Hello readers,
Wish you all a very happy and prosperous 2009.
During the second-to-last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question they asked was, “Can I see an ISO 27001 system?” When I requested them to be specific, they said, “You know... all the documents, policies, guidelines etc.” What I could infer from the discussion was that they clearly thought it was a documented system and nothing more.
Tangibles and intangibles in an ISO 27001 ISMS
I spent some time explaining to them that an ISO 27001 system consists of tangibles and intangibles. There are things that you can see, touch and feel, but there are many components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, customers would ask, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask, “Can you give us some sample policies and sample templates that we can use to create the policies?” And when asked why they always asked for the policies upfront, the answer would invariably be, “Well, that is what we need to pass the audits and get certified, right?” This prompted me to think more about this from the customers’ perspective and ask, “Are ISO 27001 audits (especially in a certification process) being misinterpreted as to their purpose?”
The smart ISO 27001 auditor looks for...
No doubt, documentation is a very important component of a certification process, but from my perspective an ISO 27001 auditor will look for two things:
1 - The existence of the ISMS
2 - The functioning of the ISMS
Let us examine “Point 1 - The existence of the ISMS”. This essentially means checking whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. This starts from the Scope and goes on to the security forum, the asset classification list, the risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some are intangibles. The smart auditor will spend his time verifying this first.
Let us examine “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. The smart auditor will check the internal audit reports, and often ask the question, “Have you done a root cause analysis?” This is a very important question because the auditor is probing whether the organization has not just identified the problem, but has gone deeper to find the root cause of the problem and then solved it. This proves that the ISMS not only exists, but is also functioning.
The broad picture or the Top-level view
So, anyone who is getting ready for an ISO 27001 implementation and certification process, please keep the broad picture in mind. This will keep you from going off-track and will help you when you face a dilemma at certain junctures of the ISO 27001 implementation cycle.
You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two points:
1) I have an ISMS in my organization
2) My ISMS is functioning well
and if you care to come and check, I shall prove both the above points to you. With this attitude, you have a winning ISMS in your hands.
Warm regards,
Anup Narayanan
www.isqworld.com (Learning ISO 27001 through storytelling)
29 comments:
Really wonderful article, and I think this is a very important topic for how to get ISO 27001 certification, and also good tips on ISO 27001. For more information: ISO 27001 documentation
When dealing with people, speak more with your eyes and think more with your mouth.
Good article. The situation is similar to what we faced. Clients asking about examples (of policies). They think that there is (an ISO 27001) product that you can see (and copy).
Very informative blog, thanks for sharing. ISO 27001 Consultancy Bangalore
ISO 17025 Document - ISO 9001 gives customers and suppliers a single set of guidelines that is accepted worldwide and that can be followed to achieve a definable level of quality. The third-party certification confirms that a company's systems for accepting orders, reviewing customers' specifications, manufacturing and testing products, and delivering those products to its customers are quality controlled and should produce consistent results.
This is a great article on the topic of the benefits of ISO 27001 certification.
what is iso 27001
Hi there! Great post. Thanks for sharing some very interesting and informative content; it is a big help to me as well. Keep it up!
ISO 27001 Consultant
I read this article. It has good and helpful information. Thanks for sharing such info.
ISO In India | ISO Services In India
Assessment for ISO Certification Halal Certification approach ensures our client's products are rigorously examined to ensure they meet globally recognised standards of Halal excellence. From ensuring all employees directly involved in the Halal process are Muslim and all ingredients are Halal certified to ensuring they meet the Malaysian Standard of Halal. ISO 9001 provides a framework and set of principles that ensure a common-sense approach to the management of your organization to consistently satisfy customers and other stakeholders. In simple terms, it provides the basis for effective processes and effective people to deliver an effective product or service time after time.
This is a really helpful article shared.
ISO 9001 training
Great thoughts you got there; I believe I may possibly try just some of it throughout my daily life.
Android Training in Chennai
I thought it was going to be some boring old post, but it really compensated for my time. I will post a link to this page on my blog.
Iso 9001:2015 Certification & Iso 9001 Certification
I wanted to thank you for this great read! I am definitely enjoying every little bit of it. I have you bookmarked to check out new stuff you post. Iso 9001:2015 Certification & Iso 9001 Certification
Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!
Iso 9001:2015 Certification & Iso 9001 Certification
Yes, ISO certifications are very much needed for the business.
ISO certification companies in Bangalore
It's a very informative blog. Thanks for posting.
27001
Great post. I appreciate the way you have explained about ISO 27001. Thanks and keep it up.
Information Security ISO 27000
Looking for a SaaS App Development Company? Augurs Technologies is a SaaS Application Development Company in India and develops custom applications for your growing business.
Thanks for providing such knowledgeable information. The information provided here is excellent and gives an idea about ISO 27001 Auditor Training and how it helped in developing an Information Security Management System for organizations, to implement the best information security system as per the ISO 27001:2013 standard.
Very nice blog! I have learned a lot of information from this site. Thanks for sharing this valuable information. You have posted a trustworthy blog; keep sharing.
iso 27001 auditor certification
Wow, the article is easy to read and understand, and it is easy to find the important information.
ISO 27001 Lead Auditor Training
I would definitely thank the admin of this blog for sharing this information with us. Waiting for more updates from this blog admin.
ISO 27001 Certification
Nice blog, really cool stuff you have added. Keep sharing, brother. ISO 27001 Certification in Qatar
iso 27001 lead auditor course thailand
Nice blog.
Thank you for sharing this unique and useful content with us. Really awesome work. ISO 27001 Consultants in Oman
Thanks for sharing. Click here to register now: iso certificate registration
I found your blog and it was really useful as well as informative; thanks for sharing such an article with us. We also provide services related to ISO REGISTRATION.
iso registration
I found your blog and it was really useful as well as informative; thanks for sharing such an article with us. We also provide services related to iso 27001