14 November 2013

First Look at an ISO 27001 Toolkit from Alan Calder

ITG offers a series of toolkits which can be downloaded for something between £400 and £1,000 depending on the contents.

I am sceptical about paying this sort of money for a download from the internet which isn’t actually software – it will be a series of templates. Anyways, there’s a free trial which I download. The confirmation email tells me it contains 10% of the contents of the full toolkit.

The first document I open up is the Toolkit Contents and Change History, which is six sides long. All this does is list all the changes made to all the documents within the Toolkit and give them lots of reference numbers. This is a massive turnoff. I gulp – I can’t even find an index at the moment.

The Toolkit talks on about Tier 1, Tier 2 and Tier 3 documents but there isn’t an obvious explanation of what this means. It also talks about a ‘Statement of Applicability’ – I am similarly confused.

There’s an Introduction to the Toolkit document which I can understand, because it’s the one which encourages you to buy the proper versions and spend £500-plus! I understand most of the contents. The contents list, with my view on each item, is thus:

Contents – My view
A model Information Security Policy – Got it!
A model Statement of Applicability – Not sure what this is
A pre-written Information Security Manual – Sounds good
A Business Continuity Plan – Sounds good
A Service Level Agreement Template – Sounds heavy
vsRisk™ and RA2 Risk Assessment Tool integration templates – I am sure this is going to be a complete overload of management methodology
400 pages of fit-for-purpose information – Load me up
110 pre-written policies, procedures, templates and guidance – Good
Implementation manager – Sounds like another case of overload
Enterprise security assessment tool – Sounds overly grand
Gap analysis/ISO27001 Audit tool – Gap analysis; I’ve done that before
‘What is BS7799/ISO17799?’ (project staff training slides) – Please, not PowerPoint?
PDCA and documentation pyramid presentation – More unnecessary diagrams and complexity?
Unique drafting support service – OK
12 months of automatic upgrades – You mean they don’t leave you alone even after giving you all this guff! Just kidding!

Next there are some user instructions – in fact there are 48 of them over 5 pages. These are legible and understandable. There’s good, frank advice embedded in here, like “Creating your ISMS documentation is a big task”.

The User Instructions document is one you can work to, but you’d have to sit down and study it. But, man, are we gearing up for a massive project here? This is the first document which divides the task out into stages and is the closest to a bullet-point methodology I’ve seen. It refers to many other documents, Risk Assessments and other phenomena, and I don’t know what many of them are. It does at least tell me the order in which I have to begin trying to understand them.

