Lwhite
Newcomer III

ISO 27001 Certification

Looking to get an ISO 27001 certification by end August 2019.  Is it possible to achieve with the primary focus on the product level?
Currently have few up-to-date policies and procedures.  Have contracted with a 3rd party to help with this effort.
Is this achievable in such a short time frame?  (Realize it depends on resources, scope)
If possible, is anyone aware of the breakdown of how many policies and procedures will be related to the Enterprise versus the product? (Say 35% Enterprise, 65% Product.)

Thanks in advance for any advice, recommendations.

5 Replies
emb021
Advocate I

My understanding is you can limit the scope of the ISO/IEC 27001 certification to just a portion of the company.

I think the expected documentation is still the same. I've seen lists from places focused on ISO/IEC 27001 of what the minimum required documentation is. Take a look at iso27001security.org for one.

Not sure about your timeline. While I haven't done it, I think I've heard people say it takes about 6 months. Hopefully, if you're engaged with someone to assist you in getting ready, they should have a good idea of what is required and how long it will take. Plus you should be lining up who will be doing the certification.

Others feel free to expand on or correct what I said here.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
rslade
Influencer II

> Lwhite (Newcomer I) posted a new topic in Member Support on 04-30-2019 12:42 PM

> Looking to get an ISO 27001 certification by end August 2019.  Is it possible to
> achieve with the primary focus on the product level?

ISO 27001 is not exactly criterion-based. Since it is primarily concerned with
ISMS (Information Security Management Systems), it should be possible to tune
the scope to concentrate on the product area.

> Currently have few
> up-to-date policies and procedures.  Have contracted with a 3rd party to help
> with this effort. Is this achievable in such a short time frame?

Ummm, starting with "few up-to-date policies and procedures" this might be a bit
ambitious ...

> (Realize it depends on resources, scope) If possible, is anyone aware of the
> breakdown of how many policies and procedures will be related to the Enterprise
> versus the product. (Say 35% Enterprise, 65% Product).

Without knowing the details (a *lot* of details) of your enterprise, this might be
difficult ...

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
Shannon
Community Champion

One of the organizations I was with implemented ISO 27001 in about 6-8 months --- this was only achieved by reducing the scope to specific departments. Even then, we didn't immediately earn the certification, but a deadline was provided for a later audit, by which time we met the requirements. (This had been taken on as a project, which included the ISO 27001 Foundations training for a few of us.)

To summarize, the duration depends on your scope. The 3rd party you've hired should be able to assess the organization's current stance and then provide a potential duration and requirements.

The policies and procedures may be a starting point, but must meet the minimal requirements of ISO 27001, for which they may have to be supplemented or tailored --- once again by the 3rd party.

In addition to what @emb021 recommended, also check the relevant sections of Adviseria and Cybrary for some basic info, and attempt to search for an ISMS manual online.

(The 3rd party you've contracted should be able to facilitate all this info.)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
ttsai
Viewer

Hi,

You can determine the boundary of your ISMS among information systems, physical locations (sites) and organizations (departments, services, etc.). You can start from a small scope and gradually extend the scope to be certified depending on your resources and other factors.

No matter how small the scope you choose, I believe you must meet the requirements of ALL ISO 27001 clauses (4 to 10). However, ISO 27001 Annex A controls (A.5 to A.18) can be optional depending on your scope. You must define your Statement of Applicability. If there are any controls in Annex A that you want to opt out of, you must provide justifications.

As for the mandatory documents and records for ISO 27001, you can Google something like "ISO 27001 policy list" for a reference. Please note that not all firms have the same policy names, but your policies shall support all ISO 27001 clauses (4 to 10) and Annex A controls.

I hope this helps. Good luck with your ISO certification.

Steve-Wilme
Advocate II

Generally you'll have about 14 - 20 policy-level documents in a typical ISMS. They may be underpinned by standards, baselines, guidance and procedures. The controls included in your policies will depend on your Statement of Applicability, which is written against Annex A of 27001.

To determine which controls really need to be applied, you need to assess whether there's a risk to the part of the business that you're trying to get certified. So, for example, if you don't develop your own software then large parts of section 14 won't apply, and similarly if all your servers are in the Cloud, many of the controls in sections 12 and 13 will be carried out in your supply chain rather than by you.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS