Why asking ‘have I passed ISO 27001?’ is a waste of time

Why asking ‘have I passed ISO 27001?’ is a waste of time

A question we often get asked at internal audits is ‘Have I passed?’  The question is irrelevant, as we are auditing a sample of the business processes, not the individual, and in the real world, no business is perfect.  It is not about pass or fail.   Is just a ‘pass’ even good enough? It’s about making sure you’ve got robust systems in place to meet your clients’ requirements and reduce risk, so you don’t fail your clients’ or your business’ own high standards.

Embedding an information security system doesn’t happen overnight. It takes time to establish a system, so it becomes part of an organisation’s DNA.

In our final Podcast episode on how to implement ISO 27001, Steve Mason, Senior Consultant at Blackmores takes us through the last few months of an ISO 27001 project.  This stage generally takes three months because it is a UKAS requirement that the system is ‘established’ prior to the assessment.

It is helpful to audit all aspects of the ISMS before your assessment; however, you need to take a risk-based approach and align the audits with the organisation’s needs.

Steve Mason talks us through a typical internal audit and what to expect.  Although each auditor may have different styles, and each business is unique, so it can never be a tick box or one size fits all exercise. Each company will interpret the standard differently and assumptions cannot be made. 

A typical audit of Human Resources in relation to information security could take 45 minutes.  Questions could cover new employee screening, information security training records, and responsibilities, i.e. job descriptions.  In some cases, even looking at an example of your employees’ terms and conditions to see if the disciplinary section covers the scenario of a security breach made by an employee (which is one of the most common breaches, either accidental or intentional).

Avoiding ‘death by audit’

Although it is essential for internal audits to be completed prior to an assessment, Steve also recommends planning the audits over a three-year cycle to avoid ‘death by audit’ and align this with the period that the certificate is valid for (3 years from assessment)

Information Security Health Check

The final step is to ensure that top management are available for the Information Security Management Review Meeting.  The purpose of this meeting is to bring together expertise within the business on information security, ready for senior leaders to be informed on the ‘health’ of the business and make decisions, so improvements can be made.

ISO 27001 provides an agenda which needs to be covered at the meeting.  Some companies take the approach where all parties need to be involved for the duration, however, a more time efficient approach is to have the key players present, but then bring in the specific expertise as and when needed for a short period i.e. 10 – 15 minutes.  The Management Review Meeting shouldn’t be seen as an arduous task, but a useful exercise to review the effectives of the system i.e. security incident trends, What are IT monitoring? Is the monitoring analysed and effective? i.e. anti-virus, penetration tests. Have actions/non-conformances been addressed? and has this action been effective? By bringing together your organisation’s technical skills and data, you will have a thorough ‘Security Health Check’ so management can understand what needs to be done in order to try and prevent any damaging incidents and continue to empower a positive culture of security.

Join us on the Podcast to hear more about the final stages of an ISO 27001 project including the last, but not least clause – ‘Continual Improvement’ and how Steve uses the ‘5 Ys’ on root cause, to get to the root of a business’ problems.

Click HERE for further information on our ISO 27001 Steps to Success programme.

To help out the ISO Show: