Take pride in your ISMS and show it off to your auditor
Showcase your ISMS

Showcasing your ISMS consists of showing off your ISMS to your certification auditor. Show it off with pride. Your auditor is looking for evidence of conformity both to your own requirements and to the requirements of ISO/IEC 27001. You know what these requirements are. You know how you conform. Show that evidence to the auditor. Showcasing is an enjoyable experience. Showcased audits are geared towards the discovery of opportunities for improvement rather than nonconformities.

There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024). If you already have an ISMS, you are encouraged to start planning your transition now; if not, start using the new standard. Whilst there is very little change to the information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the SOA (Statement of Applicability), but that can easily be mastered, as can measuring performance and optimising other parts of your ISMS. You can also exploit your ISMS.

The purpose of an audit

The purpose of an audit is to find evidence of conformity both to the requirements of the standard and to the organisation's own ISMS requirements. It is also to find evidence that the ISMS is effectively implemented and maintained. Effective means that planned events are realised and planned results are achieved. Several ISO/IEC 27001 requirements refer to "planned intervals". There should be evidence that these schedules are being adhered to (that is, "planned events are realised") and that what was planned was achieved (e.g., the audit addressed its intended scope, the meeting followed its intended agenda, the training course fulfilled its intended training objectives…).

Knowing what the auditor is looking for, and where it is, is key

When the auditor asks a question, he or she is looking for objective evidence of conformity. With practice, you will know from the question which clause in the standard is being referred to and how best to demonstrate conformity. Keeping track of the audit plan helps. Sometimes the auditor will phrase the question in a way that is unfamiliar to you, or will appear to be asking for something that you don't have. Don't be fazed by this. Politely ask which clause the auditor is referring to. Auditors, particularly on their first visit, will not know how you refer to things, and may even ask to see something that they have seen in an audit of a different organisation.

Knowing where the evidence is is key. It means that you can locate it and present it quickly. The emphasis should be on showing results: yes, you have a written procedure for something, but the proof of the pudding is the evidence that it is being applied. This is why there are more requirements in ISO/IEC 27001 concerning results than concerning processes. The auditor will also observe the manner in which you present yourself. Are you full of confidence, demonstrating great knowledge of the standard and of your ISMS, or are you timid, uncertain and wavering?

How showcasing works

Whilst knowing where the evidence is is key, knowing what the auditor's next question is likely to be means that you can pre-empt it, showing pieces of evidence one after the other. For example, the auditor asks to see your internal audit programme. Show it and explain how it works. Say "… and here are our results. Would you like to see an audit report?" The likely answer being "yes", you can then open up the report and explain the findings. If there are nonconformities or opportunities for improvement, show how your organisation implements the requirements of Clause 10 by following (say) a nonconformity through to its successful conclusion. Essentially, showcasing is being able to anticipate the auditor's questions, one after another, and to show all the evidence needed to demonstrate conformity in a joined-up manner. We call this a "showcasing unit". Showcasing demonstrates very clearly that you know what you are doing and that the ISMS is well maintained and well managed. Speak with authority and pride. An early example can be found here, where in the space of a few minutes the auditee demonstrated how an ISMS had fulfilled about 50% of the ISMS requirements.

What are the essential ISMS attributes for showcasing?

Apart from having intimate knowledge of your ISMS and of ISO/IEC 27001 (including what is a requirement and what is not), being able to locate and present evidence quickly is essential.

Showcasing should be slick, just like giving a PowerPoint presentation, and, just as in a PowerPoint presentation, the next "slide" should be only one click away. It is therefore essential to use technology that:

It is also useful to have an aide-mémoire ready to hand that reminds you, for each ISO/IEC 27001 requirement, of what the evidence of conformity is and where it is. If you don't know precisely where something is, use the search facility, or Ctrl-F. Don't scroll up and down. The auditor will try to read everything that is on the screen. If you remove it by scrolling, it will frustrate the auditor. If you pause while what is being displayed is not relevant to your showcase, the audit will disappear off on a tangent and you will lose control.

How can I practise?

Practise by encouraging showcasing in internal audits. Help your companions to learn the likely question flows and showcasing units:

How IMS-Smart can help

We can help in three ways:

If you have any questions about ISO/IEC 27001:2022/Amd 1:2024 or IMS-Smart On-Line, just or use the find facility above. We will be pleased to assist.
© IMS-Smart Limited, 2023-24
Page last updated: June 3, 2024