  #1  
Old 20th July 2011, 02:47 PM
shawofit
Please Help! How to deal with non-compliant company after take over of them

I am looking for the correct steps to implement 27001 into a non-compliant company we have recently taken over. We are 27k compliant, but they are now part of us. The CTO has asked us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15-minute overview in ppt, yes 15 minutes. Can anyone help please?

Thanks

Paul

  #2  
Old 21st July 2011, 07:28 AM
Stijloor
Re: How to deal with non-compliant company after take over of them

Can someone help Paul?

Thank you very much!!

Stijloor.
  #3  
Old 21st July 2011, 07:46 PM
Marc
Re: How to deal with non-compliant company after take over of them

Another quick "Bump". My Thanks in advance to anyone who can help with this one.

  #4  
Old 21st July 2011, 09:14 PM
harry
Re: How to deal with non-compliant company after take over of them

Quote:
In Reply to Parent Post by shawofit View Post

.................. The CTO has asked for us to explain our plan, risks and key parts. ...............................
Gap Analysis!

It will reveal two important sets of information: where they are now, and what is deficient or needs to be done in order to reach a stage where they can be compliant, from which you can formulate your action plans.

Your presentation can be in this form:
1. Current status - 5 minutes
2. What needs to be done to attain compliant status - 10 minutes
  #5  
Old 27th July 2011, 11:23 PM
john.b
Re: How to deal with non-compliant company after take over of them

I agree with Harry, you're at the gap analysis stage.

The obvious starting point is gaps related to 27001 standard requirements, which of course relates to both the main standard body requirements (some a bit general) and the 133 control requirements. Those are more specific in one sense but still not completely clear about how you need to address them, and of course limited exemptions are possible when they don't apply.

You should also be clear early on to what degree you want to integrate the prior system with the new company's system: to use one system to cover both, to just share some common practices, control implementations, formal process implementation, etc. It would be early to look too closely at the final end-point, but some of the demand should already be clear. 27001 standard "compliant" versus "certified" is also a substantial difference relating to possible goals, so it matters which you are and which you plan for them to be.

If you have already implemented a complete, certified ISO 27001 system you already know all this, but these are some primary concerns:

-management system framework: common to most, document control, audit requirements, defining roles, etc.

-security controls: defines a lot of 27001; your statement of applicability will help map what will translate easily or not at all

-risk assessment: major part of 27k, of course 27005 is the reference standard for the security risk assessment, and there is overlap with other standard requirements

-formal policies, procedures, records, training, skills development, etc: relates back to your past development and present goals


A good reference site for 27001 implementation that is worth a look is:

http://www.iso27001security.com/html...k_toolkit.html
  #6  
Old 1st August 2011, 11:24 AM
Richard Regalado
Re: How to deal with non-compliant company after take over of them

Quote:
In Reply to Parent Post by shawofit View Post

I am looking for the correct steps to implement 27001 into a non-compliant company we have recently taken over. We are 27k compliant, but they are now part of us. The CTO has asked us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15-minute overview in ppt, yes 15 minutes. Can anyone help please?

Thanks

Paul
The CTO is asking for:

1. your plan in getting the other company to be compliant (see attached generic project plan)
2. risks of what? (risks of the other company or risks of your plan?)
3. key parts (see attached project plan)

15 minutes is a long time.

Let me know your responses to the questions above and I can point you to the right direction.

Cheers!
  #7  
Old 1st August 2011, 11:05 PM
john.b
Re: How to deal with non-compliant company after take over of them

I'll take the liberty of guessing ahead about what is meant by "risks" here. It seems to confuse two separate types of risks, although again that's a guess.

Whenever you implement anything in IT, part of the plan is to address risks: to assess them beforehand, use fall-back plans and whatever else you can to minimize them, and then get the residual risk accepted prior to moving on.

A separate meaning of risk is what a risk assessment assesses: a broad category of risks based on whatever type of assessment you are doing. For a general company assessment this might be business risks (related to changes in market, major events, staffing-related disruptions, etc.). For 27001 it's information security related, of course: viruses, confidentiality breaches, etc.

It sounds like you're being asked about risks in general because it's habitual to do so, related to the first context, but there shouldn't be many risks to implementing security measures, and during a gap assessment it's too early to be worried about that anyway. What I mean is that if you implement a new anti-virus application there could be some risks, but early on you need to first assess the need to do so, not worry about difficulties in doing so.

So you are back to the second kind of risk, and the question becomes what risks do the current gaps pose to your company or the company scope acquired. Banging out a comprehensive risk assessment is no small feat, as anyone with an active 27001 system already knows, so you could just do a "preliminary" gap assessment and a preliminary resolution project plan and let them know roughly where things stand, and 15 minutes is about right for that. Look at your own risk assessment and statement of applicability for inspiration, and for hints on presentation format.
Marc Timothy Smith - Elsmar.com