FAQs

December 13th, 2009

What is Accelerated Learning?

Accelerated learning is a theory/practice of learning that acknowledges that we all learn differently.  It also builds on that fact and provides the premise that we all learn better if we see, hear and practice things.   The theory incorporates the concepts of left-brain vs right-brain.

We adopt the basic principles of this in our training.  We ensure that training is substantially exercise based so that you have to learn for yourself, so that you don't get bored and tired and so that you learn more.  Our training is fun and effective and better than the traditional style of training.  For instance, in our lead auditor training – 5 days – we have about 30 PowerPoint slides!

We use these same principles when we customize our training and bring it in house to your organization.


December 8th, 2009

Can I internally audit as a one-time event? Is that robust?

The ISO standards do not dictate how you conduct your audits.  They merely require that they are effective.  It has been argued by some ISO proponents that a one-time event cannot be effective.

Cavendish Scott performs internal audits for many organizations.  We are ISO and auditing experts and take all of the problems and worry out of your ISO system.  Outsource your internal audits and relax.


November 23rd, 2009

How do we Become ISO 27001 Certified?

Currently, most organizations decide to become ISO 27001 certified because of customer or market pressure or because they deal with “important” customers and want to prove they are capable of handling information. Increasingly there are requirements in RFQs, when dealing with government contracts and when meeting legislation, e.g. HIPAA. These types of requirements are not going to go away and are likely to become more and more important. ISO 27001 certification answers these questions without any effort.

ISO 27001 is a management system standard for controlling information security that requires defined and documented procedures and processes that “assure” the management of information.

When working on ISO 27001, many organizations overlook the management system part and focus on strengthening information security. This is a mistake. The truth is that ISO 27001 does not require any particular security technique or performance of information security. Theoretically you could have very poor information security and still be ISO 27001 certified.

Management should be keen to do ISO 27001 because it gives them an objective understanding of the information security perspective without committing to spending indeterminate amounts of money on security.

Information Security Personnel should be keen to do ISO 27001 because it spreads the awareness of the importance of information security and clearly assigns ultimate responsibility to organization management.

You become certified following a successful audit by an accredited certification body. In order to satisfy the audit you must write procedures and define processes that describe your approach to conducting an information security risk assessment. There are other standards that provide information on how to do a risk assessment, but unless you are going to invest in a computer-based risk assessment tool, Excel provides an excellent mechanism. Microsoft also has a free risk assessment tool that could be used, but the emphasis here is on “keep it simple”.

The risk assessment process needs to be comprehensive and includes criteria for risk calculation and a re-assessment cycle once any corrective actions have been taken.
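A minimal risk register that implements the cycle described above (explicit risk criteria, treatment, re-assessment after corrective action, and a traceable record of residual risks left for management to accept), as an added example that is not part of the original post. The 1-5 scales, the acceptance threshold and the sample assets are assumptions.

```python
# Added example: a simple ISO 27001-style risk register.
# Scoring scale and threshold are assumptions; assets and values are constructed sample data.
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 6  # assumed criterion: likelihood x impact above this needs treatment


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    history: list = field(default_factory=list)  # traceable record of every assessment

    def score(self) -> int:
        return self.likelihood * self.impact

    def assess(self, note: str) -> dict:
        """Evaluate against the acceptance criterion and append a record."""
        entry = {"note": note, "likelihood": self.likelihood, "impact": self.impact,
                 "score": self.score(), "acceptable": self.score() <= ACCEPTANCE_THRESHOLD}
        self.history.append(entry)
        return entry

    def treat(self, control: str, new_likelihood: int, new_impact: int) -> dict:
        """Apply a corrective action, then re-assess (the re-assessment cycle)."""
        self.likelihood, self.impact = new_likelihood, new_impact
        return self.assess(f"re-assessed after control: {control}")


def residual_risks_needing_acceptance(risks):
    """Risks still above the criterion after their latest assessment; management must accept these explicitly."""
    return [r for r in risks if not r.history[-1]["acceptable"]]


def build_register():
    # Constructed sample data
    laptops = Risk("staff laptops", "loss or theft of unencrypted device", 4, 4)
    backups = Risk("offsite backup tapes", "courier mishandling", 3, 3)
    for r in (laptops, backups):
        r.assess("initial assessment")
    laptops.treat("full-disk encryption rolled out", 4, 1)  # likelihood unchanged, impact reduced
    return [laptops, backups]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        for e in r.history:
            print(r.asset, "|", e["note"], "| score", e["score"], "| acceptable" if e["acceptable"] else "| treat or accept")
    print("needs management acceptance:", [r.asset for r in residual_risks_needing_acceptance(register)])
```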

A few other processes need to be in place too, including a formal process for dealing with security incidents that occur (or nearly occur), a process to review and generate a statement of applicability (defining which security controls are applicable and explaining them), contingency planning and a process for having information security contacts and knowledge of relevant legislation.

Additionally you need all of the supporting processes and procedures in place to make sure the management system remains effective including document control, record control, management review, objective setting, training, internal audit and corrective and preventive action.

All of these processes and procedures operate in a comprehensive and congruent management system that ensures awareness, responsibility and control over information security.

Although focusing on the security controls is a mistake (both from a certification and management perspective), it cannot be ignored. There are about 173 information security control requirements identified in ISO 27001 (and expanded in ISO 27002) from managing the physical access controls to HR issues (e.g. employment contracts) to software development controls to technical network and operating controls to legal and contingency planning. These requirements must be reviewed and conscious decisions made about how they are to be applied (or not). All of these reviews and decisions need to be recorded and traceable.

No individual control (or group of controls) is mandatory so long as management accepts the responsibility for the residual risks that exist. In practice the system of information security controls needs to be “appropriate” or it is likely that a certification body auditor will be uncomfortable recommending certification. Once everything is working, a certification assessment needs to be completed.

Cavendish Scott provides consulting, training and auditing for ISO 27001. We guarantee that our consulting clients will pass their ISO assessment and get certified. Getting certified to ISO 27001 is fairly easy to achieve and our unique approach takes nearly all of the effort while providing a meaningful and easy to maintain system.

November 23rd, 2009

How do we Become 14001 Certified?

To be 14001 certified you must have a documented system (procedures) in place and you must adopt environmental activities that promote improvement in environmental issues.  You are NOT required to change the way your business operates nor adopt any activity that will be detrimental to the organization.  Typically organizations focus on simple and easy activities that actually provide financial benefit to the organization.

The main procedures and activities cover (usually new) processes in your organization to formally identify and record what environmental aspects exist within the organization and what impacts they have.  Procedures then require identification of the most important ones and the establishing of programs and objectives to improve “some” environmental issues.  As mentioned, these are expected to have a positive financial impact on the organization, like the reduction of energy usage or the reduction of waste.

The organization must also formalize the control over those impacts that it has identified (e.g. if you have equipment that expels dust or affects the air, then you have to have equipment or procedures that describe how you control that equipment to make sure it performs as expected).

The processes for identifying environmental aspects and impacts and setting programs and objectives need to be repeated at least annually.  A few other processes are also necessary – emergency response plans, knowledge of environmental legal requirements and control over communication regarding environmental issues.

Finally you must control (with procedures) the supporting activities which will ensure that the environmental system described so far continues to exist.  This includes document control, record control, training, calibration, internal auditing, management review, non-conformance management and corrective and preventive action control.

All of these processes and procedures operate in a coherent management system that is internally audited to ensure everything continues to work effectively, provides demonstrable improvements in environmental impacts (not necessarily anything “big”) and assures protection where impacts actually occur.

Finally ISO 14001 certificates are issued by accredited certification bodies in the established way.  You must subject yourself to audit to prove your system meets the requirements of the standard.

To do this successfully you will need some expertise in ISO 14001, resources to define processes, write procedures and implement activities, and commitment of management to support the program.

Cavendish Scott consults, trains and audits in ISO 14001.  ISO 14001 is actually quite straightforward and can be designed and implemented very quickly without much internal effort.  Cavendish Scott will also help maintain your system so you don’t have to worry about it.

November 19th, 2009

Is There a Right Way and Wrong Way to do ISO (or AS)?

Yes — but obviously this is controversial.

The most common issue or mistake with ISO systems is the structure of the documentation.  One approach is to structure documentation around the ISO standard.  One document is written for each requirement of the standard until all of the requirements are “explained” in a document.  This approach is very effective at meeting the requirements of the standard and is easy to “boilerplate” – which is why some consultants are comfortable with this approach.  The resulting documents don’t provide much additional value as they really only describe the standard and thus aren’t much use for improvement or even straightforward management.  Because the documentation and the processes it describes don’t have much meaning to the organization, the documents are often ignored; thus as things change in the organization, documentation doesn’t get updated and problems occur with certification.  This approach usually requires constant and deliberate management to keep ISO registered.

An alternative approach is the “process approach” which is advocated by ISO itself.  In this approach, documented procedures are written that describe the activities in the organization.  These documents are actually quite useful as they clarify the right way of doing things and can be used for review and improvement.   The documents become a tool through which the business is organized and operated.  Maintenance is not a chore but a natural part of what is done.

These two extremes are easy to understand, and one is described above as clearly better than the other.  However, it is very difficult to achieve a process-based system.  What should I include in the procedure?  What level of detail?  How and where do I get the requirements?  Should the requirements from one section be in one procedure?  What if requirements seem inapplicable?  It is also true that in smaller organizations the benefits to be obtained from any ISO system are less substantial than they are in a larger organization.  Consequently the ease of implementation and simple acknowledgment of the expected maintenance effort are easy to accept as a price for certification.

If you are using a consultant you should demand a process-based system.  Before contracting, get them to describe and commit to that approach.  If you are attempting ISO alone and you are a small organization (very small, 1-5 people, and no real expectation of growth) then you have more options.

Submit a Question

Whatever your question we promise you personally a comprehensive, quick and correct response. We can't always publish every question, but will if it has wider appeal.
