
I would like to ask if it is efficient and correct to design the ISO 27001 ISMS for a company/organisation that is not yet in fully operational mode - e.g. the online architecture of their system is not finalised yet and undergoes several changes on a weekly basis.

I understand that as part of risk assessment a penetration testing exercise needs to be conducted, and if the system is not final then there is no point in doing a penetration testing exercise. However, you can implement other non-technical security controls.

  • This question is not ISO 27000 specific. Each Quality Process is never in "fully operational mode"; there is always a tradeoff with constraints from business cases, business history and other processes. The obvious answer is yes. – Sam Ginrich Jan 10 '22 at 10:49

1 Answer

Information security should be considered in every aspect of the organization's design, development, and implementation. If the organization isn't fully stood up, it's the perfect time to prime the pump and get security integrated from the ground up.

Bottom line: This will help them make smart choices while it's still easy to make adjustments. It's much harder to retrofit security.

– HashHazard
  • I agree, but this is for security awareness... is it possible to achieve ISO certification at this stage without a finalised architecture? ISO requires evidence of penetration testing, which you can't conduct on a non-finalised architecture. However, I agree that setting up the security environment at this stage reduces the work after you are in the production environment and plan for certification. – Hashed_Then_Encrypted Oct 04 '16 at 16:03
  • You *can* conduct a penetration test at any point, but obviously the value gained from exploiting an unfinished architecture may be negligible. You can achieve ISO cert at any point, provided the necessary control items are in place. – HashHazard Oct 04 '16 at 17:16