For those planning training sessions or candidates intending to take an online exam during this period, we will be offering online exam sessions on December 27 and 29, as well as January 5, 2024.
What is the most important step/factor that a company should consider while implementing ISO 27001?
Defining the scope of an ISMS is one of the most important, if not the most important, things that an organization needs to think about when they start implementing an ISMS. This is where the organization will be defining the boundary of the ISMS. This boundary could be on the physical side, could be for people, and could also be for information systems. Now when you scope right, we achieve three things. The most important thing we achieve is that we are able to align the ISMS towards achieving the strategy of the business. The second thing is that we are able to narrow our focus towards the most critical systems, towards the most critical information of an organization. The third thing is that we are better able to scope for people, so we get a good team: a team that is highly motivated, a team that is dedicated, a team that is skilled and knowledgeable towards implementing the ISMS successfully.
Is it important to engage a Certification Body in early stages of the process?
The decision to select a certification body is a very important decision. Many organizations usually leave this towards the end of the implementation of the ISMS. Now it is very important that an organization thinks about the decision to select a certification body in the planning phase of the ISMS. Now what are the things you consider when selecting a certification body? The first and the most important thing is accreditation. A certification body needs to be accredited towards the ISO standard that it is certifying you against. Now for example, PECB is accredited by ISO towards the certification of ISO 27001 for Management Systems. The second thing you need to consider is the flexibility of the certification body. You need to be sure that the certification body you are working with is not rigid, and that its systems are not set up in such a way that it would not be able to be flexible to meet any eventualities that you may come across. The third thing, of course, is cost: you need to be sure that all the costs that you encounter fall within your budget.
How can you involve staff members outside the IT department in the implementation?
The success of the ISMS depends on the people of the organization. Traditionally, in many organizations you will see that IT is the team that usually steers the implementation of the ISMS. Now this is usually a recipe for failure. In order to ensure that your ISMS is successful, you need to get a cross section of people from the organization, be that from HR, be that from Technical, be that from Legal, be that from Sales or Commercial; you need to be assured that you get a team that cuts across the organization. So how do you get them involved? Within everybody's working area, they come across information that is critical, information that needs to be maintained in terms of its confidentiality and in terms of its integrity, and they just are not aware of this. So it is important to pick this team and ensure that they are educated, ensure that they are made aware of their responsibilities towards ensuring the information security of the information which they come across in their working environment.
Author
Musa Wesutsa
Musa Wesutsa is an Information Security expert with years of experience in IT and Network Security and ISO 27001 implementations ranging from Manufacturing to Telecommunications and Mobile Money. Musa is a Certified PECB Trainer and trains mainly ISO 27001 Lead Implementer and Lead Auditor. He is currently the Managing Consultant at Sentinel Africa Consulting, a Risk Management Consultancy that offers implementation, audit, and training services to clients in various risk management disciplines across Africa.