7 Key Problems to Avoid in ISO 27001 Implementation
What are 7 key problems that we should avoid when implementing ISO 27001? What are the most common causes for these problems? How can we reduce or avoid these problems without reducing the quality of the implementation? Main points covered: • Learn what the most common causes of the ISO 27001 project failures are • See what the steps to overcome these problems are • Learn how to speed up your implementation without reducing the quality of the implementation Our presenter for this webinar was Mr. Dejan Kosutic who is the main ISO 27001 expert Advisera. He has extensive working experience both as a tutor and as a consultant – he is an Approved Tutor for ISMS Lead Auditor courses and delivers various ISO 27001 in-person courses throughout Europe as well as online courses via webinars. In his consulting career, he works with clients from the financial sector, government, and small and medium-sized business including IT companies. Link of the recorded session published on YouTube: https://youtu.be/QD6kWvD76p4
Recommended
More Related Content
What's hot
What's hot (20)
Similar to 7 Key Problems to Avoid in ISO 27001 Implementation
Similar to 7 Key Problems to Avoid in ISO 27001 Implementation (20)
More from PECB
More from PECB (20)
Recently uploaded
Recently uploaded (20)
7 Key Problems to Avoid in ISO 27001 Implementation
- 1. 1
- 2. 2 Which mistakes to avoid in ISO 27001 implementation If you’re starting your ISO 27001 implementation… … make sure you structure your project properly!
- 3. 3 Most ISO 27001 implementations fail because of the same problems
- 4. Agenda 4 1) Implementation steps are not following the logic of the standard 2) Writing too many documents 3) Writing unusable documents 4) Only one person is working on the project 5) Viewing ISO 27001 implementation as an IT project 6) Expecting that a tool will do most of the work 7) Top management does not understand why this is useful for the company
- 5. 1) Implementation steps are not following the standard 5 Examples of what to avoid: • Starting to implement controls without doing the risk assessment first • Doing the risk assessment before finding out the legal requirements • Defining the scope before finding out the context of the organization
- 6. 2) Writing too many documents 6 Examples of what to avoid: • Writing a document for each control – e.g. A.11.1.1 Physical security perimeter • Writing a document for clauses that are not mandatory – e.g. context of the organization • Inventing documents that you don’t really need
- 7. 3) Writing unusable documents 7 Examples of what to avoid: • Writing documents of more than 5 pages • Using technical language that is difficult to understand • Developing some new rules that are not doable in practice
- 8. 4) Only one person is working on a project 8 Examples of what to avoid – project manager is doing all the work him/herself: • Listing all the assets and assessing risks • Deciding which controls should be implemented • Deciding which risks are acceptable • Writing all the documents • Doing all the analysis • Doing the internal audit
- 9. 5) Viewing ISO 27001 implementation as an IT project 9 Examples of what to avoid: • Setting the IT person as the project manager • Setting the ISMS scope to IT department only • Including only IT personnel in the project team • Plan the project as part of the IT budget • CISO is subordinate to the Head of IT
- 10. 6) Expecting that a tool will do most of the work 10 Examples of what to avoid: • Presenting to your top management that investment in a software/tool will resolve the whole implementation • Purchasing some expensive and/or complex tool just for this purpose • Rely on checklists instead of reading your own documentation • Not understanding that implementing ISO 27001 is about changing people behavior
- 11. 7) Top management does not understand why this is useful 11 Examples of what to avoid: • Sending a detailed written proposal on 100 pages • Presenting the project in a 2-hour meeting • Using many words like “firewall” and “disaster recovery site” • Focusing on technical instead of business issues
- 12. Conclusions 12 ISO 27001 implementation will bring the biggest benefits if you make all these new rules a part of normal day- to-day operations
- 13. ISO 27001 Training Courses ISO/IEC 27001 Introduction 1 Day Course ISO/IEC 27001 Foundation 2 Days Course ISO/IEC 27001 Lead Implementer 5 Days Course ISO/IEC 27001 Lead Auditor 5 Days Course Exam and certification fees are included in the training price. https://www.pecb.com/iso-iec-27001-training-courses| www.pecb.com/events
- 14. THANK YOU ? +1 (646) 759 9933 dejan.kosutic@gmail.com www.advisera.com hr.linkedin.com/in/dejankosutic Dejan_Kosutic http://advisera.com/27001academy/webinars
Editor's Notes
- (EXAMPLE) Very often I see new consultants investing most of their time and money in various ISO certificates, but they have no idea on how to sell what they know.