(3) discussion boards
By this point, you probably understand that one of the hallmarks of the ISO 27001 standard is that it requires not only that you do things correctly in compliance with the standard, but also that you have documentation that tells people how you want them to protect information and that gives you a basis for judging whether the systems are running properly from an information protection standpoint.
For this week’s discussion, assume that your boss has asked you to meet with a friend who is considering using the ISO standard, but who doesn’t believe that the time and cost of writing operational process documentation is worth it. “After all,” the person tells you, “my people know how to do their jobs, and the experienced people teach the newcomers exactly how to do it. So why would I waste time and resources having the experienced people write documentation of the processes we use and the controls that are embedded within them?”
For your primary post, explain your view of why written documentation is part of the ISO process and why that is important. Try to answer the criticism that it is not worth the time and cost, because people know what to do without having it.