Gourmet
Hi,
My company already has an ISO 9001 & 14001 certificate (only on a specific part of its perimeter).
I'm managing the ISO 27001 part which, at this time, is not scheduled to be certified.
Thanks to the QMS (which is, in fact, a QSEMS), business and environment processes are now well defined.
I'm wondering now how to define the processes that'll be managed under the ISO 27001 umbrella.
I've already identified the following processes:
- incident management,
- risk assessment,
- risk treatment,
- measuring management as well as
- the ISMS itself of course.
But what else?
- Vulnerabilities management?
- Rights and authorization management?
- Business continuity management?
- asset management?
- business continuity management?
Which framework should I follow in order to establish my list of processes?
ISO 27002 (or ISO 27001 Annex A)? Another one?
Is it useless to build such a list?
I have another question about processes that already exist through ISO 9001.
Knowing that such a process, managing the documentation for example, already exists in the ISO 9001 perimeter (but with a quality scope, not a security one), what should I do in the ISMS scope?
Should I integrate my needs into the ISO 9001 documentation process (in an integrated management system perspective) or make my own process?
Same question for the:
- measuring management process above,
- management,
- legal, regulatory risk management,
- training & awareness management.
Is there some guide and/or example somewhere about rules to follow?
Thanks.
db