One effective technique for tackling ISO 27001, or any other security management standard or framework, is to go deep into a single topic, regardless of where you choose to start or where you are forced to start.
In practice, the most challenging question for many organizations that want to comply with a standard or regulation is: where should we start?
Take ISO 27001. Should I start with Asset Management or with Risk Management? Both are fundamental. Can I start with Suppliers? What if I am forced to start with the Compliance clause, or with Access Control, because customers are pushing me, or because the whole effort is customer-driven?
The answer is actually very simple, and so is the execution: deep dive into one matter or clause, no matter where you start. The links between clauses will organically take you where you need to be. For example, to define access control properly you must know which assets need protecting, which pulls in asset management; deciding how strict a control must be pulls in risk assessment; and granting access to third parties pulls in supplier management. This is the beauty of almost every well-crafted framework or standard.
I usually walk through exactly how to execute this technique in the context of a specific organization or business function, regardless of scope or type of security management framework. For the sake of this brief article, I would like to direct you to just one important thing to keep in mind: go deep into any topic you face, do not defer it to tomorrow, do not postpone its elements for later, and you will automatically cover the elements of the other clauses and related topics.
Most organizations hesitate to do this, particularly when they are in a rush, because they think it is better to cover more areas than to be mature in one. In practice, though, you will cover all areas automatically if you deep dive into a single matter.