What are 7 key problems that we should avoid when implementing ISO 27001? What are the most common causes for these problems? How can we reduce or avoid these problems without reducing the quality of the implementation?
Main points covered:
• Learn what the most common causes of the ISO 27001 project failures are
• See what the steps to overcome these problems are
• Learn how to speed up your implementation without reducing the quality of the implementation
Our presenter for this webinar was Mr. Dejan Kosutic, the main ISO 27001 expert at Advisera. He has extensive working experience both as a tutor and as a consultant – he is an Approved Tutor for ISMS Lead Auditor courses and delivers various ISO 27001 in-person courses throughout Europe as well as online courses via webinars. In his consulting career, he works with clients from the financial sector, government, and small and medium-sized businesses, including IT companies.
Link of the recorded session published on YouTube: https://youtu.be/QD6kWvD76p4
Which mistakes to avoid in ISO 27001 implementation
If you’re starting your ISO 27001 implementation… make sure you structure your project properly!
Agenda
1) Implementation steps are not following the logic of the standard
2) Writing too many documents
3) Writing unusable documents
4) Only one person is working on the project
5) Viewing ISO 27001 implementation as an IT project
6) Expecting that a tool will do most of the work
7) Top management does not understand why this is useful for the company
1) Implementation steps are not following the standard
Examples of what to avoid:
• Starting to implement controls without doing the risk assessment first
• Doing the risk assessment before finding out the legal requirements
• Defining the scope before finding out the context of the organization
2) Writing too many documents
Examples of what to avoid:
• Writing a document for each control – e.g. A.11.1.1 Physical security perimeter
• Writing a document for clauses that are not mandatory – e.g. context of the organization
• Inventing documents that you don’t really need
3) Writing unusable documents
Examples of what to avoid:
• Writing documents of more than 5 pages
• Using technical language that is difficult to understand
• Developing new rules that are not doable in practice
4) Only one person is working on the project
Examples of what to avoid – the project manager is doing all the work him/herself:
• Listing all the assets and assessing risks
• Deciding which controls should be implemented
• Deciding which risks are acceptable
• Writing all the documents
• Doing all the analysis
• Doing the internal audit
5) Viewing ISO 27001 implementation as an IT project
Examples of what to avoid:
• Setting the IT person as the project manager
• Setting the ISMS scope to the IT department only
• Including only IT personnel in the project team
• Planning the project as part of the IT budget
• Making the CISO subordinate to the Head of IT
6) Expecting that a tool will do most of the work
Examples of what to avoid:
• Presenting to your top management that an investment in a software tool will resolve the whole implementation
• Purchasing some expensive and/or complex tool just for this purpose
• Relying on checklists instead of reading your own documentation
• Not understanding that implementing ISO 27001 is about changing people’s behavior
7) Top management does not understand why this is useful
Examples of what to avoid:
• Sending a detailed written proposal of 100 pages
• Presenting the project in a 2-hour meeting
• Using many words like “firewall” and “disaster recovery site”
• Focusing on technical instead of business issues
ISO 27001 Training Courses
ISO/IEC 27001 Introduction – 1 Day Course
ISO/IEC 27001 Foundation – 2 Days Course
ISO/IEC 27001 Lead Implementer – 5 Days Course
ISO/IEC 27001 Lead Auditor – 5 Days Course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27001-training-courses | www.pecb.com/events