How to enable teamwork for developing ISO 27001 policies and procedures using an online tool

Congratulations! You finally got the management buy-in for ISO 27001 implementation and conducted a gap analysis. The next step is to pick the right team to help you develop the policies and procedures that align with the standard. Up to this point, you have managed to stay on top of the implementation project, as you were a one-man team. However, when you look at the amount of work ahead, the piles of documentation, and the numerous tasks, meetings, and discussions tied to policies and procedures, the project becomes more and more complex, and it starts to look like you need to be a superhero to get it all done on time.

In this article, we want to present an angle where we, average joes, can enable teamwork to develop ISO 27001 policies and procedures just as easily as some expert ISO 27001 project managers.

Requirements for successful team development

It is expected from the project manager to stay on top of each requirement needed to comply with ISO 27001. To do so, the project manager should:

Pick the right team. Usually, the team should be composed of people who represent all of the relevant departments and have enough organizational experience to really help you develop the procedures and policies needed to align with what the ISO 27001 standard dictates.

Spread the word. Once the project begins, awareness and understanding are crucial. So, all new policies, new processes, procedures, objectives, tasks, and timelines should be communicated clearly to the team members to avoid confusion and missed steps. This is usually done using some internal communication tool, email, or a dozen face-to-face weekly meetings.

Delegate roles and responsibilities. The completed gap analysis will show the team which requirements are not being met by your current processes and which new policies and procedures need to be developed internally to conform. That is usually turned into a list of tasks, which should be delegated to team members, tracked, and signed off on.

Be lord of the pile. A horde of policies and procedures is developed during the numerous meetings, and the project manager is expected to know, at all times, the current status of the documents, where the latest versions are, who should approve them, and when those policies and procedures should be updated next.

Monitor progress. Keeping an eagle eye on the policies’ and procedures’ statuses, accountable owners, latest versions, and approval deadlines is key to successfully orchestrating all the upcoming activities, mitigating risks (such as people leaving the team or the company), and avoiding loss of time.

Developing ISO policies online

We designed Conformio to relieve all the challenges team leaders face during the ISO 27001 implementation project by giving them one centralized place where they can bring together all relevant stakeholders and develop a massive amount of documentation, tasks, and communication without losing a step.

This is how we have resolved the teamwork challenges when developing ISO 27001 policies and procedures in Conformio:

Getting everyone on board. All team members can be added to one place, which is available at any time. As that place is online, the locations of the team members become irrelevant, as long as they have an Internet connection and a proper browser. Even better, the members of the management committee can be added to approve the policies and procedures, and everyone else in the organization can be added so that they comply with the changes.

Figure 1. Defining all team members needed in one place, available anytime on Conformio

Easily reaching out to the team. We designed Conformio with effective communication in mind. There are separate discussions for each register, module, and document, so everybody interested can easily find the right information. All changes in Conformio and every discussion can be sent out as a notification, either via email or Slack, so that nobody misses important information.

Figure 2. Sending a message to all team members, adding an attachment, and turning the discussion into a task on Conformio

Delegating, tracking, and reacting. Conformio was developed around the phases and tasks required to implement an ISO management system, and around the most common organizational roles involved (e.g., project manager, CEO, IT manager, HR manager, approver, reviewer, etc.). This approach allows tasks to be created automatically at the proper times and delegated automatically once the project team and involved parties have been identified during configuration of the project parameters. Once the project starts, tasks are automatically assigned to the appropriate team members, ensuring accountability, and team members get notifications via email or Slack. Conformio creates tasks automatically and keeps you in the loop, so nothing will be missed.

Figure 3. Responsibility Matrix for an overview of which activities are delegated to each role/person
Figure 4. All tasks in one place – My Work

Staying on top of the documentation. Conformio has basic document management capabilities, which provide the necessary support to effectively co-develop, store, version, review, and approve all the policies and procedures produced by the staff. Its Document Wizard can help you create the mandatory and most commonly used documents of an ISO 27001-compliant ISMS (templates are almost 80% complete, and you only have to include the specifics of your organization). Once the uncomfortable questions are asked – “What is the status?” . . . “Where is the latest version?” . . . “Who approved that policy or procedure?” – the answer is just a few clicks away.

See this article for more details: What kind of Document Management System (DMS) do you need for handling ISO documents?

Figure 5. Documentation management system in Conformio
Figure 6. Managing documents in the Document Wizard

Implementing change. When policies and procedures are defined and approved, the rest of the organization can be called in to become aware of, and trained on, the necessary changes. This “call to knowledge” is prepared during document development, by identifying who must read each document after approval, and by using the Training Module for more structured activities (e.g., in-person or virtual training).

Optimizing policies and procedures on time. The frequency of review for each document can be set, and the document owner will receive a task at the right time to review the document and update it as necessary. Cool, right?

Figure 7. Setting the Frequency of Review for timely update of the documents on Conformio

With this set of modules, it’s easy to maximize your team’s potential and overcome all the challenges encountered while developing ISO 27001 policies and procedures.

If this makes sense, go on and give it a try!

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.