Actually, deciding the scope involves a number of factors, depending on how large your organization is, and what your options are. We recently did a 4 week exercise for a major telecom company, simply to help them decide the best scope for their implementation. The various factors considered were:
1. The business drivers for the exercise - why do you want to do it in the first place: Could be to use it as a marketing tool, to get a handle on your information risks, or for any other reason
2. Fit for purposeness - which of the various options you are considering fit best with the business drivers
3. User acceptability - nothing will get done if you don't get across-the-board buy-in to the exercise. Interview users and business unit heads to get a feel of user acceptability and awareness of the standard
4. BS 7799 PDCA Maturity - are the list of assets classified, has a risk assessment been done, are info sec policies and procedures drafted and disseminated, is there a BCP in place, etc.
5. Controls compliance - do a brief gap analysis vis-a-vis the BS 7799 controls and measure where each of the scope options stand
6. Cost - the biggie! How much will it probably cost for each of the options under consideration. Balance it with how long it will take - that's opportunity cost for you. Remember costs include the consultants' fees, your internal time and effort expended towards compliance, any tools or products you may end up purchasing (although the standard does not mandate this), etc.
Make sure your scope has relevance to your overall business.
Cheers,
KK
--
K. K. Mookhey
Founder & CTO
Network Intelligence (I) Pvt. Ltd.
Web: www.nii.co.in
------------------------------------
Comprehensive Security Assessment Software
http://www.nii.co.in/products.html
------------------------------------
This message may contain privileged and confidential information and is solely for the use of intended recipient. If you are not the intended recipient you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
1. The business drivers for the exercise - why do you want to do it in the first place: Could be to use it as a marketing tool, to get a handle on your information risks, or for any other reason
2. Fit for purposeness - which of the various options you are considering fit best with the business drivers
3. User acceptability - nothing will get done if you don't get across-the-board buy-in to the exercise. Interview users and business unit heads to get a feel of user acceptability and awareness of the standard
4. BS 7799 PDCA Maturity - are the list of assets classified, has a risk assessment been done, are info sec policies and procedures drafted and disseminated, is there a BCP in place, etc.
5. Controls compliance - do a brief gap analysis vis-a-vis the BS 7799 controls and measure where each of the scope options stand
6. Cost - the biggie! How much will it probably cost for each of the options under consideration. Balance it with how long it will take - that's opportunity cost for you. Remember costs include the consultants' fees, your internal time and effort expended towards compliance, any tools or products you may end up purchasing (although the standard does not mandate this), etc.
Make sure your scope has relevance to your overall business.
Cheers,
KK
--
K. K. Mookhey
Founder & CTO
Network Intelligence (I) Pvt. Ltd.
Web: www.nii.co.in
------------------------------------
Comprehensive Security Assessment Software
http://www.nii.co.in/products.html
------------------------------------
This message may contain privileged and confidential information and is solely for the use of intended recipient. If you are not the intended recipient you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
[ reply ]