March 18, 2010

ISO 27001 for small business and/or limited perimeter (Part 1 of 3)

Good evening folks,

I hope all of you are doing well. I am giving an ISO 27001 Lead Auditor certification training in my hometown this week, so I am writing to you from the beautiful city of Montreal, Canada.

First, I would like to start this post by sincerely thanking Cyril, one of the blog readers, for an interesting set of questions and comments. Here are his questions:

1- Is there documentation or feedback information on ISO 27001 ISMS implementation within smaller organizations (i.e. a business unit only or a department) publicly available?
2- Could the decision of certifying only a subset of an organization or a smaller perimeter cause more harm than good, or even project an image of irrelevancy for such an endeavour?
3- Are other frameworks more adapted to such a context?

Since each of those questions deserves my full attention and will require a potentially lengthy answer, I will answer each of them in a separate posting over the next few days.

Question 1: Is there feedback or a documentation source available on small business / limited perimeter ISO 27001 certification?

Let me first answer your question by saying that the reason I decided to start this blog is specifically the lack of a publicly available, non-commercial and community-oriented meeting place for people wanting to learn and share on the topic of ISO 27001. So I hope my blog will eventually fill that particular space.

With that said, there are a few discussion groups available, but I must unfortunately admit that they are low "traffic". Still, they might be interesting places to look at, as a lot of questions have been asked and answered over time. Here are some forums and web sites you might want to look into:

http://groups.google.com/group/iso27001security
http://tech.groups.yahoo.com/group/iso-27001/
http://www.17799.com/modules.php?name=Forums

Another place you should go if you have specific questions is LinkedIn. It is one of the best places to ask questions of a wide audience of potential experts. Although the quality of answers is variable, if you post your inquiries in the Information Security and Quality Management subsections, you will reach in "near realtime" tens of thousands of people who might have faced the same issue. Here are the links to the LinkedIn Q&A space:

LinkedIn Quality Management Q&A Section
LinkedIn Information Security Q&A Section

Finally, one thing you should do is go online, look at who got certified, review their certification scope and identify two or three companies that got certified in a similar context. Once you spot them, I suggest you do not hesitate to contact them to discuss the matter at heart. After all, this is a professional inquiry, and anybody with a normal level of professional courtesy will gladly answer your question. Here are some links you can look into to find certified companies you can contact:

http://www.iso27001certificates.com/
http://www.sgs.com/certified_clients
http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/

I hope this posting answers your question, and that you will find what you are looking for in the resources mentioned above.

Stay tuned for the next posting, and until then, have a great day!

PS: Readers are invited to leave comments!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

1 comment:

  1. Really great article and I think this is a very informative topic for small business. Thanks for sharing the article.