dopafacts.blogg.se

Wbs to iso










What do diverse situations like the Battle of Trafalgar (1805), the Cooley–Tukey FFT algorithm (1965), and the multi-sided market competition have in common? They are all examples of big or complex problems divided into smaller and more manageable pieces to reach a winning solution. This is a strategy called “Divide and Conquer.”

Like war, signal processing, and marketing competition, information security also deals with a complex situation: protecting information in all its forms and in all locations where it is stored or passes through. In this article, I will present you with a concept based on “divide and conquer” that can be very useful, especially for bigger companies, while implementing ISO 27001 security controls: the Work Breakdown Structure (WBS).

Originating from project management practices, the Work Breakdown Structure (WBS) is defined by the Project Management Body of Knowledge (PMBoK) as “a deliverable-oriented hierarchical decomposition of the work to be executed by the team.” A deliverable is any tangible or intangible object produced by a project that is intended to be delivered to a customer. Examples of deliverables are a product, a service, or data. Deliverables may be decomposed into multiple smaller deliverables, also called components (e.g., parts of a product, functionalities of a service, or chapters in a report).

Normally, a WBS is presented graphically in the form of a tree of elements, with the main deliverable at the top, the deliverable components in the middle part, and lists of activities to produce the deliverables at the bottom. Another way to present a WBS is as an indented list. See examples of these presentations at the end of the article.

In terms of information, deliverables and components are specified in terms of requirements to be fulfilled, while activities are specified in terms of resources needed, like time, equipment, and cost. In the ISO 27001 security controls context, we can have the following examples of deliverables:

  • Service: network traffic monitoring service.

While using a WBS to plan a security control, some rules should be followed to avoid excess or lack of detail, since both can negatively affect the implementation effort:

  • To make your WBS more understandable and useful, define as many elements as possible as outcomes to be achieved. Besides reducing the number of actions to be tracked, more outcome elements provide better capacity to identify results that may compromise the security control strength, or performance.
  • Avoid defining for a single deliverable an activity, or group of activities, that would require the allocation of many resources. A good “rule of thumb” is to limit the effort required by a single deliverable to less than 80 hours.
  • Though you can make a WBS with any level of detail, try to keep yours between three and seven levels, with the more detailed dedicated to deliverables with high cost or high risk.

Some benefits associated with developing a WBS are:

  • Better knowledge of the required steps. The WBS development is a group effort, where each person involved has needs to be fulfilled in order to achieve the expected results. This situation forces everyone to work to clarify ambiguities, bring out assumptions, and raise critical issues that can impact the control performance.
  • The detail level provided by a WBS makes it easier to establish people accountability, since no one can hide under a “broad specification.”
  • As a group work, the WBS development helps create a sense of ownership and involvement with the control implementation.

Depending on the size or complexity of the control to be implemented, the WBS development can take quite a lot of time. And, the more people involved, the more effort involved to balance the many needs and requirements. The initial developed WBS will rarely remain unchanged. As control development and implementation goes on, some adjustments may be necessary, and the impact of such changes must be evaluated.

Since nothing is better than a good practical example, let’s see a hypothetical WBS for implementing security controls in an information system:

  • Information classification (control A.8.2.1 – Classification of information).
  • Network segregation (control A.13.1.3 – Segregation in networks).
  • Cabling (control A.11.2.3 – Cabling security).









