ISMS audit flags
Individuals chosen by senior management to audit Information Security Management Systems are not necessarily well-trained, highly qualified, experienced and (to be frank) competent professionals. ISO/IEC 27001 certification auditors from accredited certification bodies definitely should be, but for various reasons, some of them are, let's say, winging it. Reports indicate that some simply do not understand or accept that Annex A is a set of DISCRETIONARY controls, for example.
As to ISMS internal audits, well, Internal Audit Departments are commonly only found in large, mature, heavily-regulated organisations: most either contract out their internal audits, pick whoever failed to duck at the right moment, or simply forgo the pleasure - and value - of independent examination and evaluation.
This week, I've developed a succinct guideline for ISMS auditors, laying out for each of the main body clauses of the standard:
(a) The types or items of evidence worth hunting down: the 'green flags' are a mixture of mandatory ISMS documentation noted in the standard plus discretionary materials typically prepared and other information worth seeking and evaluating.
(b) Warning signs - the 'red flags' indicative of inadequate, failing or failed ISMSs, the sorts of things that are likely to block certification and destroy rather than generate value.
If you think $25 is too much for the document, fair enough, move swiftly along. I've invested my time thinking, researching, preparing and writing this ... not to mention 4 long decades learning the trade.