5.1 Selective Coverage
As an answer to the first objective, we propose in the guide a tailored version of the
ISO/IEC 27001 requirements. The complete set of standard requirements was first
modelled as a list of 32 major activities. Each of them was annotated, where applicable,
with its key outputs in terms of document production. This list was then split over a
5-column matrix representing various progressive configurations, giving five coherent
sets of activities. These five choices were established through multiple experts'
opinions in order to find a consensus that would maintain coherence within each column
and keep the smoothest progression from implementation level 1 to level 5.
Fig. 4. ISMS completion matrix
The criteria used to define these configurations were essentially related to
resource consumption, the importance of the activity within the ISMS and therefore
the return on security investment. However, the impact of each choice was also taken into
account for its relevance to the efficiency of the whole ISMS. Indeed, numerous
activities are strongly tied together and cannot be removed or added without
others. For instance, the risk assessment requires half a dozen activities, which
have no meaning by themselves.
Finally, a given level was chosen: implementation level 4. It basically consists of a
complete ISMS, without audit requirements or technical surveys. On the one hand,
level 3 was rejected as it lacked most "check/act" activities. On the other hand, level 5
was too close to the original standard to bring any added value to the guide. Furthermore,
as audits were probably one of the most expensive and time-consuming parts of
Codasystem's experiment, it made sense to remove them.
The decisions made with this matrix led to the definition of the ISO/IEC 27001
coverage of the guide. This modelling of the standard also served as a guideline
regarding how the guide should be organised, as explained in Section 5.4.
5.2 Raising Awareness and Maturity to Lower Apprehension
As stated in Objective 2, initial apprehension can be critical regarding ISMS implementation.
That is to say, if the management perceives an ISMS as a long, costly or