The creators of isology®

isology® is a world-leading proven step by step roadmap to achieve ISO certification.

Implemented for over 600 organisations with a 100% success rate, we take you from the planning and creation of your bespoke ISO System through to certification with our 7 step process.

The deadline is looming on the horizon, as October 2025 marks the end of the validity of ISO 27001:2013 certificates.

Have you made a start on your transition journey? If not, you really should make a start in 2024 to ensure you’re all set well before that final deadline. The first step is to decide if you want to do it yourself or enlist the help of a professional consultant.

For those who want to tackle it themselves, you’re in luck, as we have just the tool to help: The ISO 27001:2022 Transition Gameplan.

In this week’s episode, Steph Churchman, Communications Manager at Blackmores, explains why you need to transition to the 2022 version of the Standard and outlines the 7-step ISO 27001:2022 Transition Gameplan available on the isologyhub.

You’ll learn

  • Why do you need to transition to ISO 27001:2022?
  • What happens if you don’t transition?
  • What is the ISO 27001:2022 Transition Gameplan?
  • An overview of the 7-step Gameplan

Resources

In this episode, we talk about:

[00:25] A different host – Steph Churchman, Communications Manager at Blackmores, steps in to cover today’s episode. She’s heavily involved with the development and updating of the isologyhub, and will be explaining one of the latest Gameplans: The ISO 27001:2022 Transition Gameplan.

[01:15] Why do you need to transition to ISO 27001:2022? The October 2025 deadline is fast approaching, so you really should be making a start in 2024 if you’ve not already.

[01:45] Who needs to transition to ISO 27001:2022? – Basically, anyone who is currently certified under ISO 27001:2013 will have to transition to the updated Standard.

One of the main reasons we recommend getting a head start on this is that Certification Bodies will undoubtedly see a large demand for transition audits in 2025, when everyone is rushing to get it done at the last minute. This results in a shortage of resources at the CBs, and you may end up struggling to get booked in time.

[02:35] What happens if you don’t transition in time? – The harsh truth is you will lose your ISO 27001 certification.

This then means you’ll be required to go through another Stage 1 and 2 Assessment against the latest version of ISO 27001, which can be costly.

Another key reason is the latest version of ISO 27001 also considers a lot of new technologies that weren’t around back when the last version was published. You can imagine now that there are a lot more cybersecurity risks to consider with all the latest technology that has been released in that time. Put simply, it’s for the benefit of your Information Security to ensure you are adhering to the most recent best practice Standards.

[03:40] What is the ISO 27001:2022 Transition Gameplan? This Gameplan will walk you through the stages of transition, which align with our proven isology® approach, isology® being our methodology for implementing any ISO Standard, based on our 18+ years of experience.

In this Gameplan we provide training videos on the changes to ISO 27001, including specific training videos covering each of the new Annex A controls that you will need to be familiar with, along with templates and workbooks to take you through the process from beginning to end.

[04:20] Step 1: Plan – Before you begin on your journey, it’s advised to understand the main changes to the standard. We’ve summarised the high-level changes in a previous podcast, and included a quick summary in the first step of the Gameplan.

In this first step, you’ll also find guidance on how to prepare for your Certification Body visit. You really do need to do this early on to help establish a realistic timeline to complete your transition work.

[04:55] Step 2: Discover – At this stage, you need to get to grips with the changes to the Standard. A number of controls have changed, and 11 completely new ones have been added. We covered a select few of these new controls in previous podcasts: #111, #112, #113, #114.

In this Discover step we provide a number of awareness videos to explore these new controls and changes in detail, including how they may apply to your business.

We’ve also included a downloadable PDF guide to these changes, in case you’d like to share this information internally.

[05:40] Step 3: Expose – In this step we’ve included an ISO 27001:2022 transition workbook, which will act as a guide for all your transition activities, the first of which is conducting a Gap Analysis against the latest version of the Standard.

After completing this, you will have a much better idea of where your main gaps and vulnerabilities are, so you can start putting the necessary controls in place to ensure compliance with ISO 27001:2022.

We’ve also included a summary of the main Management System documentation that will need to be updated ahead of your transition visit.

[06:20] Step 4: Create – This is the step where you will be implementing those changes as a result of your Gap Analysis. This will also be guided by that workbook, and we have provided some additional templates and resources to aid you.

These include:

  • A Statement of Applicability Template
  • Annex A Control Mapping
  • ISO 27001 Management Review Template

[07:15] Step 5: Launch – It’s not just about updating your documentation; you will obviously need to communicate these changes to the wider business.

In this step we go over a few options for your launch plan – including guidance for both a soft launch and an all-in launch.

To help you decide which one would be the best fit for you, we’ve included a full summary of each method in addition to a pros and cons list for each.

[08:30] Step 6: Engage – The last stages are all about gathering evidence of compliance against new and updated clauses and controls.

In this step we provide some insight into what’s required from your Internal Audits and Management Review ahead of your transition visit.

If you want more tips on carrying out Internal Audits within your business, we also offer a full Internal Auditor course on the hub that covers the core skills needed to complete them. If you become a member of the hub, you’ll get access to our whole library of resources, which includes a wealth of ISO related tools, templates and training videos.

[09:20] Step 7: Review – This last step will help you prepare for the transition visit with your certification body.

We touch on what you should expect from your Certification Body ahead of the transition visit, and include guidance on carrying out a final document and evidence check to make sure you’re all good to go.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

The use of AI within business is becoming more commonplace, with major applications like Microsoft Teams and Word integrating many new features designed to make our lives easier.

However, we still need to exercise caution with this new technology and consider what we can put in place to mitigate any potential security risks while developing or utilizing it. That is precisely what today’s guest, Monolith, has done.

Monolith provide a machine learning program that engineers can adopt to build highly accurate self-learning AI models that instantly predict the performance of systems in a wide variety of operating conditions.

In this week’s episode Mel is joined by Æsc George, Senior Software Engineer at Monolith, to discuss why they have adopted ISO 27001, explain their implementation journey and the benefits of having an Information Security Management System.

You’ll learn

  • Who are Monolith?
  • What was their main driver behind obtaining ISO 27001?
  • What was the biggest Gap identified in the initial Gap Analysis?
  • What benefits did Monolith gain from implementing ISO 27001?

Resources

In this episode, we talk about:

[00:25] An introduction to Monolith and Æsc George – Monolith is all about empowering engineers to develop self-learning models from their engineering test data. With this they can develop machine learning models to really accelerate new product introductions and get these new products to market much more quickly, primarily by using these models to accelerate and streamline their testing.

They are currently recommended for ISO 27001 certification, and are eagerly awaiting the arrival of their physical certificate.

Æsc George is a Senior Software Engineer working on this web-browser-based software. He is also the interim security officer, which is why he was tasked with obtaining ISO 27001.

Fun fact about Æsc: He was a proud owner of a colony of 8 rats! He currently takes care of 4 cats, which have access to a plethora of enrichment in his home 😊

[03:35] What was the main driver for Monolith to obtain ISO 27001? – There were a few drivers, the most obvious being that they want to display their commitment and credibility when it comes to Information Security.

Acquiring ISO 27001 makes it easier to show their clients and prospects that their engineering data is in safe hands.

Monolith also know that there’s a lot of buzz about artificial intelligence and machine learning at the moment, and that buzz covers both sides of the coin: the good it can do for the world and the harm it can do. Aligning with ISO 27001 shows that they’re trying to use AI in a responsible way.

[05:10] The start-up is getting a head start! – Monolith is a start-up company, only a year in and already leading the way for AI development by ensuring security is a priority from the start.

[05:40] How long did it take to implement ISO 27001? Nine months from the point of contacting Blackmores to assist to being recommended for certification.

Æsc recounts his experience: “My perception is that the effort was quite front loaded, so the amount of effort involved in the process almost wound down towards the end – even with the external audit happening towards the end.

I think once the information security management had been established and we’d worked it into our day-to-day, the perceived effort was lower. So I felt pretty confident going through our audit processes because I’ve experienced the system working already.”

[08:15] What was the biggest gap identified at the Gap Analysis? There wasn’t a formal approach to information security risk and risk treatment.

There were already a number of existing systems and ad-hoc arrangements to mitigate information security risks – but they hadn’t been framed in terms of risk.

They hadn’t gone through a process where risks were quantified and weighed against each other.

So following the gap analysis, one of the many actions Monolith took was to make sure they were consistently and regularly assessing information security risk in various dimensions.

They now have the right framework in place to allocate the appropriate time and resources towards information security, and to prioritise the biggest risks.

[10:10] What difference has Implementing ISO 27001 made? –  It’s given Monolith more confidence in their understanding of Information Security risks, and assurance that there aren’t any massive, unidentified risks that may cause trouble later down the line.

It’s also made it easier to discuss information security risk and policy decisions. Monolith AI are a remote first company, allowing their staff the freedom to experiment with new technologies, and be in an environment where they feel comfortable. Having formal risk treatment in place means they can maintain this highly flexible, highly innovative and productive way of working – but with their eyes wide open.

[11:40] What has Æsc learned from the experience of Implementing ISO 27001? Æsc is not new to ISO Management Systems, having been involved with the maintenance and implementation of a few in the past.

However, he has gained an appreciation for the nuance in ISO 27001. For example, the knowledge that the standard uses words like ‘should’ and ‘shall’ that have particular intentions – ‘shall’ being mandatory and ‘should’ being recommended.

His previous experiences with Management systems had more available resource than at Monolith, so learning this nuance has been important in the prioritization of focus and resources in his current position.

[13:30] What have been the main benefits from Implementing ISO 27001? Having a holistic and formal approach to Information Security and risk management compared to the ad-hoc approach they had prior.

It’s brought the company together on a really important issue, and helped everyone to understand the role they play in Information Security.

Personally, Æsc has enjoyed reaching out to people he may not ordinarily get the chance to work with, as a result of this unifying issue that everyone at Monolith cares about. 

[17:00] Once Monolith formally receive their ISO 27001 certificate, what benefits will that bring? – Currently Monolith AI are recommended for Certification, and are simply waiting on the delivery of their physical certificate.

Once received, they will be able to present it to prospects and clients if they are questioned on information security credentials – to show that they are serious about their commitment to security.

It will also open doors to new prospects that may otherwise not have considered them as a supplier due to a lack of ISO 27001 certification.

They are also a leading example in the relatively new industry of AI; those with ISO 27001 certification at this stage stand out from their competitors.

[19:15] What tips does Æsc have for those starting out on their ISO journey? – Speaking from experience, Æsc recommends hiring a specialist in ISO to assist with your implementation.

In his case, Blackmores helped to organise the process, drive a lot of the early gap analysis and gave him confidence in going through internal and external audits.

Having someone with experience acting as a guiding hand makes the whole process go a lot more smoothly. This could be a consultant, or someone you train within your own business.

These projects are the sort of thing that turns passion into action. Whether that’s information security, environmental management etc., it’s better to have someone experienced or trained in the nuances of the Standard to ensure it’s implemented in a way that truly benefits your business.

[21:20] Æsc’s book recommendation – Nature’s Calendar: The British Year in 72 Seasons by Kiera Chapman, Rowan Jaines, Lulah Ellender and Rebecca Warren. Inspired by a traditional Japanese calendar which divides the year into segments of four to five days, this book guides you through a year of 72 seasons as they manifest in the British Isles.

As Æsc describes: “Lots of the seasons will be very familiar to people who’ve lived in this country their whole life, but they may not have necessarily thought about the context of it.

So I think it is really grounding. Time and the way we measure it can seem so arbitrary and abstract sometimes, and measuring minutes and hours is responsible for so much stress and anxiety, so taking a breath, thinking about how nature moves at a different, slower, more deliberate pace, and finding the time to synchronise with that, to move with nature, can be a really rewarding experience.”

[24:15] One of Æsc’s favorite quotes –  “I went to the woods because I wished to live deliberately, to front only the essential facts of life, and see if I could not learn what it had to teach, and not, when I came to die, discover that I had not lived” – Henry David Thoreau (from his book ‘Walden’)

[26:10] Need help with your ISO 27001 transition? – We have an ISO 27001 Transition Gameplan available on the isologyhub. This Gameplan provides a step by step guide for you to transition to the latest 2022 Standard.

If you’d like to learn more about Monolith, check out their website.


With a growing number of threats and risks facing businesses every day, it’s never been more crucial to have a proper system in place to mitigate and manage issues when they crop up.

A variety of ISO Standards can help businesses to do just that! And we’re seeing an ever-increasing trend of requests for Integrated Management Systems, which combine multiple ISO certifications to cover every aspect of their business. Such is the case with today’s guest, Todd Research.

Todd Research have been in the business of designing, manufacturing and supplying X-ray scanners for 70 years. They have since expanded their product range to include other solutions, all designed to detect suspect devices.

We’re joined by Caroline Banks, Support Manager at Todd Research, to learn about why they decided to implement ISO 9001 (Quality Management) and ISO 27001 (Information Security), including an insight into their experience with our ISO 14001 coaching programme, hosted on the isologyhub.

You’ll learn

  • Who are Todd Research?
  • Why did they choose to Implement ISO 9001 and ISO 27001?
  • What challenges did they face?
  • The benefits of ISO 9001 and ISO 27001
  • Their experience with our ISO 14001 coaching Programme

Resources

In this episode, we talk about:

[00:37] An introduction to Todd Research and Caroline Banks’ role as Support Manager there.

[01:20] What is something not many people know about Caroline? She’s taken up running and started with the couch to 5K. She later completed a half-marathon in the same year, and has since gone on to finish 21 more half-marathons and 2 full ones!  

[02:27] Who are Todd Research? They were founded in 1950, designing, manufacturing and supplying X-ray scanning equipment. They also provide service and maintenance for their devices worldwide.

[03:11] What Standards are they certified to? ISO 9001 (Quality Management, inherited from a previous company) and ISO 27001 (Information Security Management).

[03:48] What was the main driver for achieving ISO 9001 and ISO 27001? – For ISO 9001 – As a manufacturing company, they want to ensure that they can provide the best quality in terms of product and service. For ISO 27001 – This was more sales driven and was being requested in a lot of tenders, particularly Government tenders.

[04:35] How did Caroline manage an inherited Quality Management System? – Caroline completely revamped the inherited Management System, making it their own and adapting it to suit how they currently run their business. It involved a lot of review and removal of unnecessary documentation, with the end result of streamlining the whole system. They also appreciated a 3rd party coming in to review and assist with the process. After moving to new premises, they are still continually improving the system year on year.

[06:25] How long did it take to achieve certification to ISO 27001? – They started in April 2021 with a Gap Analysis and gained certification in September 2021 (6 months in total). As they already held ISO 9001, they made the decision early on to integrate the two Standards into a Business Management System.

[07:50] What was the biggest gap found after the initial ISO 27001 Gap Analysis? – The biggest challenge for Todd Research was carrying out the Risk Assessments. Getting Directors involved in the review of Standards and agreeing what risks applied to them took the most time in the early stages.

[09:00] Caroline’s experience with ISO 27001 – While she had experience with ISO 9001, ISO 27001 was a whole new ball game. There are a lot of risks associated with Information Security, including phishing, malware, risks to hardware etc. This was all new territory for Caroline, but she adapted and learned a lot along the way.

[09:50] What difference has the Management System made to the business? – It’s unique to them and their way of working, especially as a result of integrating the two Standards into a single Management System. The whole process gave them a chance to look at the business with a new perspective, which in turn helped them to streamline a lot of processes.

[10:20] What lessons have they learned from Implementing ISO 9001 and ISO 27001? – Caroline now has a better understanding of how the business works from all angles, from manufacturing to finance. Her experience with having Blackmores assist with Internal Audits highlighted the need for and importance of impartiality.

[11:20] What are the main benefits? – For them, it’s having an Integrated Management System, as a lot of aspects of various ISO Standards share similarities, and it just makes sense to combine them to save on doubling up on documented information. Caroline also highlights the Corrective Actions Log as her key tool for managing actions following on from Internal Audits, allowing for a proactive approach for business improvement on a weekly basis. 

[12:50] What is the ENE / ISO 14001 Coaching programme? – Blackmores secured some European funding to support 7 businesses in the East of England to raise awareness of environmental issues and implement some practical tools for Environmental Management. We opted for an ISO 14001 focus and utilized our online membership portal, the isologyhub, as the host with additional coaching from one of our experienced consultants.

[13:25] What was Caroline’s experience with the isologyhub and the ISO 14001 coaching programme? – Todd Research made the decision early on not to go for ISO 14001 certification. The experience gave Caroline a good insight into what the requirements are for the Environmental Management Standard in preparation for potentially certifying in future.

Caroline highlights the wealth of information available in the hub, including documentation which supplemented the coaching sessions. Her 1-2-1 coaching sessions resulted in deeper analysis of what their business can act on to improve their impact, for example putting in place a scrap metal policy for X-ray scanners and equipment that needs to be disposed of. They have also streamlined their Engineer’s service visits, by making the most of them while in any given area to reduce the carbon impact of travel.

[17:00] What was the most useful resource in the isologyhub? – The training provided for carrying out Risk Assessments, with a focus on their environmental risks.

[18:05] What was the main benefit of achieving certification to ISO 9001 and ISO 27001? – Having both standards sets them aside from their competitors, as many have ISO 9001 but not many have ISO 27001. It also brings a sense of continuity to the business.

[18:55] Caroline’s top tips – Use an independent company (such as Blackmores) to assist with Implementation. Having an experienced helping hand will make the journey run a lot more smoothly and will give you peace of mind, especially as you have your own day job to worry about!

[19:30] A reminder that the ISO 27001 Transition Gameplan is available on the isologyhub – ISO 27001 was recently updated, and those certified to it need to update to the latest 2022 version of the Standard. Our Transition Gameplan will guide you through the changes and what needs to be done to update your Management System.

[21:17] Caroline’s book recommendation – ‘Menopausing’ by Davina McCall

[22:17] Caroline’s favorite quote – ‘It’s not so much that I began to run, it’s that I continued’

You can find out more about Todd Research via their website!


Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.

Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and Implement the required updates.

Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit.

You’ll learn

  • What needs to be audited?
  • What do I need to do to prepare for the Certification Body visit?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be Implemented to transition to ISO 27001:2022

[01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls.

[01:28] Make sure you plan your transition visit well in advance – If you leave it too late you may incur additional fees for more days or possibly even for a full certification if you miss the deadline.

[02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls.

[02:45] You can get a free copy if you sign up to our Transition Programme by April 1st 2023.

[02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to Implement the changes earlier in the year with a view to auditing the changes in the latter half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit.

[03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day.

[04:30] We can also support you during your transition visit – this could be on-line or on-site, depending on your Certification Body’s preference.

[05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it’s worth getting in contact with them to see what they would recommend regarding your transition.  

[05:43] We advise that you also ask your Certification Body when they will be UKAS accredited for ISO 27001:2022 – they may not be ready to complete a transition visit until the latter half of 2023.

[06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries.

[07:15] Don’t leave this until the last minute! Based on previous experience with transitions, we’ve found that companies that leave it until a few months before the deadline often can’t transition in time, and end up having to pay for a full Stage 1 and 2 Assessment in order to keep their certification.

Grab a copy of our ISO 27001:2022 Guideline to the changes here:


The updated ISO 27001:2022 has had several changes, including the addition of 11 completely new controls and the merging of 56 other controls into 24 newly titled controls.  

These changes mean that anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.

Join Mel this week as she explains the changes that need to be made, including what key documentation requires updating to align with ISO 27001:2022.

You’ll learn

  • What changes need to be made to your existing Information Security Management System?
  • What key documents need to be updated?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] In the last episode we covered the planning stages for your transition – catch up here

[01:02] We have a free ‘Guide to the ISO 27001 Changes’ available – simply fill out the form at the end of the Show Notes to download your copy

[01:29] You should have a copy of ISO 27001:2022 ahead of Implementing the changes (you can get a free copy if you sign up to our Transition Programme by April 1st 2023)

[01:35] Before you move onto Implementation, ensure that you have planned back from your transition date, understood the new controls and had a Discovery session / Gap Analysis to see where the gaps in your current system are.

[02:11] This is also a good opportunity to revamp your Management System! We have a few older episodes to help you with this: #102, #103, #104

[02:50] What needs updating? This will include:

  • Your Statement of Applicability
  • Risk Assessment
  • Objectives
  • Action Plans
  • Monitoring and measurement (reviewing what you are monitoring / measuring and how it’s recorded)
  • Internal Audit Schedule / Programme – To include the new controls

[03:45] At this stage you need to look at what controls you have in place – there may be some you can now merge together to reduce any paperwork involved.

[04:25] We have some tools available to tackle the new controls (e.g. Threat Intelligence, data masking, physical security monitoring etc.) if you need some extra help.

[04:50] It’s not just about updating documentation; you will need to fully implement and communicate these new controls to the wider business. You may find that you already have some controls covered, but not yet formalised.

[05:30] The main aspect of the Implementation phase is to address the gaps found during the Gap Analysis. For example, new controls such as data masking, threat intelligence and web filtering, which you may not have considered seriously before, now need formal, documented measures in place to address them.

[06:26] Communication and evidence should be at the forefront of your mind when updating your Info Sec Management System.

[06:39] Don’t just implement controls for the sake of it – consider how they are going to reduce risk and how they’re going to make a difference to improve your Risk Register and Statement of Applicability.

[07:00] The Implementation phase of our Transition Programme is 1-3 days depending on your level of required support

[07:54] You should also consider creating a Communication Plan to share knowledge of these changes to the wider business. Make sure you also compile any evidence of training on new elements of your Management System too. We will have Coffee Break Training available on the isologyhub which could help with this.  

Grab a copy of our ISO 27001:2022 Guideline to the changes here:

Keep an eye out for next week’s episode where we explain how to complete your ISO 27001:2022 transition.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

ISO 27001:2022 is here, which means it’s time to start thinking about starting the transition process. While the deadline is set at December 2025, it’s never too early to start!

If this is all news to you, check out our previous three episodes, where we reviewed all the major changes to ISO 27001, including clause updates and the 11 completely new controls added.

Join Mel this week as she explains what you need to know before embarking on your ISO 27001 transition journey, in addition to a summary of our transition programme.

You’ll learn

  • How to plan for your ISO 27001 transition
  • How can Blackmores help you?
  • How can you get a free copy of ISO 27001:2022?

Resources

In this episode, we talk about:

[00:44] Businesses have until October 2025 to transition to the updated version of ISO 27001:2022 – but don’t wait until the last minute! Certification Bodies get really booked up in the last year, and you could risk losing your certification and paying for another Stage 1 and 2 Assessment.  

[01:30] We recommend that you start thinking about your transition in 2023 so you have everything in place to start the process in 2024.

[02:28] As a recap – the major changes to ISO 27001:2022 are: 56 controls have been merged into 24 newly titled controls, the addition of 11 completely new controls and controls are now categorised into just 4 groups instead of the 14 from the previous version.

[03:00] ISO 27001:2022 Guide to the changes available – Simply fill out the form available at the end of the show notes to grab a copy!

[04:25] Over the next few episodes, Mel will talk through the process of planning, implementing and preparing for the Certification Body transition visit.

[05:51] All steps of the transition process are laid out in our Transition Programme, which includes: an awareness video, a transition action plan, Implementation of changes, Internal auditing of the changes and some optional support during the Certification Body visit.  

[08:45] The Planning Phase: We recommend trying to combine your transition visit with your next Surveillance visit – you can have a chat with your CB to see if that’s possible. This may not be possible if your Surveillance is coming up very soon, as you need time to implement the changes needed. Those that have it in say 6 or more months’ time would be in a good position to make the request.   

[09:30] Certification Bodies are recommending an extra half day for transition –  some may require a desktop review ahead of the actual visit. Combining this visit with your Surveillance is a good way to reduce costs.

[10:30] When planning out your timescales for transition, don’t forget to inform Leadership and key personnel involved in the running of the Management System about the expected changes to come – and plan in time for them to help with the implementation.

[11:10] Understanding the changes: We gave a high-level overview of the 11 new controls in our last episode. We will also have 11 Coffee Break Training courses covering the controls in more detail, available from March 31st 2023 on the isologyhub.

[12:11] Offer: We’re including a free copy of ISO 27001:2022 for those that sign up to our Transition Programme before April 1st 2023.

[12:34] You may get asked for a copy of the Standard at your transition visit – as having a copy can come under ‘other’ legal requirements.  

[13:10] Discovery Phase: We have a transition checklist which can help you identify where the gaps are in terms of compliance with the new controls. You may already have some of it in place!

Keep an eye out for next week’s episode where we dive into how to Implement the changes…


ISO 27001, the Information Security Standard, was updated in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with the latest best practice standards.

Over the last two episodes, we’ve gone over the key changes and explored the specific clause updates in more detail. As mentioned in the first episode of this mini-series, there have been 11 new controls added to ISO 27001:2022.

Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the 11 new controls added to ISO 27001:2022 and their purpose.  

You’ll learn

  • What are the 11 new controls in ISO 27001:2022?
  • Why have these been added?
  • What is their purpose?

Resources

In this episode, we talk about:

[01:00] A quick overview of the key changes –  56 Controls combined into 24 newly titled controls, 11 new controls added and 58 existing controls remained unchanged.

[02:30] We have gone over a few of the new controls in ISO 27002:2022 in more detail in a few previous episodes: #111, #112, #113, #114

[02:50] These new controls are nothing to worry about – they are simply aligning the Standard with more modern security considerations. You may already be complying with them!

[03:32] Control A.5.7 Threat intelligence – ‘To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.’ – This can come from many different sources, such as the NCSC or local police websites. There are also additional tools you can add to detect possible phishing attacks. This also includes consideration of external threats – Information Security is about much more than just protecting data! It also includes physical security.

[05:33] Control A.5.23 Information security for use of cloud services – ‘To specify and manage information security for the use of cloud services.’ – More and more businesses rely on cloud-based computing. It’s important to verify the security of your service provider to ensure it’s adequate. You can check to see if they have any valid Information Security related credentials such as CSA STAR, Cyber Essentials or SOC. You could also adopt principles of ISO 27017 (certification for cloud security), ISO 27018 (protection of PII in the public cloud) and ISO 27701 (PII security Standard).

[08:30] Control A.5.30 ICT readiness for business continuity – ‘To ensure the availability of the organization’s information and other associated assets during disruption.’ – There are a few standards that could assist with this, including ISO 27031 (ICT readiness for Business Continuity). Those that have ISO 22301 may want to look at how ISO 27001 elements can be integrated and improved in any disaster recovery plans. ISO 27001 needs to be an integral part of any business continuity plans – not just a bolt-on. Small businesses may not want to conduct a full business impact analysis, but should carry out a risk assessment around business continuity at the very least.

[11:30] Control A.5.30 ICT readiness for business continuity – further considerations: A key focus of this part of the Standard is Recovery Time Objectives and Recovery Point Objectives. Overall, the whole business continuity aspect of the updated ISO 27001:2022 may take a bit of work to implement, but you will ultimately be much better off in the event of a disaster or security incident. For further guidance, you may want to check out an older non-certifiable standard, BS 25777 (ICT continuity).

[13:20] Control A.7.4 Physical security monitoring – ‘To detect and deter unauthorized physical access.’ – This can include things like CCTV, access control, swipe cards, etc. This also includes the ability and regular practice of monitoring these access methods, for the purpose of detecting any anomalies.

[18:56] Control A.8.9 Configuration management – ‘To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.’ – Configuration for things like a firewall, software, any hardware devices, passwords, etc. should be documented, explained and monitored on a regular basis to ensure nothing has been changed without notifying the relevant people. ISO 20000 includes a helpful section around configuration if you require further guidance.

[21:41] Control A.8.10 Information deletion – ‘To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.’ – This already existed in the Standard, it has simply been clarified further. You will now need to prove that data has been deleted as required, and if you use a third party for this, they will need to provide the relevant certificates.

[22:05] Control A.8.11 Data Masking – ‘To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.’ – You have 3 options for data masking: obfuscation, pseudonymisation and anonymisation. This also helps to comply with GDPR requirements.
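As an added illustration of the three options named above (this is example code written for these notes, not from the episode or from Blackmores), the following applies each to a constructed customer record; the record values, the HMAC key and the function names are assumptions, and the distinction it shows is that obfuscation keeps the value's shape, pseudonymisation is consistent and reversible only by whoever holds the key, and anonymisation generalises so the record can no longer be tied to a person.

```python
"""Data masking options from ISO 27001:2022 control A.8.11, demonstrated on
a constructed customer record (added example; not the page's own code)."""
import hashlib
import hmac
import re

# Constructed sample record; every value is invented for the demo.
SAMPLE = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "card": "4111 1111 1111 1111",
    "postcode": "SW1A 1AA",
    "age": 37,
}


# 1. Obfuscation: hide most of a value but keep its format, so the data is
#    still usable (e.g. for support staff or test systems). No secret involved,
#    and the hidden part is simply gone from the output.
def obfuscate_card(card: str) -> str:
    digits = re.sub(r"\D", "", card)
    return "*" * (len(digits) - 4) + digits[-4:]


def obfuscate_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain


# 2. Pseudonymisation: replace the identifier with a keyed token (HMAC-SHA256).
#    The same input with the same key always yields the same token, so records
#    can still be joined; re-identification needs the key, which is held
#    separately from the masked data set.
def pseudonymise(value: str, key: bytes) -> str:
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# 3. Anonymisation: drop direct identifiers and generalise the remaining
#    quasi-identifiers (age to a ten-year band, postcode to its outward code),
#    so nothing in the output can be traced back to the individual.
def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def postcode_area(postcode: str) -> str:
    return postcode.strip().split()[0]


def anonymise(record: dict) -> dict:
    return {
        "postcode_area": postcode_area(record["postcode"]),
        "age_band": age_band(record["age"]),
    }


def mask_record(record: dict, key: bytes) -> dict:
    """Return all three masked views of one record side by side."""
    return {
        "obfuscated": {
            "email": obfuscate_email(record["email"]),
            "card": obfuscate_card(record["card"]),
        },
        "pseudonymised": {
            "subject_id": pseudonymise(record["email"], key),
        },
        "anonymised": anonymise(record),
    }


if __name__ == "__main__":
    # Hypothetical key; in practice this would live in a key store, not in code.
    demo_key = b"demo-key-not-for-production"
    for view, fields in mask_record(SAMPLE, demo_key).items():
        print(view, fields)
```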

[24:10] Control A.8.12 Data leakage prevention – ‘To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.’ – This control has made a return from the 2005 version of ISO 27001. Businesses should have systems in place to monitor any particularly large data downloads – or even possibly large print batches. You should also ensure that you have a secure email system in place as well as VPNs and regular security training to shore up your security to prevent any potential leaks.

[27:00] Control A.8.16 Monitoring Activities – ‘To detect anomalous behaviour and potential information security incidents.’ – Appropriate monitoring should be in place to detect any potentially dangerous or malicious behaviour.

[28:00] Control A.8.23 Web Filtering – ‘To protect systems from being compromised by malware and to prevent access to unauthorized web resources.’ – Your systems should be set up in a way that prevents people from accessing insecure or unsavoury sites. This could include social media sites – but be mindful that there may have to be exceptions for marketing or communications personnel for those particular sites.

[28:00] Control A.8.28 Secure Coding – ‘To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.’ – If you have created your own secure coding standards, be sure to evaluate them against industry professional standards such as OWASP and NIST.

As a reminder, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Keep an eye out for next week’s episode where we dive into the clause clarifications and control changes of ISO 27001:2022…


As many of you are aware, an updated version of ISO 27001 was published in October 2022. While there is a 2-year grace period for transition, we would urge everyone to make a start on implementing the changes to ensure you are compliant with the latest best practice standards. But where do you start?

In the last episode, Mel and Steve gave an overview of the updated ISO 27001:2022, including a high-level look at some of the key changes.

In addition to the control changes, there have been several changes made to specific clauses within the Standard.

Mel is once again joined by Steve Mason, Managing Consultant here at Blackmores, to discuss the ISO 27001:2022 clause updates and their purpose.

You’ll learn

  • What clauses have been updated from the 2013 version of ISO 27001?
  • Why have these clauses been updated?

Resources

In this episode, we talk about:

[01:06] The changes to these clauses appear to align your Management System with the business more so than in the previous iteration of ISO 27001 – a key focus is integration.

[01:20] First change: Clause 4.2 Understanding the needs and expectations of Interested parties – ‘c) which of these requirements will be addressed through the information security management system.’ – This seeks to align the Management System with interested parties and identify where it may or may not be able to meet their needs and expectations.

[03:30] Clause 4.4 Information Security Management System – ‘The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.’ – There will be more focus on process flows and not Policies and Procedures. This can be further used to align the Management System with your business, by clearly identifying where it fits in with your business activities.

[06:14] Clause 5.1 Leadership – ‘Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.’ – This acts more as a reminder to top management to ensure they include the Management System as part of the business and not just a bolt-on. It should be a part of the strategy and part of the business (part of the ship, part of the crew).

[07:42] Clause 6.1.3 Information Security Risk Treatment – Note 2 in sub-clause ‘c’ now states ‘Annex A contains a list of possible information security controls.’ (it had previously read ‘Annex A contains a comprehensive list of control objectives and controls.’) – This simply means that you can add references to other controls outside of the list provided within Annex A, i.e. NIST or Cyber Essentials. Though, do be careful to avoid doing this at the level of minutiae, as that just increases Management System maintenance.

[09:15] Clause 6.2 Information security objectives and planning to achieve them – A couple of extra points have been added to this clause: ‘d) be monitored’ and ‘g) be available as documented information’ – The monitoring was previously a given, but not really specified. So now, you’ll have to demonstrate how you’re monitoring objective planning and achievements.

[10:24] Clause 6.3 Planning of Changes – ‘When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.’ – This has now been aligned more with ISO 9001’s approach to changes. All changes should be planned before implementation, and this now includes information security consideration. Fun fact – they forgot to include this clause in the Standard’s table of contents! (as of January 2023, this will probably be added later!)

[11:55] Clause 9.3.2 Management Review Inputs – ‘c) changes in needs and expectations of interested parties that are relevant to the information security management system’ – This just ensures that the needs and expectations of your Interested Parties are reviewed and not just left stagnant.

[13:20] To help you revamp your Management Review, check out episodes #99 and #100

As a reminder, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Keep an eye out for next week’s episode where we dive into the clause clarifications and control changes of ISO 27001:2022…


The long-awaited update of ISO 27001 arrived in October 2022, having gone 9 years since its previous 2013 iteration. Needless to say, it was much overdue.

The new 2022 version of the Standard includes 11 new controls and sees around 56 other controls combined into 24 newly titled controls.

In order to cover every aspect of the new Standard, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.

Starting off the series strong, Mel is joined once again by Steve Mason, our very own Information Security guru, to broadly discuss the changes to ISO 27001:2022.

You’ll learn

  • Who is ISO 27001:2022 applicable to?
  • An overview of the changes to ISO 27001:2022
  • What is Steve’s favorite change to ISO 27001:2022?
  • What are the challenges involved with updating to the 2022 version?

Resources

In this episode, we talk about:

[01:50] Steve gives an overview of what’s new in ISO 27001:2022 – The updated version of ISO 27001 was released on the 26th Oct 2022. The new version included 24 changes and clarifications within the main clauses.

[02:50] The controls for the new standard are now categorised into 4 groups: Organisation, People, Physical and Technology.

[05:50] We covered some of the new controls in more detail in previous episodes: #109, #110, #111, #112, #113 and #114

[06:17] The 24 changes and clarifications to Clauses include older existing clauses which have been tidied up to be more transparent. We recommend reviewing to ensure that you are complying in a way that aligns with the Standard.

[06:35] There are 11 new Controls. 56 controls from the 2013 version have been reduced to 24 with 58 remaining unchanged. So, in short, Annex A has been simplified with less duplication of controls.

[07:44] Steve highlights section A.9 for Access Control as one of the much-improved controls – due to the lack of repetition and simplified requirements for compliance.

[08:35] Steve’s favourite update to the Standard: The whole Standard now collectively encourages incorporation into your business. Your ISMS should not feel like a bolt on, it should be a part of your businesses DNA.

[10:36] Steve’s favourite update to the Standard #2: It’s not a static Standard, it encourages development and continual improvement.  

[13:45] For those completely new to ISO 27001 – check out our 3-part Steps to Success series which explains the Implementation process from start to finish.

[14:38] Listen to some of our client interviews to hear the challenges others faced when Implementing ISO 27001 in addition to the benefits gained as a result of adopting the Standard.

[14:50] Why would the business continuity elements of ISO 27001:2022 pose a challenge?  There used to be a clause in the 2005 version of the standard which documented the need for a business impact analysis – this was removed in the 2013 version. The new ‘ICT readiness for business continuity’ control will require at the very least, a risk assessment.   

[16:48] Steve recommends checking out the Plan, Do, Act, Check diagram in ISO 27031 (Guidelines for information and communication technology readiness for business continuity). It also includes some great guidance on business impact analysis.

[18:40] The ICT readiness control is not designed to be an all-encompassing business continuity strategy – it’s designed to work in tandem with an existing one (you may already be certified to ISO 22301 Business Continuity Management).

[19:50] It’s highly recommended that if you don’t have a Business Continuity Plan or strategy – at least have a framework in place. Disasters by their nature are unpredictable, as is the resulting damage to an extent. You will not know the full extent until you’ve lived it – so don’t write an exhaustive 80+ page manual that no-one will read, document the what, who and how of getting yourself back up and running again.

[21:11] There has also been an update to ISO 27005 (Risk assessment in relation to info sec). It includes a new set of threat categories: physical threats, natural threats, infrastructure failures, technical failures, human actions, compromised services or functions and organisational threats. These may help you when putting a business continuity framework in place.

[22:05] Above all else – ISO 27001:2022 has modernised and aligned itself more with the likes of cyber essentials and NIST.

Keep an eye out for next week’s episode where we dive into the clause updates…


Happy New Year! We at Blackmores hope you all managed to have a break over the holiday season and are gearing up for many challenges and successes in 2023.

As a reminder, we signed off last year by highlighting the top 5 podcasts as dictated by you, the listeners.

Before we dive into a brand-new year full of top tips, expert advice with industry leaders and client interviews, we’d like to take a step back and let the host share her reflections on 2022.

Join Mel as she shares her personal top 5 ISO Show episodes from last year.   

You’ll learn

  • What are Mel’s top 5 episodes of 2022?

Resources

In this episode, we talk about:

[00:30] A reminder to listen to our last podcast, covering the top 5 podcasts as dictated by the listeners.

[01:21] #1 Episode 102 – What’s in a name? This episode features our Senior Isologist, Sarah Ball, as she explains the importance of giving a meaningful name to your Management System. 

[03:40] What’s in a Name snippet – Full episode available in the ISO Show Archive   

[08:01] #2 Episode 94 – The 7 Steps of Carbonology – Reduce – Part 4 of the 7 Steps of Carbonology series, featuring our Carbonologist, David Algar. This episode delves into the creation and communication of a carbon reduction plan, and the benefits of reducing your footprint rather than relying on offsetting alone.

[10:14] The 7 Steps of Carbonology – Reduce snippet – Full episode available in the ISO Show Archive   

[16:48] #3: Episode 117 PMC’s journey and ongoing success with ISO 27001 – This is an interview with Philip Bailey, the Managed Services Director at PMC Retail, talking about their ISO 27001 journey. Philip shares his lessons learned and gives some top tips for anyone considering implementing the Information Security Standard.

[17:58] PMC’s journey and ongoing success with ISO 27001 snippet – Full episode available in the ISO Show Archive 

[24:00] #4: Episode 100 How to get the most out of your Management Review – Featuring Rachel Churchman, Managing Consultant here at Blackmores, this episode explores how added value can be gained from doing a Management Review. Mel and Rachel discuss various ways you can conduct a Management Review and what should be your key inputs and outputs.   

[26:14] How to get the most out of your Management Review snippet – Full episode available in the ISO Show Archive   

[30:41] #5: Episode 108 How to align your Management System with the Sustainable Development Goals – Following on from the Sustainable Development Goals summary episodes, Mel shares how you can align your Management System right now without the need for any ISO certification.

[32:37] How to align your Management System with the Sustainable Development Goals snippet – Full episode available in the ISO Show Archive 

We look forward to bringing you even more amazing content in 2023, so stay tuned! 😊


Data breaches have risen by 70% globally in Q3 of 2022, reinforcing the requirement for many to seek out Information Security solutions, especially those within the tech space.

Today we speak to Triaster, who have been in operation since 1994, providing businesses with process mapping and execution software to help drive business improvement.

Triaster’s Business Operations Manager, Jane Duncan, explains why they sought to implement ISO 27001, what challenges they faced and what they learned during their certification journey.

You’ll learn

  • Who are Triaster?  
  • Why Triaster Implemented ISO 27001
  • What did they learn from their experience?
  • What benefits have they seen as a result of Implementing ISO 27001?

Resources

In this episode, we talk about:

[00:54] Get to know Jane Duncan – Triaster’s Business Operations Manager who has recently started fostering dogs for a local charity.

[01:41] Who are Triaster? In short, they build software solutions that drive business improvement. They are a thought leader in their field and strive to create new software to meet business needs.

[02:25] What was the main driver for achieving ISO 27001? In 2020, they had certified to the Quality Standard, ISO 9001, and saw the many benefits that come with ISO certification. They saw ISO 27001 as both an opportunity and a necessity due to their work within the IT industry. ISO 27001 is seen as a mark of trust and provides a central framework to improve data security.  

[04:28] How long did It take to implement ISO 27001? They started looking at certification bodies and consultants to help with implementation in March 2021. The project overall lasted six months, with their assessments taking place in September and October of the same year. They also chose to recertify to ISO 9001 at the same time – this aligned both Standards under one Integrated Management System.  

[06:35] If you are considering implementing multiple ISO Standards, it’s recommended to integrate them into a single Management System. This reduces the costs of implementation and is overall easier to maintain.

[07:17] What was the biggest gap identified in Triaster’s initial Gap Analysis? They had a lack of security policies in place in addition to a lack of processes that would have mitigated potential data security risks.   

[08:00] What was the biggest difference ISO 27001 made? They now do regular annual SWOT and PESTLE analyses that are evaluated at Management Reviews. Risks identified during those reviews are added to a risk register and are used to develop the necessary objectives and controls needed to mitigate future risk.

[08:38] Other differences include the ability to track non-conformities, security risks and opportunities for improvement. They also have the confidence to prove their data security credentials to clients and have the required documentation to back it up. Tendering processes are also made easier by having ISO 27001 as it is often a requirement that can now be ticked off.

[09:25] Triaster use an infrastructure partner (who are also ISO 27001 certified) and can now hold them accountable for the services they provide.

[09:50] Jane states that they are now a much better business following the Implementation of both ISO 9001 and ISO 27001 – continually improving their processes and scrutinising working practices.  

[10:54] All of the same security practices can be followed by those who are homeworking at Triaster.

[11:05] What has been the main lesson learned? The process of certification is a journey – it’s about continually improving and truly adopting the ethos of Information Security into every aspect of the business.

[11:52] What are the main benefits? They hope their clients can see their efforts and have confidence in Triaster’s ability to keep their data secure. They also now have the processes in place that drive continual Improvement.

[12:33] Jane’s top tip: Document what you do as a business and look for gaps. Also, certification is a journey, and you shouldn’t stop striving to improve once you achieve certification. 

[13:00] What book would you recommend and why?  Internal Auditing in plain English: A simple guide to super effective ISO Audits by Craig Cochran

[14:15] Jane’s favorite quote: “No one is you, and that is your superpower”


Today we’re joined by Philip Bailey, Managed Services Director at PMC Retail, to talk about PMC’s experience with ISO 27001, from implementation to on-going maintenance.

PMC is a leading retail IT services and solutions provider, who recognised the growing need for formal Information Security certification. They succeeded in achieving certification to ISO 27001 in 2021, now almost a year down the line, we catch up with Phil to find out what they’ve learned, benefits of certification and some tips for those looking to implement ISO 27001.  

You’ll learn

  • Who are PMC retail?
  • How do PMC currently manage their ISO 27001 certification?
  • How has the ISO Support Plan helped?
  • What have they learned from implementing the standard?
  • What are the benefits of implementing ISO 27001?
  • ISO 27001 Top tips from Phil

Resources

In this episode, we talk about:

[01:03] An interesting fact about Phil – He started in electronic engineering and was involved in the build of a system designed to measure the mirrors used in a telescope that was carried on the Discovery shuttle!

[01:44] Who are PMC Retail?

[03:49] An example of one of PMC’s projects – Pulling together legacy systems, updating them to newer technologies while maintaining the legacy data.

[04:40] Learn about Phil’s role at PMC  

[05:45] PMC are now certified to ISO 27001 – one of the most popular ISO Standards globally in recent years. It’s becoming something of a mandatory requirement in the tech space when bidding for contracts.

[06:31] How do PMC manage their ISO 27001 certification – Created a small team dedicated to the task of achieving certification – along with some help from us 😊 Following certification they onboarded a Compliance Governance Manager to keep up with Internal Audits and other ISO maintenance.

[08:25] How has the ISO Support plan helped? – Blackmores helped to implement the standard, and were very familiar with their system and way of working. Great to have a wealth of knowledge to tap into.

[09:00] PMC managed to implement the standard in just 6 months!  

[10:25] What did PMC learn from their experience? It wasn’t an easy task! Getting leadership commitment from the start made a huge difference.  

[11:50] The benefits PMC have experienced by implementing and maintaining ISO 27001: Being able to identify risks and put actions in place to mitigate them. Certification demonstrates a robust security infrastructure to third parties. Establishes more credibility to customers and partners. They are able to see a pathway for business growth, utilising the certification.

[14:30] ISO 27001 has helped to collate and bolster their existing Information Security structure – Having a library of resources, unified policies and procedures, company wide Objectives, and better understanding of measuring & managing risks.

[16:15] PMC ensure that staff complete annual training – as required by the Standard.

[17:10] Phil stresses that you can’t just stand still where Information Security is concerned; you need to be aware of new risks and make sure those in your business are also aware and know how to react.

[18:00] Top tips from Phil: Get Leadership commitment early on. Build yourself a Management Team. Get help from an experienced external party. It’s not a walk in the park, and needs focus to achieve in a reasonable amount of time.

[19:42] Phil’s book recommendation: The magic of thinking big by David J. Schwartz.

[21:42] Phil’s favourite quote: “You’re never too old to set a new goal, or too old to dream another dream”

We’d love to hear your views and comments about the ISO Show, here’s how:

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the Physical category, is something called physical security monitoring. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into physical security monitoring to explain what it is and give examples of different types of security and monitoring you can put in place.   

You’ll learn

  • What physical security monitoring is
  • The purpose of physical security monitoring  
  • What should be monitored?
  • Different types of security and monitoring you can consider

Resources

In this episode, we talk about:

[00:36] A quick recap of our ISO 27002 series and its purpose to date – Start from Episode 109

[01:58] ISO 27002 controls reduced from 114 controls to 93 – reduction due to some of them being combined or made redundant in the latest version

[04:02] The purpose of Physical Security Monitoring

[06:22] Example of where security monitoring solved an issue at a bank  

[07:29] Another example of a London business who lacked physical security monitoring

[08:45] The importance of reviewing your need for physical security monitoring – what level do you need? Will it include CCTV, access cards etc.?

[10:10] An overview of the various access points to consider, including: Main building, secure offices, server rooms, visitor access rights, CCTV, security alarms and personnel

[10:53] Example of where failure to verify a visitor highlighted a company’s lack of security.

[11:30] The importance of communication and inductions for key reception and security staff, to ensure they can do the proper checks on visitors / know who should and should not be allowed into certain areas of your workplace.

[13:50] Suggestion of a checklist for checks on visitors for temp reception staff  

[14:32] How do you define what needs 24 hour monitoring and what can be monitored for selected hours?

[15:46] The installation of security measures should be appropriate for your needs – don’t go overboard if it’s not needed. i.e. a Data Centre would need a high level of security but a small office may only need access control

[17:48] Take note of any security requirements in customer contracts

[18:10] How do you ensure the integrity of your security measures? i.e. CCTV – guidelines are available for installation, including placement, connection to your systems, keeping the timestamps accurate, logging any camera failures.

[20:00] Example of where a German company mapped out their CCTV so they could highlight blind spots, which were then pointed out to guards who did more checks in those areas

[21:15] Make sure you maintain any security equipment  

[22:10] What crossover is there with other ISO 27002 controls? i.e. data masking being used in visitor books   

[24:45] How can you apply this control to home workers? This can include training on being aware of potential security risks at home and locking the computer when not nearby etc.

Download our ISO 27002 changes Quick Guide here:


ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category, is something called web filtering. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into web filtering to explain what it is, break down the different types and gives examples of uses that you could implement to reduce risk.   

You’ll learn

  • What is web filtering?
  • The purpose of web filtering
  • The different types of web filtering  
  • Different measures of web filtering that can be implemented

Resources

In this episode, we talk about:

[01:05] How you can adopt the new controls of ISO 27002 ahead of the latest version of ISO 27001:2022 being published

[02:00] The purpose of web filtering

[02:26] An overview of what web filtering is: It’s a security technology that monitors web activity and prevents users from accessing websites with malicious content or sites that are deemed to be inappropriate for business use

[03:45] Outlook already has web filtering built in

[04:17] The Internet is still the dominant facilitator for cyber crime

[04:40] Types of web filtering, including: Browser based filters, search engine filters, client side filters and network based filters

[06:58] Examples of where web filtering comes into practice – to protect against threats from malicious sites with malware or phishing content, false anti-virus updates, sites with illegal content and sites with out-of-date SSL certificates.

[08:15] Are you safe relying on Microsoft Windows?

[08:50] What to look out for on websites to check that a site is secure: A padlock in the bottom right corner, use of reputable third party payment gateways.

[09:27] Examples of what to be wary of when using the web i.e. deals that are too good to be true  

[11:40] Consider setting up a small internet café that is separate from the company network – to allow employees access for personal use and to help keep your systems safe.

Download our ISO 27002 changes Quick Guide here:


ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the organisational category, is something called threat intelligence. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into threat intelligence to explain what it is, gives examples of the different types and shares some tools and activities that will help you develop threat intelligence  

You’ll learn

  • What is threat intelligence?
  • What does threat intelligence actually do?
  • The different types of threat intelligence
  • What tools can you implement to help with threat intelligence?
  • What activities can you do to help develop threat intelligence?

Resources

In this episode, we talk about:

[01:19] The definition and purpose of threat intelligence

[03:01] Threat intelligence doesn’t have to factor into your scope and context – you can integrate findings in later

[03:50] Threat intelligence is about being aware of not only internal threats, but global threats that could impact your business

[04:50] Threat intelligence is not only about IT (i.e. viruses)

[05:19] That being said – cyber threats are still a big factor. So ensure you have tools, training and measures in place to reduce cyber attacks and breaches.

[06:30] Types of Threat intelligence, including: Cyber, Strategic and Tactical  

[07:58] What threat intelligence actually does – Firstly ensure that you are collecting relevant data. That data can be analysed and used to reduce risk, to help you be proactive instead of reactive to threats.

[09:51] Threat intelligence is very applicable to Business Continuity (ISO 22301)

[10:35] The different types of tools you could consider, including: Security information and event management (SIEM) and CSOC – Cyber Security Operation Centres

[12:30] Types of threat intelligence activities you can do. This includes: Establishing objectives, collection of information from selected sources, analysing information to understand how it relates and is meaningful to the business and communicating information to relevant individuals.

[15:10] Ensure your threat intelligence is dynamic – and use it to inform and update your Risk Assessments at regular intervals

[16:30] Threat intelligence works with the Plan-Do-Check-Act cycle that is commonly seen in most ISO standards

[17:10] Threat intelligence can be used by any business regardless of any ISO certification you may or may not have.   

[18:05] Keep an eye out for our ISO 27001:2022 migration support offering!

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!


ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category, is something called Data Masking. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into data masking to explain what it is, why it’s so important and details a few of the different types of data masking

You’ll learn

  • What is data masking?
  • Why is data masking important?
  • How does data masking work?
  • What are the different types of data masking?

Resources

In this episode, we talk about:

[01:33] The purpose of data masking according to ISO 27002 – Now more clearly defined when compared to earlier versions

[02:55] A brief overview of PII (Personally Identifiable Information)     

[03:52] A summary of the defined attributes of data masking     

[05:25] What is data masking? Including definitions for obfuscation, data anonymization and pseudonymisation

[08:50] The benefits of having a more clearly defined control for protecting PII

[09:35] Other standards where data masking is applicable – ISO 27017, ISO 27018 and ISO 27701  

[11:27] Why data masking is so important currently

[12:40] How data masking works in practice  

[13:10] Static data masking –  data is masked in an original database then duplicated into a test environment

[13:34] Dynamic data masking – The original sensitive data remains in the repository and is never exposed to unauthorised users; contents are shuffled in real time, on demand, so that what is returned is masked

[14:50] On the fly data masking – Masking data while it is transferred from production systems to test or development systems before the data is saved to disk.

[15:55] Techniques for data masking include – Substitution – Businesses substitute the original data with random data from a supplied or customised lookup file.

[16:15] Shuffling – Businesses substitute the original data with other authentic-looking data, but they shuffle the entries within the same column randomly.

[17:09] Number and date variances – For financial and date-driven data sets, applying the same variance to create a new dataset doesn’t change the accuracy of the dataset while masking data.

[17:56] Encryption is still the number one method for data masking

[18:40] Character scrambling – This method involves randomly rearranging the order of characters. This process is irreversible so that the original data cannot be obtained from the scrambled data.
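As an added example (not code from the ISO Show or from Blackmores), the Python script below applies the masking techniques listed above, plus the keyed pseudonymisation mentioned at [05:25], to a constructed customer table so that a masked copy can be handed to a test environment. The records, the lookup list of replacement names, the 7% salary variance, the 45-day date offset and the HMAC key are all constructed for illustration; the function names are assumptions, not anything from the Standard.

```python
"""Data masking techniques from the episode notes, as an added example.

Not code from the ISO Show or Blackmores. All records, the lookup list,
the variance percentage, the date offset and the HMAC key are constructed
for illustration only.
"""
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample records: fictitious people, not real PII.
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.org",
     "salary": 52000, "dob": date(1985, 3, 14), "notes": "Prefers evening calls"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "salary": 61000, "dob": date(1979, 11, 2), "notes": "Account under review"},
    {"id": 3, "name": "Carol Test", "email": "carol@example.org",
     "salary": 48500, "dob": date(1992, 7, 30), "notes": "Moved house in May"},
]

# Substitution source: a small "lookup file" of plausible but fictitious names.
LOOKUP_NAMES = ["Pat Green", "Sam Brown", "Lee White", "Max Black"]

# Constructed secret for pseudonymisation; keep it out of the masked data set.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def substitute(values, lookup, seed=0):
    """Substitution: replace each value with a random entry from the lookup list."""
    rng = random.Random(seed)
    return [rng.choice(lookup) for _ in values]


def shuffle_column(values, seed=0):
    """Shuffling: keep the real values but permute them within the column so
    that no row keeps its own value (retry until there is no fixed point)."""
    rng = random.Random(seed)
    out = list(values)
    for _ in range(100):
        rng.shuffle(out)
        if all(a != b for a, b in zip(out, values)):
            return out
    raise ValueError("no derangement found; column may contain duplicate values")


def apply_variance(values, pct):
    """Number variance: apply one fixed percentage to every value, so totals,
    ratios and trends in the masked data stay analytically useful."""
    return [round(v * (1 + pct), 2) for v in values]


def shift_dates(values, days):
    """Date variance: apply the same day offset to every date, preserving intervals."""
    return [d + timedelta(days=days) for d in values]


def scramble(text):
    """Character scrambling: rearrange characters with an unseeded system RNG.
    The permutation is never stored, so the original cannot be recovered."""
    chars = list(text)
    random.SystemRandom().shuffle(chars)
    return "".join(chars)


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Pseudonymisation: a keyed hash gives a consistent token per input, so rows
    can still be joined, but only the key holder can relate tokens back to people."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_records(records, seed=0):
    """Build a masked copy of the table suitable for a test or development environment."""
    names = substitute([r["name"] for r in records], LOOKUP_NAMES, seed)
    emails = shuffle_column([r["email"] for r in records], seed)
    salaries = apply_variance([r["salary"] for r in records], pct=0.07)
    dobs = shift_dates([r["dob"] for r in records], days=-45)
    masked = []
    for rec, name, email, salary, dob in zip(records, names, emails, salaries, dobs):
        masked.append({
            "id": pseudonymise(str(rec["id"])),  # stable join key, real id not exposed
            "name": name,
            "email": email,
            "salary": salary,
            "dob": dob,
            "notes": scramble(rec["notes"]),     # irreversible free-text scramble
        })
    return masked


if __name__ == "__main__":
    for row in mask_records(RECORDS):
        print(row)
```

Note that shuffling and variance keep the data's statistical shape (the same e-mail domains, the same salary ratios and date intervals), which is what makes the masked copy useful for testing; the scramble and the keyed pseudonym are the parts that cannot be undone without the key, which is why the key must never travel with the masked data.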

[19:50] Other forms of data to take into consideration – Protected health information, Payment card information, Intellectual property and Company specific Information

[23:02] How GDPR promotes data masking

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!


ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

As a reminder, ISO 27002 (Information security, cybersecurity and privacy protection — Information security controls) is a guidance document which provides further best practice advice to strengthen your IT Security.

Today, Steve Mason explains the changes made to the 2022 version of ISO 27002, gives a summary of the 11 new controls and gives examples of some key considerations and actions you can take to implement them.

You’ll learn

  • What changes have been made to ISO 27002:2022
  • Why ISO 27002 has been updated in 2022
  • An overview of the 11 new controls added to ISO 27002
  • Examples of actions you can take to implement the new controls

Resources

In this episode, we talk about:

[01:28] A brief summary of the changes to ISO 27002:2022, including new controls, new structure and attribute types

[05:30] Controls in ISO 27002 now have a defined purpose to avoid misinterpretation     

[06:29] A summary of the 11 new controls by name and category    

[08:10] Threat intelligence – What tools do you have in place to identify threats? How do you monitor your threat intelligence effectiveness?

[11:20] Information Security use of Cloud Services – A reminder that ISO 27017 covers this in more detail! Do you have a cloud policy in place? Does it align with your clients’ security requirements?

[13:10] ICT readiness for Business Continuity – Focus on recovery of IT services following a disaster. Do you have Business Impact Assessments in place? If you’re certified to ISO 22301 – this area is most likely covered

[14:36] Physical Security monitoring – Are you monitoring physical security? i.e. keycard access, CCTV etc.

[16:23] Configuration Management – Are your IT systems working well together? Do you have an established configuration for passwords? (i.e. how many characters, alphanumeric, symbols etc.)

[18:13] Information Deletion – If data needs to be deleted, ensure that it is deleted in a secure manner and can’t be recovered.

[21:48] Data Masking – Make sure that any data that shouldn’t be shared is masked in some way i.e. obfuscated or anonymized.

[23:31] Data Leakage – Put measures in place to stop data being leaked through i.e. USB drives, people sending business information to personal email addresses etc.

[26:55] Monitoring Activities – You could monitor network traffic, software access etc. Be selective in your monitoring; only do so if it will be of benefit to the business.

[28:04] Web Filtering – Ensure that employees can’t access any nefarious / high risk websites that could cause a security breach      

[30:15] Secure Coding – Ensure that software is developed securely, so that anything you build is free of as many vulnerabilities as possible.

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!


Did you know there were 80 identified security incidents, resulting in 34,908,053 compromised records in June 2022 alone!

Standards such as ISO 27001 can help you put measures in place to reduce risk and help set up procedures for data recovery. However, fewer organisations adopt the guidance document ISO 27002, which provides further best practice advice to strengthen your IT Security.

ISO 27002 has recently been updated with 11 new controls that tackle recent emerging technology not covered in ISO 27001:2013.

Today, Mel explains ISO 27002 (Information security, cybersecurity and privacy protection – Information security controls), why it’s been updated and gives a high-level overview of the changes.

You’ll learn

  • The purpose of ISO 27002
  • How ISO 27002 works with ISO 27001
  • Why ISO 27002 has been updated in 2022
  • A basic overview of the changes to controls within ISO 27002:2022

Resources

In this episode, we talk about:

[00:30] A reminder to keep an eye out for future episodes on the upcoming updated version of ISO 27001:2022

[00:52] An introduction to the guidance document ISO 27002    

[02:02] Controls from the updated version of ISO 27002 can be implemented right now – not a requirement of ISO 27001 but recommended.   

[02:25] Why ISO 27002 has been updated – To bring it up-to-date with the latest technologies and simplification of controls

[03:15] What this means for your Information Security Management System

[03:50] We expect to see the new controls in ISO 27002 to be reflected in the updated version of ISO 27001 coming out later this year.

[04:27] Reminder: ISO 27002 is not a certifiable standard but it is best practice.

[05:00] ISO 27002 had its last major update in 2013 – think how much technology has changed since then!

[06:00] A summary of the changes to controls in ISO 27002

[07:25] New controls added to ISO 27002 highlight that the standard is more than just IT Security – A trait shared with ISO 27001

[09:13] A summary of what categories the 11 new controls fall under   

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!


Download our ISO 27002 changes Quick Guide here:

This episode is the final part of our 3-part series on Management Review, and this time Mel is joined by Rachel Churchman to explain how to best conduct Management Reviews and what’s best to include in them.

Rachel Churchman is a Managing Consultant at Blackmores where she assists clients to implement, maintain and continually improve their UKAS certified ISO Management Systems.

Mel and Rachel discuss the different ways to conduct a Management Review, how to improve the Management Review process, and who should be involved in your Management Review.

You’ll learn

  • The purpose of a Management Review.
  • Different ways to approach your Management Review.
  • The importance of using data.
  • Who you should involve in your Management Review.
  • How to deal with non-conformities and corrective opportunities.

Resources

In this episode, we talk about:

[07:30] The purpose of a Management Review.

[11:15] The Management Review carried out at Blackmores and the issues we came across.

[13:06] The ways Covid has shifted from being viewed as a risk to an opportunity.

[14:14] The importance of reviewing your company’s subscriptions in your Management Review.

[15:30] The benefits of involving more people in your Management Review.

[17:52] Why data analysis is so essential in a Management Review.

[22:35] The importance of considering your outputs as well as your inputs in your Management Review.

[24:47] Areas you should monitor and measure in your Management Review.

[30:53] The most beneficial ways to review your objectives.

[34:43] How to deal with non-conformities and corrective opportunities at Management Review.

[37:20] Types of resources you should review in your Management Review.

[41:50] Our top tips for Management Review.

[47:24] The three different ways to conduct a Management Review and the benefits of each one.

For members of the isologyhub, we have a few Management Review templates available for download


Today, we’re joined by Morgan Sindall’s Head of Information Security and Compliance Neil Binnie, to discuss the Information Security Standard ISO 27001.

Morgan Sindall has been ahead of the curve when it comes to information security, having been certified to ISO 27001 for almost 3 years. With information breaches becoming more common, it’s even more vital to get ISO 27001 certified to prove you have a robust information security framework.

Neil explains the importance of information security, the new cloud security standards that are coming out, and the benefits of using ISO 27001.

You’ll learn

  • The importance of information security in the construction industry.
  • The benefits of using ISO 27001 as your information security framework.
  • How to implement ISO 27001 within your business.
  • The recent shift in mindset around data usage.
  • How hackers are using supply chains to attack businesses.
  • The new standards that are coming out to tackle cloud security.

Resources

In this episode, we talk about:

[02:27] Why information security is so important in the construction industry.

[03:34] The benefits of having the ISO 27001 framework in place.

[05:28] Why supply chain security is so important.

[06:20] How a construction company can help to secure their supply chain.

[08:34] Neil’s experience implementing ISO 27001 in Morgan Sindall.

[12:43] The cloud security standards that are coming out.

[14:52] The benefits of having ISO 27001 in place prior to the Covid lockdowns.

[17:21] The incorrect assumptions people have about ISO 27001.

[18:37] The importance of having a collaborative approach when implementing ISO 27001.

If you need assistance with implementing ISO 27001 – Contact us!


Today we’re joined by Senior Information Security Consultant, Steve Mason to discuss how working from home has affected our online security.

Remote working has become the norm during the pandemic and it’s proven that it can be an effective way for people to have a good work-life balance.

But working from home brings many security risks: we need secure Wi-Fi connections, virus-free laptops, and to be working in environments where we can’t be listened in on.

Steve is an information security expert and as data security risks for homeworkers have shot up, he’s here to explain what we can do to negate this risk.

We talk about the general security risks of working remotely, and the importance of businesses taking this seriously and creating effective processes to mitigate that risk across their business…

You’ll learn

  • How our approach to technology is changing.
  • The increased security risks involved with working from home.
  • The necessity of training your staff in home security.
  • How to access our policy around virtual meeting room security.
  • How to improve your home security and safety.
  • How to reduce the chances of getting a virus or trojan.

Resources

In this episode, we talk about:

[02:30] The added difficulties involved with improving remote client’s security.

[04:06] The benefits of using company devices and the security risks of using your own device and working from home.

[05:47] How to know you’re using a good VPN and adequate virus protection.

[06:36] Using a working from home policy and the benefits that can have.

[09:30] How to monitor employees’ software usage if they are working remotely.

[10:50] Issues some remote workers have with backing up their documents securely.

[12:17] The ways working from home affects your home insurance.

[14:09] The importance of fixing all security weaknesses you become aware of.

[16:56] The necessity of proper security training being given to staff working from home.

[18:38] Security in virtual meeting rooms and the policy we created around that.

[21:10] The main risks involved with working in public places like a coffee shop.

If you need assistance with implementing ISO 27001 – Contact us!


Dinesh Sharma (Director of Information Security Governance at Epiq)

Dinesh Sharma, Director of Information Security Governance at Epiq, joins us on the ISO Show today. He discusses ISO 27001, his in-depth experience of this standard, how it’s working for Epiq, lessons learned, and how he manages this globally for Epiq Global.

We are so excited to interview Dinesh! He has a wealth of experience in terms of implementing frameworks like ISO 27001 and PCI DSS. He’s got plenty of experience ranging from developing information security policies, procedures, managing risk assessments, to delivering security training and awareness, and overseeing internal audits. He also has expert experience in security management and governance as his last 15 years focused on information security.

You’ll learn about:

  • What Epiq does
  • What it means to be Director of Information Security Governance
  • Setting up a security team and managing it in terms of global responsibilities
  • Continual improvement at Epiq
  • Dispelling ISO 27001 myths
  • What has worked well for Epiq in relation to ISO 27001

First and foremost, let’s dive into what Epiq is and does…

What does Epiq do?

Epiq, primarily based in the U.S., is a global professional services company, operating in approximately 25 countries including Germany, Belgium, India, London and so many more.

Epiq primarily provides support to the legal industry (so to law firms and the legal departments within large organisations). Their key service is around E-discovery. This applies where there is a potential investigation, or where two parties are about to enter litigation. Some processes need to happen around data collection, data review, forensics, processing and document review. Epiq can make all of this so much more efficient and cost-effective for clients! Another core service Epiq provides is court reporting and transcription services. Other services include business transformation services, class-action and a range of other services.

Now, let’s find out more about Dinesh’s role…

Role at Epiq

Dinesh is part of the Global information security function at Epiq. They have a dedicated Global information security team to support the business.

Dinesh’s specific role is to lead the security governance side of things. This means that he manages and helps to define the information security policy set and Information Security Management System (ISMS) within Epiq. He also leads and coordinates the internal security assessments (part of which is internal ISMS audits as well as internal security audits across Epiq). He even reviews and provides input on contracts of clients and vendors around security clauses to ensure they align with the policies of Epiq. His team also delivers staff security awareness and training. Finally, his team manages security certifications including ISO 27001 (very relevant for today!).

So, let’s explore how a mature ISMS is managed…

How to go about setting up a security team and manage it in terms of global responsibilities?

At Epiq they have a dedicated team within their information security function for security operations. This team oversees the security toolset, they monitor the alerts from this toolset, such as their end-point detection and the logging and alerting around network security. This security operations team also takes the lead on defining their processes and handling any security incidents. So, they have a separate team for this specifically.

They also have a separate team for security architecture and security engineering. These teams work very closely with the business to make sure that security is considered and embedded within the projects and new offerings Epiq has as a business, as well as developing their tools. So, if Epiq is looking to implement a new security tool, this team will be very involved in looking at the different vendors that provide that offering, how that would be embedded and work within the infrastructure of Epiq, and the environments with which they serve their clients. So, Epiq has got the structure of sub-teams within the security function well defined!

Of course, sitting on top of this, Epiq is very fortunate to have some very experienced and very qualified leadership come into that team. The governance and operations side is managed by a gentleman called Jason. He has lots of experience and brings experience from other industries he’s worked with. He has a peer called Andrew, who looks after the engineering and architecture side. Epiq also has a new Chief Security Officer (CSO) who is very knowledgeable and savvy. He is doing a really good job of lifting the profile of not only security within the organisation, but also Epiq’s security functions. So, they are fortunate to have that leadership as well.

This is fantastic…when organisations are starting with implementing an ISMS, we always find that leadership commitment is so key! It’s great to hear that Epiq has got a mature management system yet are still continuing to focus on leadership commitment and bringing that in from various angles across the organisation as well.

In terms of the ISMS then…

Epiq has got many other security standards, so what we want to know is how their ISMS helps them to manage all their activities.

Well, looking at the requirements of ISO 27001 and setting up an ISMS that works, Dinesh thinks the most important thing it gives an organisation, regardless of what level of maturity it is at, is what the basic components and principles are in terms of a framework that you should be having in place or that you should consider having. This is because if you want to go for certification to ISO 27001, then you must have some of these things in place.

Dinesh very much sees this as a baseline!

Once you establish that baseline, with the documentation, the processes which support the documents, and the staff in place who can deliver on those processes, you then think: ‘what can you do to increase the maturity?’

A big part of ISO 27001 is continual improvement. This is something Dinesh thinks is very important and puts a lot of focus on in his role. So, that’s all tied with the kind of internal security reviews that they do with the internal assessments that happen. But any feedback they get from the business, or any input or discussions they have with the business which can raise or flag something, e.g., as a potential block, are put onto their continual improvement register to work with the team or the business area. It might be something they have to work on themselves. The important thing is to always look out for these kinds of things. That’s why this is a key area of focus for Dinesh, in his role, as he thinks about what can improve each step of the ISMS in Epiq.

However, a lot of companies, once they’ve completed the assessment, think that’s the job done. But you can’t put your feet up just yet! This is only the beginning of the journey, which is why Dinesh identifies this as the baseline and the foundation to be used for continual improvement.

So, let’s look at what Epiq has implemented in relation to continual improvement, which has been above and beyond this baseline.

Epiq and continual improvement

Epiq has implemented Critical Asset Reviews. They identified their 15 most critical assets and, instead of doing a full security review, they pick the 10 most important controls, plus any other controls they think would deliver the highest level of security if they were in place. So, they have done a very focused security review, based on risk and on what they think their most important assets are. They dig deep into what the risks and issues are and, by acting on these, move Epiq to another level.

Now, let’s move onto the part where we dispel myths around ISO standards!

Dispelling ISO 27001 myths

Dinesh believes that a good understanding of ISO 27001 is needed to know what the standard actually means. There is a difference between being aligned and being certified to ISO 27001. So, an independent review of your ISMS is really important as it shows you haven’t just picked and chosen which parts of the core standard you’re going to implement. It shows that you’ve had to do them all and have had that verified and tested. This would provide a level of assurance to your organisation and stakeholders. That’s why there is such a big difference between being aligned to the standard and being compliant with it.

Finally, I’m sure our audience would love to know…

What has worked well from an information security perspective in relation to ISO 27001?

Dinesh identifies top-level management commitment within a business as the most crucial thing in any implementation of a standard. The business needs to understand the importance of information security. So, everyone needs to be aware of what the benefits are, what’s going on and what is important. Epiq does this during their management reviews, where all four of their CEOs attend. They take the management review section of ISO 27001 and cover most of it in their quarterly meetings, and because this is visibly supported by their CEO, the business leaders reporting to the CEO and all their directors attend the management reviews as well. So, they all understand what’s going on, what’s important and what the key risks are from the security team’s perspective. Having this conversation in your business just makes everything a lot easier, according to Dinesh.

That’s it from Dinesh! We hope you enjoyed learning about Epiq’s journey…it’s inspirational to hear how Epiq is still developing, evolving, improving and still getting such fantastic commitment from the very top as well. It clearly demonstrates Epiq Global’s commitment to information security without a shadow of a doubt!

If you have any enquiries for Dinesh, or would simply like to connect with him, you can get in contact using one of the ways below:

Email: dsharma@epiqglobal.co.uk

Website URL: Epiqglobal.com

LinkedIn handle: uk.linkedin.com/in/dineshcsharma

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

Today, we’re joined by the Director of Corporate Assurance at Totally PLC, Falu Bharmal.

Falu plays a key role in working with NHS England and has in-depth knowledge and understanding of ISO implementation, Legal Policy relating to corporate governance, health and safety, and integrated Risk Management. He has extensive experience in establishing new corporate governance structures, systems, and processes to ensure organizations are fit for purpose.

Today, Falu is here to discuss ISO 27001 (Information Security Management), and why it’s so important to have consistent practices throughout a company.

Falu explains how he’s able to implement new ISO standards so effectively and some of the biggest improvements ISO 27001 has allowed him to make.

We talk about how best you can prepare before implementing a new standard, and how ISO standards can help systemise your way of working across a company.

Visit the Totally PLC website to learn more about their services.

You’ll learn

  • The benefits of working as a group with consistent practices throughout a company.
  • How to effectively prepare for and implement new standards.
  • How ISO 27001 is used as a best practice mechanism.
  • How implementing standards can help to systemise the ways of working across a company.
  • How many people you need to be involved with the implementation of new standards.

Resources

In this episode, we talk about:

[00:29] The services Totally PLC supplies and how they support the NHS and reduce A&E waiting times.

[03:30] The different divisions that make up Totally PLC.

[05:36] The ways Falu as Director of Corporate Assurance is involved with ISO implementations.

[06:34] How Falu implements ISO standards effectively.

[07:21] How ISO 27001 is used as a best practice mechanism for Totally PLC.

[08:20] Some of the biggest improvements Falu’s made through using ISO 27001.

[09:25] How ISO standards help to systemise ways of working across a company.

[10:14] The different roles Totally PLC has dedicated to ISO implementation.

[12:18] The best things you can do before implementing a new standard.

[13:46] The extra pressures Totally PLC has faced due to the pandemic, and the new opportunities this has brought.

If you need assistance with implementing ISO 27001 – Contact us!


Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.

With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.

Today, Steve is back to discuss the new ISO 27017 (Information Security Controls for Cloud Services Standard), and why it is needed in addition to ISO 27001.

The current publication of ISO 27001 was released back in 2013 before cloud security was as big of a concern. Due to this, it does not adequately cover cloud security and hence the new standard ISO 27017 was released.

It is wise not to assume that the cloud is secure on its own; you need a provider that can demonstrate protection from hacking and guarantee your security.

The standard brings 7 new controls:

  • 6.3.1 Shared roles and responsibilities within a cloud computing environment
  • 8.1.5 Removal of cloud service customer assets
  • 9.5.1 Segregation in virtual computing environments
  • 9.5.2 Virtual machine hardening
  • 12.1.5 Administrator’s operational security
  • 12.4.5 Monitoring of cloud services
  • 13.1.4 Alignment of security management for virtual and physical networks

In this episode, Steve talks through some of these new controls, explains why they’re so important, and describes who can benefit from implementing this new standard.

You’ll learn

  • How the standard works for both customers and providers.
  • How ISO 27017 works as a unique selling point for businesses.
  • The new controls and how they demonstrate security within the cloud.
  • The benefits of adopting ISO 27017.
  • How doing a gap analysis can help you to understand what cloud controls you already have in place.

Resources

In this episode, we talk about:

[01:30] Why it’s important to have a standard for cloud security when we already have ISO 27001.

[02:46] The type of new controls and how they make the standard ‘cloud effective’.

[05:37] Some examples of the new controls.

[07:20] The prerequisites you need before implementing ISO 27017.

[08:37] The type of certificate you get with ISO 27017.

[10:22] How ISO 27017 can set companies apart from their competitors.

[11:03] What the future for ISO 27001 and ISO 27017 looks like.

[13:03] Advice for anyone thinking of implementing the standard.

[14:20] The main benefits there are from implementing ISO 27017.

If you need assistance with implementing ISO 27017 – Contact us!

