How to deal with non-compliant company after take over of them

shawofit

#1
I am looking for the correct steps to implement 27001 into a non-compliant company we have recently taken over. We are 27k compliant, but they are now part of us. The CTO has asked us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15-minute overview in PPT (yes, 15 minutes). Can anyone help, please?

Thanks

Paul
Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#3
Another quick "bump". My thanks in advance to anyone who can help with this one.
 

harry

Super Moderator
#4
... The CTO has asked for us to explain our plan, risks and key parts. ...
Gap Analysis!

It will reveal two important sets of information: where they are now, and what is deficient or needs to be done in order to reach a stage where they can be compliant. From that you can formulate your action plans.

Your presentation can be in this form:
1. Current status - 5 minutes
2. What needs to be done to attain compliant status - 10 minutes
 

john.b

Involved In Discussions
#5
I agree with Harry, you're at the gap analysis stage.

The obvious starting point is gaps related to the 27001 standard requirements, which of course covers both the main standard body requirements (some a bit general) and the 133 control requirements. Those are more specific in one sense but still not completely clear about how you need to address them, and of course limited exemptions are possible when they don't apply.

You should also be clear early on about the degree to which you want to integrate the prior system with the new company's system: use one system to cover both, just share some common practices, control implementations, formal process implementation, etc. It would be early to look too closely at the final end-point, but some of the demand should already be clear. 27001 "compliant" versus "certified" is also a substantial difference relating to possible goals, so it matters which you are and which you plan for them to be.

If you have already implemented a complete, certified ISO 27001 system you already know all this, but these are some primary concerns:

- management system framework: common to most, document control, audit requirements, defining roles, etc.

- security controls: defines a lot of 27001; your statement of applicability will help map what will translate easily or not at all

- risk assessment: major part of 27k; of course 27005 is the reference standard for the security risk assessment, and there is overlap with other standard requirements

- formal policies, procedures, records, training, skills development, etc.: relates back to your past development and present goals


A good reference site for 27001 implementation that is worth a look is:

http://www.iso27001security.com/html/iso27k_toolkit.html
 

Richard Regalado

Trusted Information Resource
#6
I am looking for the correct steps to implement 27001 into a non-compliant company we have recently taken over. We are 27k compliant, but they are now part of us. The CTO has asked us to explain our plan, risks and key parts. The CTO wants me to give the new board a 15-minute overview in PPT (yes, 15 minutes). Can anyone help, please?

Thanks

Paul
The CTO is asking for:

1. your plan for getting the other company to be compliant (see attached generic project plan)
2. risks of what? (risks of the other company, or risks of your plan?)
3. key parts (see attached project plan)

15 minutes is a long time.

Let me know your responses to the questions above and I can point you in the right direction.

Cheers!
 

john.b

Involved In Discussions
#7
I'll take the liberty of guessing ahead about what is meant by "risks" here. It seems to confuse two separate types of risk, although again that's a guess.

Whenever you implement anything in IT, part of the plan is to address risks: to assess them beforehand, use fall-back plans and whatever else you can to minimize them, and then get the residual risk accepted prior to moving on.

A separate meaning of risk is what a risk assessment assesses: a broad category of risks based on whatever type of assessment you are doing. For a general company assessment this might be business risks (related to changes in the market, major events, staffing-related disruptions, etc.). For 27001 it's information security related, of course: viruses, confidentiality breaches, etc.

It sounds like you're being asked about risks in general because it's habitual to do so, related to the first context, but there shouldn't be many risks to implementing security measures, and during a gap assessment it's too early to be worried about that anyway. What I mean is that if you implement a new anti-virus application there could be some risks, but early on you need to first assess the need to do so, not worry about difficulties in doing so.

So you are back to the second kind of risk, and the question becomes: what risks do the current gaps pose to your company or to the acquired company's scope? Banging out a comprehensive risk assessment is no small feat, as anyone with an active 27001 system already knows, so you could just do a "preliminary" gap assessment and a preliminary resolution project plan and let them know roughly where things stand; 15 minutes is about right for that. Look at your own risk assessment and statement of applicability for inspiration, and for hints on presentation format.