The ISO 27001 Episode
Transcript
- The video features an interview with Joseph Kirkpatrick, the president of KirkpatrickPrice, discussing ISO 27001 certification.
- What is ISO 27001? ISO 27001 is described as the “grandparent” of all information security frameworks. It is a standard for an information security management system (ISMS) against which organizations can be certified, and it was first published in 2005.
- Updates to the Standard: The standard has been updated twice, in 2013 and 2022, to remain current.
- Benefits of Certification: ISO 27001 certification is particularly valuable for companies with international clients as it demonstrates a commitment to recognized security standards.
- The Role of a Partner: A partner, like KirkpatrickPrice, can help identify issues before the official audit, serving as an independent auditor to help clients prepare.
- Certification Process: The certification process has two stages:
  - Stage 1: A review of documentation and interviews to assess readiness.
  - Stage 2: The audit itself, where evidence of implemented controls is examined.
- Common Audit Findings: Auditors commonly focus on:
  - Internal and External Issues: Organizations must document their internal and external issues related to information security.
  - Needs of Interested Parties: Companies need to show they understand the needs of all stakeholders.
  - Risk Assessment: A robust and current risk assessment process is essential.
  - Information Security Objectives: Clear objectives and plans to achieve them are necessary.
  - Management Review: Evidence of consistent management oversight and involvement is critical.
- Importance of People: ISO 27001 certification requires a collaborative effort from various departments, not just IT.
Notes
ISO 27001 – Information Security Management Systems
ISO/IEC 27001:2022 – Information security management systems
What’s new in the 2022 version
What You Need to Know About the ISO 27001 Revisions | KirkpatrickPrice
Annex A Control 5.35 – Independent Review
You have to conduct an independent review of your ISMS, which can be performed by an external party or by an operationally independent internal resource.
ISO 27001 Certification Bodies
British Standards Institute (BSI)
Mastermind Assurance
Performance Review Institute (PRI)
Stage 1 Audit Report
Minor nonconformities
These are not seen as serious. You must simply develop, follow, and complete your own internal Corrective Action Plan (CAP) before Stage 2. You are not required to send your CAP for minor nonconformities at Stage 1.
Examples of minor nonconformities include:
- A two-month lapse in the audit program
- A training record not available
Major nonconformities
These are more serious, and you’ll need to produce a CAP for the certifying body with all actions completed before Stage 2. You will need to submit your CAP before scheduling Stage 2, and we will pay particular attention to it at our next visit. Send your CAP to your auditor.
Examples of major nonconformities may include:
- Document changes routinely made without authorization
- No future planned internal audits
Stage 2 Audit Report
Minor nonconformities
- Unlike at Stage 1, a written Corrective Action Plan (CAP) must be sent to your certification body at Stage 2, as this is when a certification decision is made
- The CAP will be reviewed by your Client Manager and must detail the nonconformity, the cause, the proposed corrective action, who is responsible and the date the action will be implemented; you will have five working days to do this
Major nonconformities
- If a major nonconformity is raised or remains outstanding from Stage 1, an additional visit will need to be booked; this is to confirm the implementation of an effective CAP
- This additional visit will take place within 30 days; however, you may request to have the visit earlier
- Major nonconformities must be addressed within six months of the assessment and prior to the issuance of the certificate
- Send your CAP to your Client Manager
Opportunities for Improvement
- When conducting an audit, your Client Manager may encounter a situation that doesn’t qualify as a nonconformity, but could improve your system
- These Opportunities for Improvement (OFI) are revealed during the audit process and include any suggestions for improvement, as well as any findings that could lead to potential nonconformities
- While it’s not required to include OFIs in your CAP, your Client Manager will include them in your auditing report to encourage continual improvement
Example ISMS – Clause 4: Context of the Organization
https://ww2.kirkpatrickprice.com/6222025/Context-of-the-organization
Example ISMS – Clause 6: Planning
https://ww2.kirkpatrickprice.com/6222025/Risk-Assessment
Example ISMS – Clause 9.3: Management Review
https://ww2.kirkpatrickprice.com/6222025/Management-Review