Initial commit
commit
570d74d4dd
67 changed files with 4609 additions and 0 deletions
47
marketing/campaigns/FUD with Certification.md
Normal file
@ -0,0 +1,47 @@
# Fears, Uncertainties, and Doubts with ISO 27001 certification
People who need to implement ISO 27001 within their organization, often worry about the following:
* Am I doing it right
* Did I interpret this article correctly
* Haven’t I forgotten anything
* Are we doing enough
* How long will this take
* How will I get people to cooperate
* This will bring a mound of unnecessary paperwork
* We will need to implement unworkable procedures
* This will take all flexibility out of our way of working
* We will become robots
* We will need to implement all kind of expensive measures
## Themes
The challenges they face an be grouped in several themes, as described below.
**Lack of leadership / top management support**
- leadership doesn't fully understand the value of ISO 27001, sees it as a bureaucratic burden instead of a strategic priority
- not a priority for middle management because of leadership stance
- lack of resource allocation (time, money and people) due to lack of leadership
**Business alignment**
- overly long and confusing policies that are difficult for employees to understand and auditors to navigate
- Risk of ISMS becoming isolated from real business processes, especially when internal responsibility lies with people lacking authority or visibility into all business areas.
* integration of management processes, process documentation, and continuous evaluation
**Acceptance / buy in at operational level:**
- (cultural) resistance from employees, beccause ISO 27001 implementation often introduces new policies and processes that can be perceived as burdensome or unnecessary
- this is aggravated if staff don't understand the benefits and/or aren't properly trained
- this is aggravated if the ISMS is implemented as, or perceived as, an artificial system for certification rather than an integrated part of the company's culture and operations
**Documentation /policy tuning:**
- how to create and maintaining policies and procedures that are both comprehensive enough to satisfy auditors and practical enough for employees to follow.
- Over-engineering of a one-size-fits-all approach from templates, leading to massive, unwieldy documents, instead of tailoring the documentation to the specific needs and size of the organization
- finding the balance between being thorough and being concise – how much detail or separation is appropriate for policies, procedures, and supporting documentation
**On Risks:**
- How do we properly identify, analyze, and prioritize all relevant risks.
- Fear of missing a critical risk or not prioritizing them correctly.
**Passing the audit:**
- When is a control implemented "enough" to pass an audit and a fear of misinterpreting the auditor's expectations. This often stems from the fact that ISO 27001 is a framework, not a prescriptive checklist.
- Lack of structured and impartial internal audit processes
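Review bot: several wording slips in the new file should be fixed before this lands: "The challenges they face an be grouped" under "## Themes" is missing a word ("can be grouped"), "beccause" under "Acceptance / buy in" is misspelled, "how to create and maintaining policies" under "Documentation /policy tuning" mixes verb forms ("how to create and maintain policies"), and "Haven’t I forgotten anything" in the opening list reads more naturally as "Have I forgotten anything". The opening fears are phrased as questions but carry no question marks, while the later ones ("This will bring a mound of unnecessary paperwork") are statements; consider either punctuating the questions or rephrasing the list consistently. The "Business alignment" list switches from "-" to "*" for its last item, and that item ("integration of management processes, process documentation, and continuous evaluation") is a noun phrase rather than a stated challenge; rewrite it to say what goes wrong, as the neighbouring bullets do. Finally, the "Passing the audit" theme closes on "Lack of structured and impartial internal audit processes" without tying it back to the fear of misreading the auditor, which the previous bullet sets up; one clause linking the two would make the theme read as a whole.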