ISO 27001 Consultant
Do You Have Effective and Repeatable Processes That Ensure Security?
Common Myth – Big Mistake
There is a common misconception that achieving ISO 27001 certification requires superior security measures. However, ISO 27001 is primarily about implementing effective processes and management systems to address security requirements and ensure accountability and awareness of shortcomings. While certain methods and processes for effective security must be in place, the emphasis on security itself is secondary to having robust processes that manage security requirements and the current security situation within the organization.
Engaging security experts for ISO 27001 consulting can often be a mistake. While security experts are excellent in their domain, ISO 27001 focuses on processes and management systems rather than technical aspects of security. In many cases, the expertise of in-house security and IT personnel is sufficient from a security standpoint. Not only are security experts expensive, but they often lack experience in ISO management systems and may not provide the ideal solutions. It’s important to avoid this costly mistake.
The ISO 27001 Standard
ISO 27001 is a management system standard that requires the establishment of a system within your organization to manage security. It does not inherently require specific security measures to be applied. The standard allows management to accept their current security position without investing in new equipment or adopting new processes. Instead, it focuses on systems that ensure the identification and treatment of security issues and risks to an acceptable level, as determined by the organization. It requires a comprehensive system that addresses all areas of the organization, including the identification, reporting, and management of security events and incidents, as well as the development of appropriate mitigation and continuity strategies. Communication and compliance with legal and regulatory requirements are also essential.
The Accompanying ISO 27002 Standard
Unlike other ISO standards, ISO 27001 is accompanied by ISO 27002, which addresses specific technical security topics. ISO 27002 offers a comprehensive checklist of security controls that organizations “may” apply. It is up to the organization to review the list, consider the applicability of each control, and determine whether any actions are necessary based on identified security risks. While ISO 27002 is not mandatory, some controls specified in ISO 27001 effectively become mandatory. Training and awareness, as well as the management of security incidents, are examples of controls that organizations will need to apply. Although the list may not be exhaustive, it serves as a valuable starting point for conducting a thorough review of security within the organization. In practice, in-house IT professionals often possess enough understanding to determine the applicability of controls and define the treatment of current risks appropriately.
Cavendish Scott Advantage
With over 35 years of experience in ISO standards, management systems, and processes, Cavendish Scott is well-equipped to assist organizations. We specialize in designing and implementing business-focused management systems that are easy to maintain while ensuring effectiveness without excessive costs.
ISO 27001 is Easy With Cavendish Scott
Thanks to you and your extremely intelligent team for guiding CES towards achieving certification. Everyone on your team is well-versed and provides pointed advice relative to our specific operation and overall goals. We learned more than I expected from the experience and continue to benefit from our relationship with Cavendish Scott.
Dave V. President/COO
Cavendish Scott is a wonderful presence in our yearly audits. They seem truly invested in helping companies grow and improving their internal processes, and going through the ISO registration process with them has had an immense positive impact on our team. As a small company it is easy to get caught up in the whirlwind of daily tasks, e-mails, and meetings and never step back to see the bigger picture. Not only has ISO unlocked our ability to win larger contracts, but it has greased the wheels, so to speak, at our company, and unlocked better communication between team members, better documentation of records, and better strategies for improving output. Cavendish Scott’s enthusiasm for the auditing process helped us get through the paperwork, which led to great insights about what we could be doing better, and to wrap processes around what could be perceived as "throwaway" tasks. We appreciate Cavendish Scott’s role in helping our company improve and we look forward to next year's audit.
Guy M. CEO
We appreciate the auditors' ability to adapt to the maturity level of our organization. Throughout the audit process, they have consistently aligned with our current stage of development and, in doing so, have identified areas for improvement that correspond to our progress. As we continue to advance, the auditors consistently raise the bar, helping us identify new opportunities for growth and pushing us to enhance our processes further.
Ignacio C. Lean & QA Lead
Cavendish Scott was wonderful and really helped give the perspective of the outside looking in when reviewing our processes. Thank you for the excellent experience!
Healthcare Solutions Company
Cavendish Scott was thorough and patient during the audit, and after the audit was responsive to our request for a draft of the findings to review and begin addressing them. We appreciate Cavendish Scott’s support in general on helping us with the ISO audit project.
Risk Intelligence and Data Analytics Firm
What makes us use Cavendish is that I don't have to be shy about making a quick call to my auditor throughout the year for QMS questions that arise. The level of customer service provided by Cavendish Scott is invaluable.
Marc J. Quality Assurance Manager
We appreciate that Cavendish Scott offers a value-added approach to our business. The auditors do not get bogged down in the "low-hanging fruit"; they continue to dig deeper to help our business continually improve and not just meet the standard. We could definitely find a company that is closer and cheaper, but we have used Cavendish Scott for the past 12 years because we feel that they help make us a better company.
Sam P. Director of Quality & Safety
We enjoy working with Cavendish Scott. Every year they find ways for us to improve and enhance our quality system and forms. Their knowledge of the standard allows us to have a successful external audit every year!!
Lee E. ISO Representative
Cavendish Scott is always great to work with. They help us build and grow our QMS every year and I think of them as a great asset for when I have questions about our QMS.
Will G. Lead Purchaser
We were very pleased with Cavendish Scott. They came in and shared a bit of information, communicated with the teams that they were here as a friend, not a foe, and put the teams at ease. Cavendish Scott was a wealth of information!
Diane T. Laboratory Manager
We were pleased with the service provided! We were highly impressed with Cavendish Scott’s professionalism and thoroughness throughout the audit process. They demonstrated a deep understanding of our systems and operations, offering constructive insights and recommendations that were both practical and actionable. Cavendish Scott’s approach was collaborative, making the entire process smooth and informative. Communication was clear and timely, which helped us to quickly address any identified issues. Overall, the audit process was invaluable in identifying areas of improvement, and I feel confident in our enhanced compliance and risk management as a result. I appreciate Cavendish Scott’s hard work and dedication!
Aerospace Distribution Company
Our gratitude to you and the Cavendish Scott team for the comprehensive audit you organized and performed. Your work and discussion facilitation allowed our team to gain new insights into improvement opportunities as well as where we should tighten up our processes.
Jay G. Continuous Improvement Manager