Congratulations! You finally got the management buy-in for ISO 27001 implementation and conducted a gap analysis. The next step is to pick the right team to help you develop the right policies and procedures to align with the standard. Up to this point, you have managed to stay on top of the implementation project, as you were a one-man team. However, when you look at the amount of work ahead, the piles of documentation, and the numerous tasks, meetings, and discussions tied to policies and procedures, the project becomes more and more complex and it starts to look like you need to be a superhero to get it all done on time.

In this article, we want to present an angle where we, average joes, can enable teamwork to develop ISO 27001 policies and procedures just as easily as some expert ISO 27001 project managers.

Requirements for successful team development

It is expected from the project manager to stay on top of each requirement needed to comply with ISO 27001. To do so, the project manager should:

Pick the right team. Usually, the team should be comprised of people who represent all of the relevant departments and have enough organizational experience to really help you develop the procedures and policies needed to align with what the ISO 27001 standard dictates.

Spread the word. Once the project begins, awareness and understanding are crucial. So, all new policies, new processes, procedures, objectives, tasks, and timelines should be communicated clearly to the team members to avoid confusion and missed steps. This is usually done using some internal communication tool, email, or a dozen face-to-face weekly meetings.

Delegate roles and responsibilities. The completed gap analysis will show the team what requirements are not being met by your current processes and what new policies and procedures are needed to be developed internally to conform. That is usually turned into a list of tasks, which should be delegated to team members, tracked, and signed off on.

Be lord of the pile. A horde of policies and procedures are developed during the numerous meetings, and it is expected from the project manager to understand, at all times, the current status of the documents, where the last versions are, who should approve them, and when those policies and procedures should be updated next.

Monitor progress. Having an eagle eye on the policies’ and procedures’ statuses, accountable owners, latest versions, and approval deadlines is key to successfully orchestrate all the upcoming activities, mitigate risks (people leaving the team or company), and avoid loss of time.

Developing ISO policies online

We designed Conformio to relieve all the challenges team leaders face during the ISO 27001 implementation project by giving them one centralized place where they can bring together all relevant stakeholders and develop a massive amount of documentation, tasks, and communication without losing a step.

This is how we have resolved the teamwork challenges when developing ISO 27001 policies and procedures in Conformio:

Getting everyone on board. All team members can be added to one place, which is available any time. As that place is online, the locations of the team members become irrelevant, as long as they have an Internet connection and a proper browser. Even better, the members of the management committee can be added to approve the policies and procedures, or everyone else in the organization to comply with the changes.

Defining all team members needed in one place, available anytime on Conformio

Figure 1. Defining all team members needed in one place, available anytime on Conformio

Easily reaching out to the team. We designed Conformio with effective communication in mind. There are separate discussions for each register, module, and document, so everybody interested can easily find the right information. All changes in Conformio and every discussion can be sent out as a notification, either via email or Slack, so that nobody misses important information.

Sending a message to all team members, adding an attachment, and turning the discussion into a task on Conformio

Figure 2. Sending a message to all team members, adding an attachment, and turning the discussion into a task on Conformio

Delegating, tracking, and reacting. Conformio was developed around the phases and tasks required to implement an ISO management system, and the most common organizational roles involved (e.g., project manager, CEO, IT manager, HR manager, approver, reviewer, etc.). This approach allows for the automatic creation of tasks at proper times, and automatic delegation of these once the project team and involved parties are identified, during project parameters configuration. Once the project starts, tasks are automatically assigned to appropriate team members, ensuring accountability, and team members get notifications via email or Slack. Conformio creates tasks automatically, and keeps you in the loop, so nothing will be missed.

Responsibility Matrix for an overview of which activities are delegated to each role/person

Figure 3. Responsibility Matrix for an overview of which activities are delegated to each role/person

All tasks in one place – My Work

Figure 4. All tasks in one place – My Work

Staying on top of the documentation. Conformio has basic document management capabilities, which provide the necessary support to effectively co-develop, store, version, review, and approve all the policies and procedures coming out from the staff. Its Document Wizard can help you create the mandatory and most commonly used documents compliant with an ISO 27001 ISMS (templates are almost 80% completed and you only have to include the specifics of your organization). Once the uncomfortable questions are asked – “What is the status?” . . . “Where is the latest version?” . . . “Who approved that policy or procedure?” – the answer is just a few clicks away.

See this article for more details: What kind of Document Management System (DMS) do you need for handling ISO documents?

Documentation management system in Conformio

Figure 5. Documentation management system in Conformio

Managing documents in the Document Wizard

Figure 6. Managing documents in the Document Wizard

Implementing change. When policies and procedures are defined and approved, the rest of the organization can be called in to become aware and trained on the necessary changes. This “call to knowledge” is performed during document development, by identifying who must read each document after approval, and by using the Training Module for more structured activities (e.g., in-person or virtual training).

Optimizing policies and procedures on time. The frequency of review for each document can be set, and the document owner will receive a task to review the document at the right time to review and update the document as necessary. Cool, right?

Setting the Frequency of Review for timely update of the documents on Conformio

Figure 7. Setting the Frequency of Review for timely update of the documents on Conformio

With these sets of modules, it’s easy to maximize your team’s potential and overcome all the challenges encountered while developing ISO 27001 policies and procedures.

If this makes sense, go on and give it a try!