Go Back   The Elsmar Cove Forum > ISO (International Organization for Standardization) Standards > ISO/IEC 27000 Series - Information Security Management Systems (ISMS)
How to deal with a non-compliant company after taking them over
Post Number #1
20th July 2011, 03:47 PM
shawofit

Please Help! How to deal with a non-compliant company after taking them over

I am looking for the correct steps to implement 27001 in a non-compliant company we have recently taken over. We are 27k compliant, but they are now part of us. The CTO has asked us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15-minute overview in PPT; yes, 15 minutes. Can anyone help, please?

Thanks

Paul

Post Number #2
21st July 2011, 08:28 AM
Stijloor

Can someone help Paul?

Thank you very much!!

Stijloor.
Post Number #3
21st July 2011, 08:46 PM
Marc

Another quick "Bump". My thanks in advance to anyone who can help with this one.

Post Number #4
21st July 2011, 10:14 PM
harry

Quote (in reply to shawofit):
    [...] The CTO has asked for us to explain our plan, risks and key parts. [...]

Gap Analysis!

It will reveal two important sets of information: where they are now, and what is deficient or needs to be done in order to reach a stage where they can be compliant, from which you can formulate your action plans.

Your presentation can be in this form:
1. Current status - 5 minutes
2. What needs to be done to attain compliant status - 10 minutes
Post Number #5
28th July 2011, 12:23 AM
john.b

I agree with Harry, you're at the gap analysis stage.

The obvious starting point is gaps related to the 27001 standard requirements, which of course relate to both the main standard body requirements (some a bit general) and the 133 control requirements. Those are more specific in one sense but still not completely clear about how you need to address them, and of course limited exemptions are possible when they don't apply.

You should also be clear early on about the degree to which you want to integrate the prior system with the new company's system: to use one system to cover both, to just share some common practices, control implementations, formal process implementation, etc. It would be early to look too closely at the final end-point, but some of the demand should already be clear. 27001 "compliant" versus "certified" is also a substantial difference relating to possible goals, so it matters which you are and which you plan for them to be.

If you have already implemented a complete, certified ISO 27001 system you already know all this, but these are some primary concerns:

- management system framework: common to most; document control, audit requirements, defining roles, etc.
- security controls: defines a lot of 27001; your statement of applicability will help map what will translate easily or not at all
- risk assessment: major part of 27k; of course 27005 is the reference standard for the security risk assessment, and there is overlap with other standard requirements
- formal policies, procedures, records, training, skills development, etc.: relates back to your past development and present goals


A good reference site for 27001 implementation that is worth a look is:

http://www.iso27001security.com/html...k_toolkit.html
Post Number #6
1st August 2011, 12:24 PM
Richard Regalado

Quote (in reply to shawofit):
    I am looking for the correct steps to implement 27001 into a non compliant company we have recently taken over. We are 27k compliant but they are now part of us. The CTO has asked for us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15 minute overview in ppt, yes 15 minutes can anyone help please?

    Thanks

    Paul

The CTO is asking for:

1. your plan in getting the other company to be compliant (see attached generic project plan)
2. risks of what? (risks of the other company or risks of your plan?)
3. key parts (see attached project plan)

15 minutes is a long time.

Let me know your responses to the questions above and I can point you to the right direction.

Cheers!
Post Number #7
2nd August 2011, 12:05 AM
john.b

I'll take the liberty of guessing ahead about what is meant by "risks" here. It seems to confuse two separate types of risk, although again that's a guess.

Whenever you implement anything in IT, part of the plan is to address risks: to assess them beforehand, use fall-back plans and whatever else you can to minimize them, and then get the residual risk accepted prior to moving on.

A separate meaning of risk is what a risk assessment assesses: a broad category of risks based on whatever type of assessment you are doing. For a general company assessment this might be business risks (related to changes in market, major events, staffing-related disruptions, etc.). For 27001 it's information security related, of course: viruses, confidentiality breaches, etc.

It sounds like you're being asked about risks in general because it's habitual to do so (related to the first context), but there shouldn't be many risks to implementing security measures, and during a gap assessment it's too early to be worried about that anyway. What I mean is that if you implement a new anti-virus application there could be some risks, but early on you need to first assess the need to do so, not worry about difficulties in doing so.

So you are back to the second kind of risk, and the question becomes what risks do the current gaps pose to your company or the company scope acquired. Banging out a comprehensive risk assessment is no small feat, as anyone with an active 27001 system already knows, so you could just do a "preliminary" gap assessment and a preliminary resolution project plan and let them know roughly where things stand, and 15 minutes is about right for that. Look at your own risk assessment and statement of applicability for inspiration, and for hints on presentation format.