Organizations that intend to do a partial implementation of Information Security practices using BS ISO/IEC 27001:2005 need to note the following points, which are part of the standard.
Refer to your BS ISO/IEC 27001:2005 document under point 1, Scope.
1. Scope
1.1 General
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate………….
NOTE 1: References to ‘business’ in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization’s existence.
Look carefully at the words that I have highlighted above. It clearly says that if you are doing a partial implementation of Information Security practices using BS ISO/IEC 27001:2005 at your organization, you should choose those departments whose activities are core to the existence of the organization. BS 7799-2:2002 had the flexibility of implementing at any department the organization was comfortable with, and in the process most organizations chose departments that were easier to implement.
For example: if you are implementing Information Security practices in an IT organization, you should choose the development department/team for implementation, as that is the core business of an IT organization, without which an IT organization might not exist.
Those organizations that are already BS 7799-2:2002 certified for some of their departments that are not core to their business process need not worry. You can go ahead with the upgrade as is, but you should make sure that the scope is extended to the core business process. It also makes more sense to do so, because ultimately, what is it that we are trying to achieve? We need to protect our information assets, which are critical in those departments that are core to the business.
A couple of other points that we need to keep in mind are mentioned below:
Note the points under Management review of the ISMS, point 7 of BS ISO/IEC 27001:2005. Make sure every point in this section is discussed at all your security committee meetings. Even if you have nothing specific to discuss on a point in this section, mark this appropriately in your minutes of meeting document.
Make sure your Statement of Applicability (SOA) document mentions that all controls that are applicable have been implemented. If any of those controls has not been implemented, list those controls in the SOA document. Often, some organizations will mention that BCP is an applicable control but will be implementing it only after 6 months. You can still go ahead with the certification process, but mention this in your SOA specifically and have all your supporting documents ready.
If you are doing a partial implementation of Information Security practices in your organization, you need to clearly justify the exclusion of other departments in your scope document. Clearly mention why you chose this department and what the reasons were for excluding other departments, and have the management approval documents prepared for audits.
These are some of the points that I would like to highlight, which I feel would be of some help to all who intend to implement Information Security practices in their organization using the BS ISO/IEC 27001:2005 standard.