Note – Opexo is now part of ISMS.online
Working with policies and controls
Where to start?
This is probably the most common question we get asked. ISO standards can appear daunting because there is so much work to do. opexo simplifies that by breaking the work down into manageable chunks, and much of it is already done for you. opexo also helps you see the progress you make and celebrate success every step of the way. Whether progress is little and infrequent, or lots and often, the built-in reports will motivate you towards 100% completion.
Depending on your actual starting point*, a great place to make progress is on the core requirements of the ISO standard (clauses 4 to 10). Click the Policies and Controls project favourite on the homepage, navigate to the Structure tab and click into 4.1 Understanding the organisation and its context. Starting in this activity area will help focus your thinking about the world your organisation operates in and how your policies and practice need to reflect that. You'll then logically move from 4.1 through the requirements to 10.2, documenting your work as you go (see below). Depending on your scope and experience this might take just a few hours or could take considerably longer. Once you have done the core requirements, complete the specific activity areas of the standards you are following.
Tip: As you go through the core requirements you'll become more consciously aware of the risks and opportunities within your scope, so remember to add risks to the risk map as you go. Risk is covered separately below.
*If you are new to the standard this flow makes sense. If you are migrating and improving your management system it will depend on your priorities for change.
Working within the activity areas
ISO is very big on documented records, policies and 'showing your working' to demonstrate that you are in control of your quality, information security, etc. You also need to show that you are following certain practices, regularly reviewing policies and continually improving. That doesn't mean you need to develop bureaucratic Word documents or have policies that prevent you from getting your work done. opexo makes the management of your management system a breeze!
You can also allocate activity owners and timelines to drive your implementation. Policies, controls, procedures and related records can be captured in Notes, Documents, To-dos and Discussions, at whatever level makes sense for your organisation. The activity area keeps everything in one place and provides rich detail of your actions and decision making to show you are in control. We recommend you choose the right tool for the job, for example:
- Notes – ideal for pithy policies and procedures, and for recording evidence that something has been considered but is not required. ISO needs to see that you have considered all of its areas, especially the Annex A controls in ISO 27001, where the Statement of Applicability must justify each inclusion and exclusion.
- Documents – some policies might be longer than basic Notes, or need pictures alongside them. Other uploaded documents can help demonstrate your working or evidence your compliance, e.g. a photo of a process mapped out on a flip-chart.
- Discussions – by holding a discussion in opexo with colleagues you retain that knowledge in one place and can demonstrate your decision making or logic around a requirement to an auditor.
- To-dos – set simple tasks for yourself and other team members, perhaps to break down work even further or to address specific issues in a more structured fashion.
At the top of the project area the orange tabs show all the Notes, Documents, To-dos or Discussions from within each policy activity area in aggregated form, with links back to the parent activity where relevant.
You can edit and amend Notes, upload and version documents, add and edit tasks, etc. for as long as the activity is open and you are working on it. Once you are finished, we recommend you submit it for approval so you can show the auditor it has had independent/peer review.
Completing and approving work
Opexo has a robust yet simple approval process that shows you are in control and review your policies regularly. When you are happy with an Activity it can be submitted for approval, and a member of the approval board (ideally someone other than the author) can sign it off, demonstrating the independent evaluation that ISO likes to see.
The team area in the top right of the project lets administrators of the work area add approvers (and add anyone with a registered user licence as a team member). Just tick the Approval box for anyone in the team you want to sign off work and save the change.
Submitting for approval
When you're happy an Activity is complete, click Submit for Approval. This puts it in a locked state, time and date stamps it, and notifies anyone you have set as an approver. The icon for that Activity will also move to an orange state in the broader project Structure.
Approvers can Approve or Decline Activities submitted for approval. Approving marks the Activity as complete, time and date stamps it, and notifies the submitter. The A icon for that Activity will now show as green in the project Structure.
Review in x Months
When approving an activity the approver can set a next review date; it then shows up as a planned task for the activity owner, helping you stay on track and meet your obligation to review policies and controls regularly. Tip: ISO requires policies to be reviewed at planned intervals, so always set a review date of a year or less, and perhaps stagger reviews if you want the work flowing over time rather than all at once!
If an Approver declines an Activity the activity owner will be notified of the reason and have the opportunity to amend it before re-submitting (this process turns into a helpful discussion thread if you want to continue the conversation on the platform).
When to do the approvals and reviews?
That is up to you. You might simply complete and approve each activity as you go, which is great for seeing rapid progress. Alternatively, you might choose to approve your activities as part of the structured management reviews in line with clause 9.3, holding them weekly, bi-weekly, etc. during early implementation. Either way works; just make sure that you are doing regular management reviews, which we'll touch on shortly.