Monday, January 12, 2009

ISO 27001 - The auditor’s perspective

Hello readers,

Wish you all a very happy and prosperous 2009.

During the second-last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question they asked was, “Can I see an ISO 27001 system?” When I asked them to be more specific, they said, “You know... all the documents, policies, guidelines, etc.” What I could infer from the discussion was that they clearly thought it was a system that was documented.

Tangibles and intangibles in an ISO 27001 ISMS

I spent some time explaining to them that an ISO 27001 ISMS consists of tangibles and intangibles. There are things that you can see, touch and feel, but there are also many components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, customers asked, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask, “Can you give us some sample policies and sample templates from which we can create our policies?” And when asked why they always asked for the policies upfront, the answer invariably was, “Well, that is what we need to pass the audits and get certified, right?” This prompted me to think more about this from the customers’ perspective and ask the question, “Is the purpose of ISO 27001 audits (especially in the certification process) being misunderstood?”

The smart ISO 27001 auditor looks for...

No doubt, documentation is a very important component of the certification process, but from my perspective an ISO 27001 auditor will look for two things:

1 - The existence of the ISMS
2 - The functioning of the ISMS

Let us examine Point 1, “The existence of the ISMS”. This essentially means whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exist. These start from the scope and go on to the security forum, the asset classification list, the risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews, etc. Some of these components are tangible and some are intangible. The smart auditor will spend his time verifying this first.

Let us examine Point 2, “The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which come in the CHECK and ACT phases. The smart auditor will check the internal audit reports and often ask, “Have you done a root cause analysis?” This is a very important question, because the auditor is probing whether the organization has not just identified the problem but has gone deeper to find its root cause and then solved it. This proves that the ISMS not only exists but is also functioning.

The broad picture or the Top-level view

So, anyone who is getting ready for an ISO 27001 implementation and certification process, please keep the broad picture in mind. It will keep you from going off-track and will help you when you face a dilemma at certain junctures of the ISO 27001 implementation cycle.

You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two things:

1) I have an ISMS in my organization
2) My ISMS is functioning well

and, if you care to come and check, I shall prove both of the above points to you. With this attitude you have a winning ISMS in your hands.

Warm regards,

Anup Narayanan
www.isqworld.com (Learning ISO 27001 through storytelling)

59 comments:

九份 said...

When everything is coming your way, you are in the wrong lane.

聊天室 said...

Pleasure to find such a good article! Please keep updating!!

佩怡 said...

Really like your blog... keep it up!

仁南 said...

Great message for me, thanks a lot dude ˙﹏˙

佩昭彥怡 said...

A man who can guess a woman's real age may have sharp eyes and ears, but he certainly has no brain. Haha!

睿玄 said...

^^ Thanks for sharing; wishing you a life that is always colorful!

isdocuments said...

Really wonderful article, and I think this is a very important topic for how to get ISO 27001 certification, with good tips on ISO 27001 too. For more information: ISO 27001 documentation

湖聿湖聿 said...

A really nice blog, keep it up.

真坤 said...

Nice post ~ 3Q

韋于倫成 said...

When dealing with people, try speaking more with your eyes and thinking more with your mouth.

韋于倫成 said...

A person with only ordinary talent but extraordinary perseverance can obtain anything.

柏懿綺辰 said...

The care you put into the blog shows~~ keep it up.

budi said...

Good article. The situation is similar to what we faced. Clients asking about examples (of policies). They think that there is (an ISO 27001) product that you can see (and copy).

冠宛君中 said...

The more haste, the less speed.

王周宏儒 said...

People should not live like animals, but should pursue knowledge and virtue.

韻枝 said...

Love is an invention that needs constant improvement. Only, unlike other inventions, it has no patent and can be snatched away at any time.

秀吉 said...

People have two eyes and one tongue so that they observe twice as much as they speak.

saas said...

To live is to wage constant war within the heart and soul; to write is to sit in judgment of oneself.

柏廷柏廷柏廷 said...

To live is to wage constant war within the heart and soul; to write is to sit in judgment of oneself.

智能智能 said...

Quality is better than quantity.

秋娥秋娥 said...

Maturity is the ability to adapt to the ambiguities of life.

王名仁 said...

People have two eyes and one tongue so that they observe twice as much as they speak.

JasonBirk佳琪 said...

Passing by -- how are you? Great blog.

育隆 said...

Friendship increases happiness and lessens pain.

怡潔怡潔 said...

In life, the one thing more dangerous than taking risks: not taking risks.

吳婷婷 said...

When traveling, don't insist on famous sights; anywhere with scenery is good.

姿柯瑩柯dgdd憶曾g智曾 said...

Looking forward to your new articles! Just saying: keep it up.

宥妃 said...

Martin Luther: “Even if I knew the world would end tomorrow, I would still plant a small tree today.”

宜欣宜欣 said...

Your blog is nice; I came to enjoy it for a while~~

RicoLisi0802志竹 said...

A blog run with care~ one day you'll be famous!

毛彥宇毛彥宇 said...

Human intelligence is measured not by experience, but by the capacity to take in experience.

承蔡蔡芸 said...

Always caring, always moved.

吳淑惠吳淑惠吳淑惠吳淑惠 said...

A kind word warms three winters; a harsh word chills even in June.

韋陳富 said...

A good start does not mean success, and a bad start does not mean failure.

張韓涵旺建宇 said...

So lively! Everyone's eager comments make the blog more energetic.

陳雅吳水以竹 said...

I came to join the fun~~^^ Stay safe and happy.

怡屏 said...

Seeing everyone leaving comments, I can't help saying it too--- keep it up.

瑞陳彥 said...

To lack wisdom is to lack everything.

牧宇 said...

No pains, no gains.

怡靜怡靜怡靜怡雯 said...

Knowledge can be taught, but wisdom cannot. Everyone must become himself.

怡靜怡靜怡靜怡雯 said...

Such a good article of course deserves a reply in support (>▽<)

王辛江淑萍康 said...

Happiness is the result of enjoying the process of work.

JuliaSmith said...

Very informative blog, thanks for sharing.... ISO 27001 Consultancy Bangalore

ISO Certification said...

ISO 17025 Document - ISO 9001 gives customers and suppliers a single set of guidelines that is accepted worldwide and that can be followed to achieve a definable level of quality. The third-party certification confirms that a company's systems for accepting orders, reviewing customers' specifications, manufacturing and testing products, and delivering those products to its customers are quality controlled and should produce consistent results.

ISO 27001 consultants said...

This is a great article on the topic of the benefits of ISO 27001 certification.
what is iso 27001

QUALITY SERVICES said...

Nice post, I bookmarked your blog because I found very good information on your blog. Thanks for sharing more information.
http://goo.gl/tGqfRs

Dacey Lyle said...

Hi there! Great post. Thanks for sharing some very interesting and informative content; it is a big help to me as well, keep it up!!!

ISO 27001 Consultant

Anamika Singh said...

I read this article. It has good and helpful information. Thanks for sharing such info.
ISO In India | ISO Services In India

Jimmy Johns said...

Assessment for ISO Certification Halal Certification approach ensures our client's products are rigorously examined to ensure they meet globally recognised standards of Halal excellence. From ensuring all employees directly involved in the Halal process are Muslim and all ingredients are Halal certified to ensuring they meet the Malaysian Standard of Halal. ISO 9001 provides a framework and set of principles that ensure a common-sense approach to the management of your organization to consistently satisfy customers and other stakeholders. In simple terms, it provides the basis for effective processes and effective people to deliver an effective product or service time after time.

general manager said...

This is a really helpful article shared,
ISO 9001 training

ayshwariya said...

Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.

Android Training in Chennai

Unknown said...

I thought it was going to be some boring old post, but it really compensated for my time. I will post a link to this page on my blog.
Iso 9001:2015 Certification & Iso 9001 Certification

Unknown said...

I wanted to thank you for this great read!! I definitely enjoyed every little bit of it. Smile. I have you bookmarked to check out new stuff you post. Iso 9001:2015 Certification & Iso 9001 Certification

Mdhamid AnsarI said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!

Iso 9001:2015 Certification & Iso 9001 Certification

kevin said...

Articles and content in this section of the website are really amazing. Great ideas indeed! I will surely keep these in my mind!
ISO 22000 Food Safety Certification & BRC Certification

Reach ISO said...

Yes, ISO certifications are very much needed for the business.

ISO certification companies in Bangalore

Mansi Singh said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!
ISO 22000 Food Safety Certification & BRC Certification