
Risks can only be identified against assets, so asset identification is the first step. Assets can be physical assets such as a UPS or a server, or non-physical assets such as employees, intellectual property or software code.
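As an added illustration (not part of the original slides), the following Python risk register applies the two rules above: a risk can only be raised against an asset that has already been identified, and every risk needs one of the 4T's as its treatment decision. The 5x5 likelihood x impact scale, the risk-appetite threshold and all sample assets and risks are constructed assumptions for the example, not values from the slides.

```python
"""Minimal ISO 27001-style risk register: identify assets first, raise risks
against those assets, then record a 4T treatment decision for every risk.

Constructed example. The 5x5 likelihood x impact scale and the risk-appetite
threshold are assumptions (common practice), not values from the original slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FOUR_T = {"Treated", "Tolerated", "Transferred", "Terminated"}


@dataclass
class Asset:
    asset_id: str
    name: str
    kind: str          # "physical" (UPS, server) or "non-physical" (people, IP, code)
    owner: str


@dataclass
class Risk:
    risk_id: str
    asset_id: str      # must reference an identified asset
    threat: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)   -- assumed scale
    impact: int        # 1 (negligible) .. 5 (severe)     -- assumed scale
    treatment: Optional[str] = None   # one of FOUR_T once decided

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self, risk_appetite: int = 6) -> None:
        self.risk_appetite = risk_appetite   # scores <= appetite may be Tolerated (assumed)
        self.assets: Dict[str, Asset] = {}
        self.risks: Dict[str, Risk] = {}

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

    def add_risk(self, risk: Risk) -> None:
        # Asset identification comes first: reject a risk with no identified asset.
        if risk.asset_id not in self.assets:
            raise ValueError(f"{risk.risk_id}: unknown asset {risk.asset_id}")
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError(f"{risk.risk_id}: likelihood/impact must be 1..5")
        if risk.treatment is not None and risk.treatment not in FOUR_T:
            raise ValueError(f"{risk.risk_id}: treatment must be one of {sorted(FOUR_T)}")
        self.risks[risk.risk_id] = risk

    def audit_findings(self) -> List[str]:
        """Findings an internal audit of the register would raise, by risk id."""
        findings = []
        for r in sorted(self.risks.values(), key=lambda r: r.risk_id):
            if r.treatment is None:
                findings.append(f"{r.risk_id}: no treatment decision recorded")
            elif r.treatment == "Tolerated" and r.score > self.risk_appetite:
                findings.append(f"{r.risk_id}: tolerated but score {r.score} "
                                f"exceeds appetite {self.risk_appetite}")
        return findings

    def by_priority(self) -> List[Risk]:
        """Risks ordered highest score first (ties broken by id)."""
        return sorted(self.risks.values(), key=lambda r: (-r.score, r.risk_id))


def build_sample_register() -> RiskRegister:
    """Constructed sample data for the demonstration."""
    reg = RiskRegister(risk_appetite=6)
    reg.add_asset(Asset("A1", "Data-centre UPS", "physical", "Facilities"))
    reg.add_asset(Asset("A2", "Customer database server", "physical", "IT Ops"))
    reg.add_asset(Asset("A3", "Payment application source code", "non-physical", "Engineering"))
    reg.add_risk(Risk("R1", "A1", "Battery failure during power outage", 2, 4, "Transferred"))
    reg.add_risk(Risk("R2", "A2", "Unpatched service exposed to the internet", 4, 5, "Treated"))
    reg.add_risk(Risk("R3", "A3", "Source code leak via personal repositories", 3, 4))  # undecided
    reg.add_risk(Risk("R4", "A2", "Backup tape mislabelled", 2, 2, "Tolerated"))
    reg.add_risk(Risk("R5", "A3", "Legacy module no one maintains", 3, 3, "Tolerated"))  # 9 > appetite
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.by_priority():
        asset = reg.assets[r.asset_id].name
        print(f"{r.risk_id} score={r.score:2d} {r.treatment or 'UNDECIDED':<11} {asset}: {r.threat}")
    for finding in reg.audit_findings():
        print("FINDING:", finding)
```

Running the script lists the register highest-score first and then the two findings an internal auditor would raise against this sample: R3 has no treatment decision, and R5 is tolerated even though its score exceeds the stated appetite. Both are exactly the kind of gap the internal audit cycles described earlier are meant to catch before the Stage 2 audit.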
This is the list of mandatory ISO 27001 documents and records.
You can freely use the PPT. If you need the PDF, I would be happy to share it. You can send me a DM over my Twitter handle #ISOGeek.