The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

Who should be your project manager for ISO 27001/ISO 22301?

If you’re planning to start your ISO 27001 and/or ISO 22301 project, you’re probably wondering who could lead such a complex project – what type of person do you need, what authority should they have, and should you go with someone in-house or someone from the outside?

First of all, don’t even think of starting to implement these standards without a project approach – to succeed, you need a project manager, a project sponsor, clearly defined milestones and deadlines, etc. See also: ISO 27001 project – How to make it work.

Profile of the project manager


Since ISO 27001 and ISO 22301 are closely related to information technology, the project manager should have at least average knowledge of IT; however, this project should not be treated as an IT project, so you should avoid having someone from your IT department lead it. See also: 5 greatest myths about ISO 27001.

What you need is someone with a balanced knowledge of IT and of your company’s business processes, because managing information security is, in most cases, about organizational issues (developing policies and procedures, defining responsibilities, and managing change), not about the technology.

Since the manager of this kind of project will often run into opposition from some of their colleagues, such a person should have enough authority, either by position or by the respect of his/her peers.

Once this project is over, this person is the most likely candidate to become your Chief Information Security Officer (CISO) or Business Continuity Manager. In smaller companies, you will usually have one position that covers both information security and business continuity, while in larger companies these functions will be separate – although very often in the same department. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?

Needed skills & availability

It would be perfect if your project manager had experience with ISO 27001/ISO 22301 implementation, but such people are very rare.

In most cases, this person will obtain these skills by attending courses – the most useful are the Lead Auditor and Lead Implementer courses. Learn more here: Lead Auditor Course vs. Lead Implementer Course – Which one to go for?

Regarding the time needed: in a smaller company the project manager will need to spend about 1 or 2 hours per day on this kind of project; in a company with a couple of thousand employees, the project will occupy this person full-time for its entire duration. See also this Implementation Duration Calculator.

In-house or outsource?

There is no doubt about it – the project manager must be someone from inside your company. This is necessary because an outsider cannot know all the details and the cultural issues in your company. When things get tough (which they certainly will during this kind of project), you need someone who knows who to turn to, which approach to other employees will be accepted, and what to avoid.

Don’t get me wrong – you should get some external help in order to obtain the know-how, but a consultant cannot lead your project. See also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

Which kind of authority?

This is probably the toughest question – on one hand, the project manager only has a temporary job, and on the other hand, he or she has to change how things are done in your company. So, theoretically speaking, this person should have the formal authority to implement any change necessary as part of this project.

But, in reality, the following two characteristics will be much more important than formal authority:

1) How well the project manager gets along with the project sponsor – because whenever the project manager hits a wall, it will be the sponsor who provides the means to remove that wall.

2) The level of “diplomatic” skills of the project manager – since the project sponsor won’t get into every detail, the project manager will need to find ways around the smaller walls on his or her own.

So, the point is – the project manager is a central figure in your implementation, and the success of your project depends much more on this person than you might think. To succeed, find a capable person, provide him or her with the required skills, and give him or her a good sponsor. The alternative is to have one of those never-ending projects.

Download this free Project plan template that is applicable for smaller and mid-size companies.

12 responses to “Who should be your project manager for ISO 27001/ISO 22301?”

  1. Guest says:

    How deep should an organization dig into assets, when it is the very first iteration of
    asset identification? Let’s take a Web Server as an example. My question is
    the following: what will be the most flexible solution for not-so-mature organizations?
    Considering the Web Server including its components (OS, server-side software,
    configurations, etc.) as one asset, or considering each component (OS, server-side
    software, configurations, etc.) of the Web Server as an individual asset?

    • ISO 27001 allows both approaches – you can list the web server as a single asset, or as several assets (hardware, software, data). The first approach is better for smaller companies that are not exposed to serious security threats; for larger companies, and for companies facing bigger threats, the second approach is better because it produces better results both with risk assessment and with managing the assets.

      • Tunji says:

        For ISO 27001 implementation, are we required to list all the assets individually, or are we allowed to generalise? E.g. for servers, instead of listing the 200+ servers we have in my organisation, group them into categories like Mail servers, Web application servers, etc.?

        • Antonio Segovia says:

          Absolutely, you can have a single asset “Group of Web Application servers”. The important thing here is that each group of assets has the same threats/vulnerabilities and the same risk. Anyway, keep in mind that the standard establishes that you need an inventory of assets, but it does not define how you have to do it.

  2. Fareed says:

    What about financial organizations or banks of medium-large size? How should their Asset Management Policy be written from the context of information security? What does ISO 27001:2013 say about Information Assets? What is an Information Asset? What’s the difference between hardware assets, software assets, people assets, and services assets? Is it even acceptable to use such terms? For me, all of these are Information Assets, as they contain (or process) information which is valuable to the organization. I’m currently writing an Information Asset Management Policy which will cover classification, valuation, labeling and handling of Information Assets. I want to call it an “Information Asset” Management Policy as opposed to an “Asset” Management Policy because I’ll be writing it from the Information Security perspective, excluding financial or other types of assets. Your valuable and expert thoughts and guidelines on this will be highly appreciated. Thanks already.

  3. GreenKura says:

    Hi, this article helped me a lot with differentiating Risk vs. Asset Owner. However, I’m still confused with the method to identify assets for the asset inventory.
    1. For People assets, is it enough to just list the position/function (e.g. staff, managers, supervisors) or is it recommended to list the names of the people (e.g. John Doe, Jane Doe)?
    2. For software, what is the recommended way to list software assets used by many employees? For example, software like MS Office used by 2000 different employees, each with a different serial number. Is it enough to just generalize it as ‘MS Office’ and write it down as one asset entry, or is it recommended to list every MS Office installation with a different serial number used by an employee (e.g. MS Office Serial XXX-XXX-XXX, MS Office Serial YYY-YYY-YYY) as a different asset entry?

    Really appreciate it if you can help me out on these. Thanks!

    • From the perspective of ISO 27001, you can do this in your Asset inventory:
      1) For people assets you can list positions/functions, and you can refer to your existing list of employees for details.
      2) For software you can generalize and state only “MS Office”, and again refer to some existing detailed list where you defined which serial numbers are used by which employees.

  4. Ando says:

    Hi, Thanks a lot for this article. I have a question though :

    I understand that there could be more than one threat and vulnerability for one particular asset. For example, an in-house application: this has threats related to access rights, change management, configuration, etc. Right now, I feel that I should list them one by one in separate rows under that asset. Is this possible?

  5. Muhammad says:

    I want to ask a question related to People assets: how can we identify Risks, Threats, and Vulnerabilities for the person whose designation is Chief Security Officer in an IT-based organization and Department of Information Security?
    Please guide me through it.

    • Antonio Segovia says:

      Generally, risk management methodologies give you a catalogue of threats/vulnerabilities, and it can help you calculate risks. And of course, it can help you assign threats/vulnerabilities to each asset. For example, in ISO 27005 you can find vulnerabilities directly related to personnel (for any type of employee): absence of personnel, insufficient security training, lack of policies for the correct use of telecommunications media and messaging, etc. And you can also find threats related to these vulnerabilities: absence of personnel -> breach of personnel availability, insufficient security training -> error in use, etc. Once you have identified the threats/vulnerabilities for your asset (CSO), you need to calculate the risk, following the risk management methodology. Finally, you can find here our catalogue of threats and vulnerabilities:
