iso27diy-corp/Corpus/Sparks/How to work the Kanban.md

We start with all Clauses and controls on the Backlog. At the end of each session we move controls from the backlog to 'to do' (and maybe some items can move to 'planned for Qn').

Because every item is also tagged with a session number, I can generate an Epic timeline view.

I foresee a linear phase in which we go through the sessions sequentially, and then a number of cyclic iterations in which we expand and refine until we're ready for certification (of course the cycles continue after that). Actually the linear phase can be seen as the first cycle.

There will be different frequencies/RPMs: the 3 yr certification cycle, yearly, and the more frequent 'operational'.
These may be implemented by assigning a 'Review every n years/months/weeks' value to the Kanban item. A 'reviewed' button could trigger the population of a 'link to review' field and a 'next review date'. This could however be too complex for the video course. For the course the only use of the cycle frequency is to generate a Review Planning.

Now for the Risks. Finding a fitting Control is also a todo. But it's more a project item: it cannot be pre-populated like the clauses and controls. It must be clearly distinguishable from them. There will also be other project todos specific to the organization. Incorporate examples into the method.

PDCA cycle

Controls from Annex A 'come alive' by connecting them to a real-world Risk. Next, a Policy has to be defined (we are going to mitigate this risk by ...), and the implementation of the Control and its associated Measuring mechanism need to be planned. Then, after the Implementation, the measurements need to be Evaluated, and additional actions need to be identified (and planned) for the next cycle.

Related: About ISO27DIY Policy Cards

Activities and Artifacts

We can distinguish Activities and Artifacts. Activities line up with the PDCA cycle steps. Each activity needs to produce documented proof, or an 'Artifact'. The planning, in the form of the Kanban board, is an artifact in itself. Other artifacts are for instance measuring reports and logs, meeting notes, policies, etc.