Take pride in your ISMS and show it off to your auditor

  
  Want to know how to transition your ISMS from ISO/IEC 27001:2013 to ISO/IEC 27001:2022/Amd 1:2024 — read David Brewer’s new book
 

Showcase your ISMS

Showcasing your ISMS consists of showing-off your ISMS to your certification auditor. Show it off with pride. Your auditor is looking for evidence of conformity both to your own requirements and the requirements of ISO/IEC 27001. You know what these requirements are. You know how you conform. Show that evidence to the auditor. Showcasing is an enjoyable experience. Showcased audits are geared towards discovery of opportunities for improvements, rather than nonconformities.

Book cover for An introduction to ISO/IEC 27001:2022/Amd 1:2024 by David Brewer

David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024), and you are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not. Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance and optimising other parts of your ISMS. You can also exploit your ISMS.

The purpose of an audit

The purpose of an audit is to find evidence of conformity both to the requirements of the standard and to the organisation‘s own ISMS requirements. The purpose of an audit is also to find evidence that the ISMS is effectively implemented and maintained. Effective means that planned events are realised and planned results are achieved.

There are several ISO/IEC 27001 requirements that refer to “planned intervals”. There should be evidence that these schedules are being adhered to (that is the “planned events are realised”) and what was planned was achieved (e.g., the audit addressed its intended scope, the meeting followed its intended agenda, the training course fulfilled its intended training objectives…).

Knowing what the auditor is looking for, and where it is, is key

When the auditor asks question, he or she is looking for objective evidence of conformity. With practice, you will know from the question what clause in the standard is being referred to and how best to demonstrate conformity. Keeping track of the audit plan helps. Sometimes the auditor will phrase the question in a way that is unfamiliar to you, or appears to be asking for something that you don’t have. Don’t be fazed by this. Politely ask to which clause the auditor is referring. Auditors, particularly on their first visit, will not know how you refer to things, and can even ask to see something that they have seen in an audit with a different organization.

Knowing where the evidence is is key. It means that you can locate it and present it quickly.

The emphasis should be on showing results — yes, you have a written procedure for something, but the proof of the pudding is the evidence that it is being applied. This is why there are more requirements in ISO/IEC 27001 concerning results than processes.

The auditor will also observe the manner in which the you present yourself. Are you full of confidence, demonstrating great knowledge of the standard and your ISMS, or are you timid, uncertain and wavering.

How showcasing works

Whilst where the evidence is is key, knowing what the next question the auditor is likely to ask means that you can pre-empt them, showing pieces of evidence one after the other. For example, the auditor asks to see your internal audit programme. Show it and explain how it works. Say “… and here are our results. Would you like to see an audit report?”. The likely answer being “yes?”, you can then open up the report and explain the findings. If there are nonconformities or opportunities, show how your organisation implements the requirements of Clause 10, by following (say) the nonconformity through to its successful conclusion. Essentially, showcasing is being able to anticipate the auditor’s questions, one after another, showing all the all evidence needed to demonstrate conformity in a joined-up manner. We call this a “showcasing unit”.

Showcasing demonstrates very clearly that you know what you are doing and the ISMS is well maintained and well managed. Speak with authority and pride.

An early example can be found here, where in the space of a few minutes the auditee had demonstrated how an ISMS had fulfilled about 50% of the ISMS requirements.

What are the essential ISMS attributes for showcasing?

Apart from having intimate knowledge of your ISMS and ISO/IEC 27001 (including what is a requirement and what is not), being able to locate and present evidence quickly is essential. Showcasing should be slick, just like giving a PowerPoint presentation, and just like a PowerPoint presentation, the next “slide” should be just “one-click” away.

Therefore it is essential to be using technology that:

  • uses browser based technology, with lots of hyperlinks
  • presents ISMS documented information in an easily navigable form
  • has comprehensive search facilities.

It is also useful if you have an aide-mémoire ready-to-hand that reminds you, for each the ISO/IEC 27001 requirement, of what the evidence of conformity is, and where it is.

If you don’t know precisely where something is, use the search facility, or CNTR-F. Don’t scroll up and down. The auditor will try to read everything that is on the screen. If remove it by scrolling, it will frustrate the auditor. If you pause and what is being displayed is not relevant to your showcase, the audit will disappear off a tangent and you will loose control.

How can I practice?

Practice by encouraging showcasing in internal audits. Help your companions to learn the likely question flows and showcasing units:

Clause Links to How
5.1 5.2 Top management establishes policy, so show it
6.2 Top management establishes objectives, so show them
6.1.2 8.2 Explain the risk assessment process and then the results
6.1.3 Explain the risk assessment process and then the risk treatment process
6.1.3 8.3 Explain risk treatment process and then the results
6.2 9.1 Objectives must be monitored, so show the results of doing that
9.1 10 Monitoring and measuring, internal audits and reviews can give rise to nonconformities and opportunities for improvement, so show how clause 10 works
9.2
9.3
  • Each major clause in ISO/IEC 27001 forms a natural showcasing unit.
  • There are links between such major clauses that can allow you to join showcasing units to create a longer one (see the table).

How IMS-Smart can help

We can help in three ways:

  • David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).
  • We also have some technology that can help you to create an ISMS with all the aforementioned desirable properties. Just because you already have an ISMS does not mean that you cannot take advantage of IMS-Smart On-Line. Think of it as upgrading to a brand new car, and take advantage of the ISO/IEC 27001 transition period to do it.
  • We can train you.

If you have any question about ISO/IEC 27001:2022/Amd 1:2024 or IMS-Smart On-Line, just or use the find facility above. We will be pleased to assist.