ISO 27001 & BS 25999 weblog

Archive for January, 2010

Main obstacles to the implementation of ISO 27001

By Dejan Kosutic on January 28, 2010

You have this great idea that ISO 27001 will help you achieve compliance, attract new customers, decrease the cost of incidents, and streamline your core IT processes? The idea is nice, but when it comes to implementation, things get complicated.

First you would have to convince your management (if you are not in top management yourself) that ISO 27001 is really needed in your company. Management is usually overloaded with other commitments and deadlines, and it is not likely that they would want to take on yet another project to worry about.

Even if management is eager to do something about information security, the second question arises – how to finance it? At first sight, it may seem that “this paperwork shouldn’t cost too much”, but soon you realise that you have to pay for the consultant, buy literature, train your employees, invest in software and equipment, pay for certification, etc.

But let’s say that by some miracle you find the money for it, and then the third question arises: who will actually do it? If you have a frank consultant, he or she will tell you that it is not enough for a consultant to provide you with templates of the documentation; you must try really hard to customize the documentation to your situation. But it doesn’t stop here – the consultant will also tell you that you actually have to do precisely what the documentation (and the standard) tell you to do. And it is a permanent obligation, not a one-time job.

So you go to your colleagues and ask them how you would divide the work of implementing and running ISO 27001, and suddenly they start talking about something else. Even worse, you might ask management to employ an Information Security Manager who, because such people are scarce on the market, doesn’t work for small sums.

So, you end up being appointed project manager for ISO 27001, with a small or almost non-existent budget, with a team that does not really want to bother with information security, and with management that wants the certificate as soon as possible once the project has started.

Are you still interested in ISO 27001?