
▲ 4 r/ISO27001
What are your best tips and tricks to make a bloated ISMS light and fast? (poke a hole in my plan)
Asking for tips and tricks and feedback on my plan. The plan is simplified here; feel free to ask for more information, and if I have forgotten anything or anything is unclear, please let me know.
Context
- small company (100 employees) med-tech
- ISO 27001-certified ISMS that no one has worked with full-time before
- I started 6 months ago to mature the ISMS. I have long experience in IT and cybersecurity operations, but am new to implementing an ISO 27001 ISMS. CISSP certified, if that says anything.
- ISMS is a few years old and is built using different generic templates;
- the policies often mix in SOP sections; all the documentation is pretty hard to read.
- Also, we have 24 policies and 99 risk entries (!)
There has been an attempt to do some kind of Integrated Management System, combining policies and SOPs with the ISO 13485 QMS. This, of course, added even more complexity and adopted stricter procedures than the ISMS standard requires.
This makes it hard to work systematically and risk-based due to the overwhelming administrative load.
Suggested plan to fix this (before my head explodes)
- Keep the full scope for now
- Decouple as much as possible from QMS (ISO 13485) to bring down dependencies and administrative load
- Centralize requirements into the ISMS guide, such as roles and responsibilities, to make the policies easier to read
- Move out any SOP information from policies into a new template. Policies shrink from about 5-8 pages to 2 pages.
- Consolidate policies from 24 to 8-12 policies
- Rewrite the entire risk register (current risks make no sense) from 99 risks to 25 high-level risks.
- Update ISMS hierarchy to make SOPs more general, see image from ISMS Guide draft. This is to give teams flexibility to interpret implementation of Policy/SOP requirements in Operational Work Instructions. (Current SOPs are managed by QMS requirements, which makes them hopelessly complex and hard to update due to a complex document system and signature requirements. People hate it, and few SOPs are correct or even useful.)
Any holes in this plan? (especially number 7)
Any other tips or tricks to make the ISMS more effective?
Many thanks in advance! 🙏
u/PM_ME_YOUR_CLAUSES — 8 days ago