Search in ISMS Guides


Tuesday, July 31, 2007

Key Strategies for Implementing ISO 27001 (2)


Select the Proper Scope of Implementation
Identifying the scope of implementation can save the organization thousands of dollars and time. In many instances, it is not necessary for an organization to adopt companywide implementation of a standard. The scope of compliance can be restricted to a specific division, business unit, type of service, or physical location. In addition, once successful compliance has been achieved for a limited, but relevant scope, it can be expanded to other divisions or locations.

Choosing the right scope is one of the most important factors throughout the compliance cycle, because it affects the feasibility and cost of the standard's implementation and the organization's return on investment. As a result, it is important for the selected scope to help achieve the identified business objectives. To do this, the organization may evaluate different scope options and rank them based on how well they fit with each objective.

Organizations also may want to sign memorandums of understanding (MOU) or service level agreements (SLAs) with vendors and partners to implement a form of indirect compliance to the standard. For example, a garment manufacturing company may have a contract with a software provider for application maintenance and upgrades. Therefore, the manufacturing company will not be responsible for the application’s system development life cycle compliance with the standard, as long as it has a relevant MOU or SLA signed with the software vendor.

Finally, the organization's overall scale of operations is an integral parameter needed to determine the compliance process' complexity level. To find out the appropriate scale of operations, organizations need to consider their number of employees, business processes, work locations, and products or services offered.

Key Strategies for Implementing ISO 27001 (1)
Key Strategies for Implementing ISO 27001 (2)
Key Strategies for Implementing ISO 27001 (3)
Key Strategies for Implementing ISO 27001 (4)

No comments: