If you are planning to implement any of the ISO or GRC projects this is for you.

We advise organisations in multiple ISO and GRC projects that involve implementation of new requirements. This is an effort to share that experience.

We are often asked these questions as to what are the key challenges of an ISO and GRC projects and how to really resolve them?

So lets start by documenting what are the unique requirements of the ISO or GRC projects are:

  • Achieve Certification or attestation by an external body within a target date
  • Ensure all head of functions or key roles are involved
  • Ensure all personnel are aware
  • The role of the management representative is crucial both for designing and maintaining the requirements. For a small or startup, this is generally a shared responsibility, for larger organisation, it requires a dedicated role
  • Management support, participation must be visible
  • Any identified resource requirement should be planned if not provided immediately
  • Ensure newly established procedures are being followed
  • Monitoring of risk and controls are in place
  • External auditor is satisfied with the requirements that they are fulfilled, and provide certification
  • Ongoing ‘momentum’ to the compliance once you have achieved the first year of compliance

So what is the most optimum way to achieve all of these?

Here are some of them and hopefully they will help you to achieve your goals. If you considering starting an ISO or a GRC project, consider these as critical success factors:

  1. Know about the requirements – someone in the organisation must read and understand the requirements. If the standard is complex, get an interpretation performed. This will help to know and define requirements that are really applicable, and those that are not.
  1. Project Charter – Right in the beginning define a list of tasks that shows – how we will achieve the final goal. As a consultant we often start with a laundry list of tasks that shows this list, also the end objective. For some tasks you can define a start date but for others you have to define a range as they need a management decision.
  1. Documentation – When an organisation decides to demonstrate its compliance they have to start showing their ‘intent of compliance’ by documentation. These documents starts with either a Policy or a process or a process or a standard. You must take the help of a specialist, seek services of a consultant or train your staff to document these requirements in your organisation.
  1. Training Sessions – Almost each of the standard requires some kind of training as a requirement of the standard. You should create a training template and ensure the training is an ongoing practices both for new comers as well as for all employees. Someone should be made responsible for updating these contents.
  1. Risk register – Customer complaints, root cause analysis reports, incidents, threat impact probability, vulnerability assessments – these are different names to the same. This is where you place all your weaknesses. The weaknesses arise out of your organisation based on the ISO and organisation objectives of that subject.
  1. Communication – If you are a lone warrior in an ISO project, you will not achieve the compliance goals. You must be a good communicator. The role of the communicator is to communicate all of the above to a specific audience.

Hope this helps you in designing your ISO/Compliance program.

Reach out to us at roadmap@coralesecure.com if you have any questions on the article.

Author : Probal C