Rhand LealWhen you start your ISO 27001 project, you have to make some very important decisions – one of those decisions is if you’re going to use a consultant. If you decide not to use one (which is a trend lately), then you have to decide what kind of online support you can get for your implementation.
Basically, you have two types of providers that offer support for ISO 27001 implementation: those who offer documentation templates, and those who offer ISO 27001 online software for handling the project.
Documentation templates for ISO 27001
Usually, these kinds of websites offer policies, procedures, plans, reports, and other documents and records that are mostly completed, where the user needs to fill out the rest of the document, and in such way adapt the documentation for their own needs.
These templates can be downloaded and edited/adapted to the needs of a particular company – the advantage is that, in most cases, they are really easy to use, and they cover all the mandatory and commonly used documents for ISO 27001.
The biggest problem with such solutions is that they are difficult to use for activities where continuous changes are needed – e.g., risk management, customer complaints, incidents, internal audits, etc. For smaller companies, using Word or Excel documents for such purpose might work, but even then it takes too much time. In other words, maintenance of the management systems brings some challenges when using the templates only.
ISO 27001 online software
These online software solutions are, in fact, Software-as-a-Service (SaaS), and they usually offer risk management, incident management, handling of customer complaints, etc. Some of these software solutions also offer document management (so that you can distribute and control your documentation), project management (so that you can run your whole ISO 27001 implementation project through it), and also collaboration (so that project members can use it for messaging and coordination).
The advantages of such online software are that, unlike software that has to be downloaded and installed, using the SaaS solution requires you only to log into your account in the cloud. Further, they enable multiple users from the same company to collaborate on a project.
The disadvantage of most of these online tools is that they usually focus on ISO 27001 functionalities, but they do not offer the documentation (i.e., policies, procedures, plans, etc.) that need to be produced as part of the ISO 27001 implementation project.
The blended approach
When we developed Conformio, we opted for a blended approach – this means that we decided to merge documentation toolkits and online tools into a single SaaS solution.
In the image below, you can see what Conformio’s user interface looks like.
You navigate through Conformio mostly by using the left sidebar. You can select the “ISO 27001 main steps,” which leads you to the core of your IOS 27001 implementation, or check the documents in Conformio by clicking on the Documents section.
In the Registers and Modules section you will have access to the Incidents Register, Internal Audits Module, Nonconformities Module, Risk Register, Statement of Applicability Module, and others. The Reporting dashboard gives you an overview of the ISO 2700 implementation project, as well as compliance status and the compliance performance of your company.
The Responsibility Matrix provides an overview of all tasks and responsibilities required for the ISO 27001 project and, in My Work, you will have a view of all your responsibilities in Conformio.
We believe that with such an approach it is much easier for project members to collaborate in order to complete the initial implementation of ISO 27001; but, at the same time, it enables them to maintain their management system with much less effort.
Additionally, based on parameters you define in your documentation, Conformio will build schedules for activities needed to implement and maintain ISO 27001. With this Responsibility Matrix, in which all activities have their clear owners and due dates, the risk of missing a recurrent activity (e.g., document review, risk assessment and risk treatment update, internal audit, etc.) is decreased. Furthermore, anyone with access to Conformio can have a systemic view of all responsibilities he/she has to fulfill.