BS 7799/ISO 17799
Thread index:
Release authority - May 25 2007 09:19AM - kartik kashyap (gmail com) (2 replies)
Re: Release authority - May 25 2007 09:54AM - Ismael Valenzuela (ismael valenzuela gmail com) (1 reply)
RE: Release authority - May 25 2007 09:41AM - Jose Varghese (jose varghese paladion net) (2 replies)
Certifications a magic bullet for e-security! - May 25 2007 10:05AM - Vijay Mukhi (vmukhi vsnl com) (3 replies)
Re: Certifications a magic bullet for e-security! - May 25 2007 01:29PM - ashish shah (ashishs_71 yahoo com)
Re: Certifications a magic bullet for e-security! - May 25 2007 10:56AM - Vivek P (iamherevivek gmail com) (1 reply)
I think you are "spot on". I wrote about this in a blog a while back:
http://securitybuddha.com/2007/03/22/ism-community-top-ten-company-wide-business-support-and-participation/
This is part of the ISM-Community (www.ism-community.org) Top Ten that we plan to publish next week or the week after.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Ismael Valenzuela
Sent: Friday, May 25, 2007 11:55 AM
To: kartik.kashyap (at) gmail (dot) com
Cc: bs7799 (at) securityfocus (dot) com
Subject: Re: Release authority
Hi Kartik,
Although the CISO, or the CSO, should manage the ISO 27001 implementation programme, and senior managers are required to sign off and to support corporate policies, departmental managers are actually responsible for reviewing and socialising those policies, processes or working instructions with their staff. It makes no sense having a new policy on access control issued by the CISO without letting the comms manager and the system manager contribute to and review the policy.
Even if it's signed off by the CEO, it won't work unless you make sure all the affected parties are involved, and that includes the departmental manager reviewing the policy with the people who will actually have to comply with the policy on a daily basis.
Hope this helps ;)
Ismael Valenzuela
Information Security Specialist
CISSP, CISM, IRCA ISO 27001 LA, ITIL Certified, MBA
www.linkedin.com/in/ivalenzuela
On 25 May 2007 09:19:49 -0000, kartik.kashyap (at) gmail (dot) com
<kartik.kashyap (at) gmail (dot) com> wrote:
> Hi
> Just a query for my knowledge in this regard.
> Who is responsible for the actual release of a policy/procedure in
> ISO 27001? As in, is it the CISO, CIO, or someone else in the organization
> that has to take up this responsibility?
>
>