I feel that I am now in strong position with regards to ISO 9001 and ISO 14001. My attention turns to finding information on the practical implementation of 27001 in an SME.
After the struggle of finding information on with ISO 9001 and ISO 14001, my patience is wearing a bit thin with the nature of information that is available on thes standards.
Most of the material features in depth discussion on corporate governance or charts which to my mind make a simple idea much more complex than it needs to be. It seems that when a point could be made in one or two sentences ISO authors write two sides of prose instead. They throw in a chart, and, if they’re really overloading, a table or figure as well. What’s more the figures have numbers eg. “3.1a”, and the figure or chart is always over the page to the text that refers to it and explains it – so one has to keep page-flipping between the two.
Judging by my searching on ISO 27001, all or most Google information security roads appear to lead to www.itgovernance.co.uk (ITG). Unlike for ISO 9001, Google searches for ISO 27001 do not go many page searches deep in terms of relevant results.
These Google road signs lead to ‘ITG’ either because its good, because it’s the only one there, or both.
My first download about 27001 is IT Governance’s Introduction to Information Security and 27001 – 6 sides. This is pretty useful. It sets the scene quite well for a director or manager whose thinking about going for it and sets the background to the standard well. I pick up on some particular sentences “the most time-consuming….part of the entire project is the development of documentation that sets out how the ISMS works.” I would have guessed this but it just underlines what the challenge is going to be judging by my ISO 9001 experience to date.
At the end of ITG intro document is a list of additional resources which turn out all to be available from their own website! Ok, so the this intro document have set the scene and now the next task is to have a look around the site.