Monday, January 12, 2009

ISO 27001 - The auditor’s perspective

Hello readers,

Wish you all a very happy and prosperous 2009.

During the second-to-last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question they asked was, “Can I see an ISO 27001 system?” When I requested that they be specific, they said, “You know... all the documents, policies, guidelines etc.” What I could infer from the discussion was that they clearly thought of it as a documented system.

Tangibles and intangibles in an ISO 27001 ISMS

I spent some time explaining to them that an ISO 27001 system consists of tangibles and intangibles. There are things that you can see, touch and feel, but there are a lot of components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, customers would ask the question, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask, “Can you give us some sample policies and sample templates from which we can create the policies?” And when asked why they always wanted the policies upfront, the answer would invariably be, “Well, that is what we need to pass the audits and get certified, right?” This prompted me to think more about this from the customers’ perspective and ask the question, “Is the purpose of ISO 27001 audits (especially in a certification process) being misinterpreted?”

The smart ISO 27001 auditor looks for...

No doubt, documentation is a very important component of a certification process, but from my perspective an ISO 27001 auditor will look for two things:

1 - The existence of the ISMS
2 - The functioning of the ISMS

Let us examine “Point 1 - The existence of the ISMS”. This essentially means checking whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. This would start from the Scope and go on to the security forum, the asset classification list, the risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some of them are intangibles. The smart auditor will spend his time verifying this first.

Let us examine “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. The smart auditor will check the internal audit reports, and will often ask the question, “Have you done a root cause analysis?” This is a very important question, because the auditor is probing whether the organization has not just identified the problem, but has dug deeper to find the root cause of the problem and then solved it. This proves that the ISMS not only exists, but also functions.

The broad picture or the Top-level view

So, anyone who is getting ready for an ISO 27001 implementation and certification process, please keep the broad picture in mind. This will keep you from going off track and will help you when you face a dilemma at certain junctures of the ISO 27001 implementation cycle.

You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two points:

1) I have an ISMS in my organization
2) My ISMS is functioning well

And if you care to come and check, I shall prove both of the above points to you. With this attitude you have a winning ISMS in your hands.

Warm regards,

Anup Narayanan
www.isqworld.com (Learning ISO 27001 through storytelling)

29 comments:

Anonymous said...

Really wonderful article, and I think this is a very important topic for how to get ISO 27001 certification, with good tips on ISO 27001 as well. For more information: ISO 27001 documentation

Anonymous said...

When getting along with people, speak more with your eyes and think more with your mouth.

Budi Rahardjo said...

Good article. The situation is similar with what we faced. Clients asking about examples (of policies). They think that there is (an ISO 27001) product that you can see (and copy).

nancy said...

Very informative blog, thanks for sharing. ISO 27001 Consultancy Bangalore

ISO Certification said...

ISO 17025 Document - ISO 9001 gives customers and suppliers a single set of guidelines that is accepted worldwide and that can be followed to achieve a definable level of quality. The third-party certification confirms that a company's systems for accepting orders, reviewing customers' specifications, manufacturing and testing products, and delivering those products to its customers are quality controlled and should produce consistent results.

iso27001consultant said...

This is a great article on the topic of the benefits of ISO 27001 certification.
what is iso 27001

iso27001consultant said...

Hi there! Great post. Thanks for sharing some very interesting and informative content; it is a big help to me as well. Keep it up!!!

ISO 27001 Consultant

Unknown said...

I read this article. It has good and helpful information. Thanks for sharing such info.
ISO In India | ISO Services In India

Unknown said...

Assessment for ISO Certification: the Halal Certification approach ensures our clients' products are rigorously examined to ensure they meet globally recognised standards of Halal excellence, from ensuring all employees directly involved in the Halal process are Muslim and all ingredients are Halal certified, to ensuring they meet the Malaysian Standard of Halal. ISO 9001 provides a framework and set of principles that ensure a common-sense approach to the management of your organization to consistently satisfy customers and other stakeholders. In simple terms, it provides the basis for effective processes and effective people to deliver an effective product or service time after time.

general manager said...

This is a really helpful article you shared.
ISO 9001 training

ayshwariya said...

Great thoughts you got there; I believe I may possibly try just some of it throughout my daily life.

Android Training in Chennai

Anonymous said...

I thought it was going to be some boring old post, but it really compensated for my time. I will post a link to this page on my blog.
Iso 9001:2015 Certification & Iso 9001 Certification

Anonymous said...

I wanted to thank you for this great read!! I am definitely enjoying every little bit of it. I have you bookmarked to check out new stuff you post. Iso 9001:2015 Certification & Iso 9001 Certification

Unknown said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!

Iso 9001:2015 Certification & Iso 9001 Certification

Unknown said...

Yes, ISO certifications are very much needed for the business.

ISO certification companies in Bangalore

Unknown said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!
ISO 22000 Food Safety Certification &BRC Certification

Unknown said...

It's a very informative blog... Thanks for posting...
27001

John Street said...

Great post. I appreciate the way you have explained about ISO 27001. Thanks and keep it up.

Information Security ISO 27000

Augurs Technologies Pvt Ltd. said...

Looking for a SaaS App Development Company? Augurs Technologies is a SaaS Application Development Company in India and develops custom applications for your growing business.

Charles Wilson said...

Thanks for providing such knowledgeable information. The information provided here is excellent and gives an idea about ISO 27001 Auditor Training and how it helped in developing an Information Security Management System for organizations to implement the best information security system as per the ISO 27001:2013 standard.

Amelia Joo said...

Very nice blog!!! I have learned a lot of information from this site... Thanks for sharing this wonderful information. Thanks for sharing this valuable information with us. You have posted a trustworthy blog; keep sharing.

iso 27001 auditor certification

Jack Daniels said...

Wow, the article is easy to read and understand, and it helped me find important information.

ISO 27001 Lead Auditor Training

Amith Sharma said...

I would definitely thank the admin of this blog for sharing this information with us. Waiting for more updates from this blog admin.

ISO 27001 Certification

YASARARAFAT said...

Nice blog, really cool stuff you have added. Keep sharing, brother. ISO 27001 Certification in Qatar

Anonymous said...

Nice blog.

iso 27001 lead auditor course thailand

Hafeezriyas said...

Thank you for sharing this unique and useful content with us. Really awesome work. ISO 27001 Consultants in Oman

zasma yasmin dawood said...

Thanks for sharing. Click here to register Now --> iso certificate registration

Iso registration said...

I found your blog and it was really useful as well as informative; thanks for sharing such an article with us. We also provide services related to ISO REGISTRATION.

iso registration

edicksnelson said...

I found your blog and it was really useful as well as informative; thanks for sharing such an article with us. We also provide services related to iso 27001