Common Myth – Big Mistake
There is a belief that you have to have superior security to be ISO 27001 certified. That is not what it's all about. Certain methods and processes do have to be in place to ensure you have effective security, and to ensure that management is held accountable for, and made aware of, any shortcomings. But this does not mean superior security. In fact the emphasis on security is secondary to the processes you have in place: processes which ensure that you know the security requirements and the current security situation in the organization.
Security experts often make a mistake in engaging to provide ISO 27001 consulting. Security experts are, quite rightly, very expensive and very good at security. However, ISO 27001 is about processes and management systems, not the technical aspects of security. In practice, your in-house security and IT personnel are often all the expertise you need from a security point of view. Not only are security experts very expensive, but they usually have very limited experience of ISO management systems, and even if they have "done this a few times" they are not management system experts and are not likely to provide an ideal solution. A costly mistake.
The ISO 27001 Standard
ISO 27001 is a management system standard. It requires you to set up a system in your organization for managing information security. In itself it does not require any particular security measure to be applied. Management can absolutely accept their current security position without buying any new equipment or adopting any new processes, provided the remaining risks fall within the risk acceptance criteria that management itself has defined and documented. What the standard does require is a system which ensures that security issues and risks are identified and treated down to an acceptable level of risk. A level that you decide. It requires the system to be comprehensive and to address all areas of the organization. It requires specific processes for identifying, reporting and managing security events and incidents, and also for defining, planning, testing and managing appropriate mitigation and continuity strategies, so that the organization's business continues in a secure manner. It requires appropriate communication and appropriate attention to legal, regulatory and contractual requirements.
All in all it is a defined, effective and repeatable process and system, integrated into the established business management system, that ensures security is addressed to an appropriate level and that management are aware of, and accountable for, it.
ISO 27002 – a different ISO
Unlike most other ISO standards, ISO 27001 is accompanied by ISO 27002, which covers the specific technical topics of security. ISO 27001 lists a reference set of security controls in its Annex A, and ISO 27002 provides implementation guidance for each of them; this amounts to a comprehensive checklist of controls that "may" be applied. The organization is required to compare its risk treatment against that list, determine the applicability of each control, and record the result in a Statement of Applicability, deciding, in light of any security risks that have been identified, whether any actions are necessary.
Although ISO 27002 itself is not mandatory, some of the same controls are also required by the main clauses of ISO 27001, which makes them effectively mandatory. Training and awareness, and the management of security incidents, are examples where the organization will need to apply the controls. Management of information security in software development will only be applicable if you develop software. The standard states that the list may not be exhaustive and that you may identify other controls that are relevant. However, it is very comprehensive and a great starting point for a thorough review of security in the organization. In practice, this is the one place where you may need security expertise. Even here, the probability is that your in-house IT professionals have enough understanding of the situation to determine which controls apply and to appropriately define the level and treatment of the current risks.
ISO 27001 requires you to think about your information assets and what security issues might affect them (risks). ISO 27002 provides a comprehensive list of security controls that organizations might consider applying. Together they ensure a thorough review of security from two directions: the risks you have identified and the controls you might not otherwise have considered.
Cavendish Scott Advantage
Cavendish Scott has been working with ISO standards, management systems and processes for over 25 years. We design and implement business focused, easy to maintain meaningful management systems that ensure your system is effective but not overly expensive.
ISO 27001 is Easy With Cavendish Scott
“This was by far the best auditing class I've attended and should we need more students trained, Cavendish Scott will be our choice for trainers. The interaction and exercises were phenomenal and the fact that we got audits completed that we can count towards our yearly schedule was a definite plus.”
– SG, Corporate Director Product Assurance, Aerospace services organization
“The [lead] auditor class was absolutely one of the best I’ve ever had the pleasure of attending and know Cavendish will be invaluable in the [ISO] process.”
– DS, Quality Manager, Metal Processing and Manufacturing Organization, Colorado
“Thank you all again for coming out and for all that you do for us. Despite a few challenges, we really do appreciate the value that your audit adds to our business … and that is not just from me; I hear it from other members of the management team.”
– [AS9100 Auditing Client] Manager – Quality Systems, Aircraft Maintenance, Refitting, Services
“It would have been a difficult course for most of us if it weren't for your patience and teaching skill. You have made us all better stewards of the taxpayer's money by making us proficient auditors.”
– [Training Client] Quality Assurance, Naval Shipyard
“This course gave me an excellent overview of the ISO 9001 standard and I now have an appreciation for and solid knowledge of the standard, its intent, and how to audit against it.”
– Documentation Coordinator & Auditor, Chemical Test Standards Laboratory
“The instructor tailored the course as much as he could to the requests and experience of the group present, which made it much more valuable.”
– Environmental Health and Safety Manager, Defense Microelectronics Agency
“This is actually the best class I have attended. Instructor was amazing and very knowledgeable.”
– Top Manager, Integrated Circuit Design and Manufacturing Company
“There were lots of real life examples shared on very open discussions and the workshop feeling where all could contribute was very effective.”
– [Training Client] Systems Analyst, Data Storage Products and Services Company
“Thank you so much for all you did getting us prepared for the ISO Certification. We passed with flying colors. We had 0 Nonconformance. I felt like we just won a gold medal. The ISO Auditor was very impressed with the documents that you set us up with and how well written the manual and procedures were.”
– [Consulting ISO 9001:2015] Debbie at Precision Machine Shop, Texas
“I just wanted to extend to you all my personal thanks for all the help that you’ve given me. Our ISO auditor was very impressed with the progress that we made within the last year. This progress would not have been possible if it wasn’t for the professionalism and knowledge that you four displayed throughout the internal audits, consultations, …”
– ISO Representative, Logistics, Resale and ReUse Organization, Aurora, Colorado