Looking to get an ISO 27001 certification by end August 2019. Is it possible to achieve with the primary focus on the product level?
Currently have few up-to-date policies and procedures. Have contracted with a 3rd party to help with this effort.
Is this achievable in such a short time frame? (Realize it depends on resources, scope)
If possible, is anyone aware of the breakdown of how many policies and procedures will be related to the Enterprise versus the product? (Say 35% Enterprise, 65% Product.)
Thanks in advance for any advice, recommendations.
My understanding is you can limit the scope of the ISO/IEC 27001 certification to just a portion of the company.
I think the expected documentation is still the same. I've seen lists from places focused on ISO/IEC 27001 of what are the minimum documentation required. Take a look at iso27001security.org for one.
Not sure about your timeline. While I haven't done it, I think I've heard people say it takes about 6 months. Hopefully, if you're engaged with someone to assist you in getting ready, they should have a good idea of what is required and how long it will take. Plus, you should be lining up who will be doing the certification.
Others feel free to expand on or correct what I said here.
One of the organizations I was with implemented ISO 27001 in about 6-8 months --- this was only achieved by reducing the scope to specific departments. Even then, we didn't immediately earn the certification, but a deadline was provided for a later audit, by which time we met the requirements. (This had been taken on as a project, which included the ISO 27001 Foundations training for a few of us)
To summarize, the duration depends on your scope. The 3rd party you've hired should be able to assess the organization's current stance and then provide a potential duration and requirements.
The policies and procedures may be a starting point, but must meet the minimal requirements of ISO 27001, for which they may have to be supplemented or tailored --- once again by the 3rd party.
(The 3rd party you've contracted should be able to facilitate all this info)
You can determine the boundary of your ISMS among Information Systems, physical locations (sites) and organizations (departments, services, etc.). You can start from a small scope and gradually extend the scope to be certified depending on your resources and other factors.
No matter how small the scope you choose, I believe you must meet the requirements of ALL ISO 27001 clauses (4 to 10). However, ISO 27001 Annex A controls (A.5 to A.18) can be optional depending on your scope. You must define your Statement of Applicability. If you want to opt out of any of the controls in Annex A, you must provide justifications.
As for the mandatory documents and records for ISO 27001, you can Google something like "ISO 27001 policy list" for a reference. Please note that not all firms have the same policy names. But your policies shall support all ISO 27001 clauses (4 to 10) and Annex A controls.
I hope this helps. Good luck with your ISO certification.
Generally you'll have about 14 - 20 policy-level documents in a typical ISMS. They may be underpinned by standards, baselines, guidance and procedures. The controls included in your policies will depend on your Statement of Applicability, which is written against Annex A of 27001.
To determine which controls really need to be applied, you need to assess whether there's a risk to the part of the business that you're trying to get certified. So, for example, if you don't develop your own software then large parts of section 14 won't apply, and similarly, if all your servers are in the Cloud, many of the controls in sections 12 and 13 will be carried out in your supply chain rather than by you.