Tailoring ISO/IEC 27001 for SMEs: A Guide to Implement an Information Security Management System in Small Settings - Software Process Improvement

Hardware Reference

In-Depth Information

Fig. 3. Proposed product of Codasystem

Although the product proposed by Codasystem has been approved by experts, the

security of their processes is also at the heart of their concern. That is why the im-

provements in terms of security and the trust granted by the ISO/IEC 27001 certifica-

tion were raising strong interests.

4.1 Implementation of Codasystem's ISMS

The initial experiment (Figure 2) at Codasystem started in June 2006 and ended in May

2008. The collaboration between our team and Codasystem is evaluated at about 100

CRP Henri Tudor man-days. The total documentation produced was over 300 pages.

The complete process was very long and time-consuming. This is actually due to

several issues. First, the set of ISO/IEC 27001 requirements to satisfy is very impor-

tant, especially for a SME like Codasystem with few human resources to allocate on

this project. Moreover, the gap between the current state of an SME and the state to

reach for the certification is generally more important in SMEs. For example, a re-

source management process is typically in place in large organisations, as opposed to

SMEs where it is usual to develop it “from scratch”. Very few formalised policies or

procedures were already available in Codasystem.

The average knowledge of people involved in the setting up of the ISMS is also

generally lower in a SME than in a large company. Where large companies are able to

hire experienced and skilled human resources with regards to management systems,

SMEs generally choose internal employees who include their effort on the ISMS in

their day-to-day work. That was the case within Codasystem, where people had not

much knowledge in quality and process management. Many training sessions were

performed during the early meetings of the experiment, in order to familiarise the

team with the standard.

The time needed to develop the documentation and to satisfy all the requirements

was also very important. Hopefully, our knowledge was an added value to the Coda-

system's team, because they had very few experiences on what to implement in order

to satisfy the requirements.

Search WWH ::

Custom Search

Home