ISO27001 audits can be quite daunting, especially if information security or the ISO27001 standard itself is not your main area of expertise.
Concerns that arise in the run-up to an ISO27001 audit usually range from:
- “I need more resource if we’re going to do this”
- “I don’t have adequate skills for this”
- “Where is the ISO documentation? (or is there documentation?)”
- “Have we carried out awareness training?”
- “We have an ISO27001 audit coming up, who is going to take responsibility?”
I’m sure anyone who has been involved in an ISO27001 audit will have heard one or more of these whenever the company has sat down to discuss how to approach the audit.
Not to worry. Having been through quite a few of these audits myself, I have listed the top five categories, with tips on what you will need to ensure has been implemented in your company. It always helps to have the ISO27001 standard at hand and to make sure that, as a team, you have read each clause and understood what is required.
Leadership – Embedding an information security culture in your organisation begins with leadership. Having a management team that supports and implements good governance around information security is the foundation of good cyber security.
Your management team needs to have an understanding of the information assets in your business, why they are important and why they need protecting.
Absence of leadership involvement in your organisation’s information security strategy will signify a non-conformity against clause 5 of the ISO27001 standard.
Merely paying lip service to this clause will quickly be uncovered in any ISO audit and can result in an embarrassing conversation for your CEO or top executives if asked to evidence their involvement.
Tip: Ensuring that your top management understand the ISMS (Information Security Management System) and the security-related risks is key to your ISO accreditation as well as to the secure operation of your business.
Regular management reviews help ensure the appropriate level of ownership by the business so that adequate resources can be made available by senior management to implement the risk treatments.
Make sure your management reviews have documented minutes and an action log with clear actions, owners and time frames.
Policy Management – How will your staff know what’s expected of them if you don’t tell them? Policies exist because of a risk to the business. They should outline what the risk is, the potential impact to the business, and what employees, contractors and suppliers must or must not do in order to comply with the processes and controls in place to mitigate that risk.
The Information Security (IS) Policy is a key element of your cyber security. This policy must define top management’s objectives in relation to information security, the associated sub-policies, and the responsibilities for complying with them.
The IS Policy is the founding document of your ISMS. It should set out top management’s vision for information security in light of the strategic business objectives and determine the scope of management’s ambition for the ISMS.
The IS policy must take into account all relevant business, legal, regulatory and contractual security requirements and must be formally approved by top management.
Tip: Ensure that you have a policy management system in place that allows you to clearly evidence policy reviews and employee attestation. This is a great way to ensure that your organisation’s policies are continuously reviewed and updated as your business risks change, and that employees have attested to the latest versions.
Risk Management – Risk is inherent in all business activities; any change made to your business will introduce some form of risk. Having a well-defined risk management strategy will enable you to identify and prioritise threats and vulnerabilities in your business and in your cyber security controls.
In order to identify the risks you will need to carry out a risk assessment and qualify both the probability of each risk occurring and its impact on the business.
From an information security perspective you must assess the impact of each risk on the Confidentiality, Integrity and Availability of the asset affected.
Tip: Have a documented process for how you manage risk and carry out regular risk assessments at planned intervals or when significant changes are proposed or occur in the business.
Create a risk treatment plan that defines how your organisation responds to each risk and the proposed controls that will be implemented to mitigate it to an acceptable level. From an information security perspective, associate the risk treatments with the applicable controls from your Statement of Applicability (SOA); this will help demonstrate to your auditor why you have chosen to implement the controls listed in the SOA.
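The risk assessment and treatment plan described above can be kept as a small, scriptable risk register, which makes the auditor’s question “why this control?” easy to answer with evidence. The following is an added example, not code from the original post or from Safe Harbour Security. It scores each risk as likelihood multiplied by the worst of its Confidentiality, Integrity and Availability impacts, ranks the risks, and then checks the treatment plan against the SOA: every risk above the acceptance threshold must have at least one treatment, and every treatment must point at a control that exists in the SOA and is marked applicable. The risks, the 1–5 scales, the threshold and the SOA entries are constructed sample data; the control identifiers are illustrative labels, not a statement of what your own SOA should contain.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    """One row of the risk register (constructed example)."""
    risk_id: str
    asset: str
    description: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact_c: int                # impact on Confidentiality, 1..5
    impact_i: int                # impact on Integrity, 1..5
    impact_a: int                # impact on Availability, 1..5
    treatments: List[str] = field(default_factory=list)  # SOA control ids


def cia_impact(risk: Risk) -> int:
    """Overall impact is the worst of the three CIA dimensions."""
    return max(risk.impact_c, risk.impact_i, risk.impact_a)


def risk_score(risk: Risk) -> int:
    """Simple likelihood x impact score used to prioritise treatment."""
    return risk.likelihood * cia_impact(risk)


def rank_risks(risks: List[Risk]) -> List[str]:
    """Risk ids ordered from highest to lowest score (ties by id)."""
    return [r.risk_id for r in sorted(risks, key=lambda r: (-risk_score(r), r.risk_id))]


def check_treatment_plan(risks: List[Risk], soa: Dict[str, bool],
                         threshold: int) -> List[Tuple[str, str]]:
    """Return (risk_id, finding) pairs an internal audit would raise.

    soa maps a control id to whether it is marked applicable.
    threshold is the score above which a risk must be treated.
    """
    findings: List[Tuple[str, str]] = []
    for r in risks:
        if risk_score(r) >= threshold and not r.treatments:
            findings.append((r.risk_id, "score %d above threshold but no treatment" % risk_score(r)))
        for control in r.treatments:
            if control not in soa:
                findings.append((r.risk_id, "treatment %s is not in the SOA" % control))
            elif not soa[control]:
                findings.append((r.risk_id, "treatment %s is marked not applicable in the SOA" % control))
    return findings


# Constructed sample register; control ids are illustrative labels only.
RISKS = [
    Risk("R-01", "Customer CRM", "Database exported without encryption", 3, 5, 3, 2, ["A.8.24"]),
    Risk("R-02", "File server", "Ransomware renders shares unavailable", 4, 2, 2, 4, ["A.8.7", "A.8.13"]),
    Risk("R-03", "Laptops", "Device lost in transit", 2, 4, 1, 2, []),
    Risk("R-04", "Email", "Staff fall for phishing", 4, 3, 3, 1, ["A.6.3", "A.8.99"]),
    Risk("R-05", "Backups", "Restores never tested", 3, 1, 2, 4, []),
]

# Constructed SOA excerpt: control id -> applicable?  "A.8.24" is deliberately
# marked not applicable and "A.8.99" is deliberately absent to show the checks.
SOA = {"A.5.1": True, "A.6.3": True, "A.8.7": True, "A.8.13": True, "A.8.24": False}

RISK_ACCEPTANCE_THRESHOLD = 10   # constructed: scores >= 10 must be treated


if __name__ == "__main__":
    for rid in rank_risks(RISKS):
        r = next(x for x in RISKS if x.risk_id == rid)
        print(rid, r.asset, "score", risk_score(r), "treatments", r.treatments)
    for rid, finding in check_treatment_plan(RISKS, SOA, RISK_ACCEPTANCE_THRESHOLD):
        print("FINDING", rid, finding)
```

The output of `check_treatment_plan` is the list you would want cleared before the external auditor walks through the register: a treated risk whose control is marked not applicable in the SOA, or that references a control the SOA does not know about, is exactly the inconsistency that turns into a finding.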
Internal Audits – Internal audits are a great way for a company to stay on top of the ever-changing landscape of its business.
Internal audits ensure that policies, procedures, documentation and people are all travelling in the same direction, as expected.
Internal audits should be used to gauge the effectiveness of the controls implemented by the business and whether they are continuing to have the desired effect.
Tip: Plan, establish and implement an audit programme that can be evidenced. Define the criteria and scope of your audit and ensure that the audit is carried out with impartiality.
Make sure to audit the different clauses of the ISO standard and ensure that you are able to evidence the outcome of each audit.
Awareness Training – The human firewall needs to be on and continuously updated. Cyber awareness training is critical to ensure your staff know how to identify potential cyber threats and how to report them.
Cyber awareness training needs to be a continuous element of your cyber security strategy. Ensuring that your staff have been trained and understand cyber security fundamentals can significantly minimise the risk of a data breach.
Explaining to an auditor that you train your staff, without being able to evidence it, may not be adequate and may result in a minor non-conformity against clause 7 of the ISO standard. Have an awareness plan that you can demonstrate has been implemented and that your staff have completed.
Tip: Implementing a cyber awareness plan helps ensure that your staff know how to identify potential threats and how to report them, and that they are continuously updated on the existing and evolving threat landscape (this is like keeping your human firewalls patched with the latest security updates).
Gaining and retaining ISO27001 accreditation can be resource intensive for some organisations. If you feel that you don’t have the in-house capacity or expertise, take a look at https://Safeharboursecurity.co.uk to see how we can help.
At Safe Harbour Security we can guarantee a range of ISO services that are delivered in the most cost effective and efficient manner by qualified ISO27001 practitioners.
Remember that ISO audits are necessary to ensure that security remains a key focus for your business, but they also present an opportunity for improvement, which in the long run helps keep your business more secure.