Tuesday 7 March 2023

Preparing managers to be ISO27001 certified

This morning, a new member of the ISO27k Forum asked us some questions about his organisation's upcoming ISO/IEC 27001 certification audit (paraphrased below). 

Since these are commonplace issues, I address them here on SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as how it is managed once it comes into operation.


1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?

That is for the auditor to decide. CEOs are invariably busy people ... but the CEO's non-involvement (even before being asked!) hints at a lack of support or engagement from senior management*. If other senior managers are more willing and able to be interviewed, that should suffice, especially if they subtly or directly confirm that the CEO supports the ISMS, or if the CEO has overtly supported the ISMS (e.g. by personally endorsing or mandating the information security policy). See also Q4 below.


2. Approximately how much time is required for an audit interview?

Half an hour or so. Minimum would be 5 to 10 mins. Maximum, maybe an hour or more (possibly over a few sessions).


3. What kinds of questions would the auditor ask of the top management?

Auditing managers for '27001 certification is likely to revolve around the standard's requirements in this area. Studying clauses 4 and 5 dispassionately should indicate the points the auditors will explore e.g. relating to clause 4.1: 
  • How does the ISMS support or enable the achievement of business objectives involving information, risk, security, compliance, safety etc.?

  • Why has the organisation decided to adopt (invest in) '27001 and be certified? What has driven this initiative? And why now?

  • What benefits is the ISMS expected to achieve for the business? What difference will the certification make? How will it be exploited commercially? What benefits are already achieved?
These are open questions rather than tick-box ones, intended to get interviewees to open up, describing and expanding on their understanding and, in the process, covering off the specific requirements of the standard (e.g. relating the ISMS to the business context). 


4. How should management confirm its commitment to infosec and compliance?

This is key! Evidently there was approval and some level of support and resourcing to get the ISMS designed, built and ready to be certified. The auditors may look for evidence of genuine management commitment to protect and exploit valuable yet vulnerable information - a deliberate strategic investment for the long term. So, was the true goal simply to get the piece of paper on the wall/website and then quickly forget about it? Was this a crude, tactical move with superficial goals and intent ("to be certified" or "to land a major contract") ... or is the organisation genuinely intent on "becoming more secure" (whatever that actually means) and being able to demonstrate that?    

Here are some ways to demonstrate senior management's genuine commitment:
  1. Dig out the original proposal and approval for the ISMS implementation project.  Presumably management discussed and agreed a set of objectives in some form, with parameters such as resourcing, timescales and budgets.  Were the resources adequate, generous or tight?  Did you track achievement of the objectives, and how is it going?  Is [at least some part of] management actively involved in the tracking, providing guidance and direction e.g. additional resources, clarified priorities?
     
  2. The ISMS should be an integral part of information, IT, risk and compliance management.  Various management activities should therefore involve contact points with the ISMS, exchanging information, aligning goals and strategies and policies, collaborating on points of common interest etc.  Setting up those contact points, reporting, coordination meetings etc. is part of the ISMS build, and there should be evidence that they are happening now e.g. agendas and minutes of meetings, with relevant managers being willing and able to explain their interest and involvement with the ISMS.

  3. Strategies, policies, initiatives etc. should cover infosec where appropriate.  For example, privacy involves adequately securing personal information against unauthorised/inappropriate disclosure (the compliance aspect) while at the same time facilitating its availability and use for legitimate purposes (the business aspect).  Resolving the tension between those two is something management might address by clarifying the rules in policies etc.

  4. Last but not least, managers should be willing and able, even keen, to explain enthusiastically how much they value all the work going on within or relating to the ISMS.  This demonstrates their understanding, interest and support.  If nobody wants or is able to talk about this stuff, or if everyone is clearly evasive or vacant, the auditor will get a strong impression that management is not behind the ISMS. 
Being audited can be a stressful experience, especially the first time, even for experienced managers. Last year, I prepared a little guidance leaflet for a client to share with potential auditees to get them prepared and put them at ease. The free ISO27k Toolkit includes a basic version, while SecAware ISMS Take-off includes a matching pair of generic leaflets giving advice to both auditors and auditees about audit interviews. 

Lastly, I'll emphasise clause 9 of the standard which is relevant here:
  • There should be mechanisms in place to monitor, measure, analyse and evaluate the ISMS performance (clause 9.1), hence there should be evidence of that, and managers should be using the metrics, reports, trends, issues etc. as appropriate. They should be sufficiently familiar with them to bring them up if asked, and perhaps provide examples or know where to look for them. If there are or have been issues with the ISMS performance (e.g. conflicting priorities, resource constraints), managers should know about them and preferably be able to talk about their resolution.

  • You should have planned and ideally conducted at least one ISMS internal audit (9.2) and management review (9.3). These are golden opportunities to engage management with the ISMS, explain its purpose and objectives, and practise the process of being questioned/challenged in this area, responding positively and openly. Practice can round off the sharper edges of a certification/compliance audit and generally reduce unnecessary stress. 

* Did you notice that I'm using "senior management" while the questioner and the standard use "top management"? The latter term, formally defined in ISO/IEC 27000, refers to the highest levels of management within the scope of the ISMS, not necessarily for the organisation as a whole. The former term is ambiguous ... but as far as I am concerned, that is appropriate in this context: even if the ISMS is limited to some business unit, site or department, I believe the company executives and ideally the directors ought to at least know broadly what is going on because if they don't, that suggests poor governance and a lack of appreciation of the importance, relevance and value of information risk and security management for the business as a whole. OK, so they may not be familiar with the details but the generalities are part of their role, I feel. You may not agree!  
