"How do you fancy two weeks away from assessing, touring the country talking about information security?" Not everyone's cup of tea, I know, but when offered the chance to join ‘The agenda 14’ tour with the ‘Agenda’ team, I jumped at the chance. "It won't be easy, you know": 9 sites, 1,100 faces and many, many miles in two weeks.
So, on 31 March I packed my bags, put on my black tee shirt and jeans, the official roadie attire, and drove the first 200 miles to Wigan. Coincidentally, 31 March was also the day that the government launched the new Computer Emergency Response Team UK, with £860m to prevent cyber-attacks. So, with Victoria Derbyshire in my ears reminding me that 1 in 4 of us wouldn't recognise a phishing attack, I felt the omens were good and that an interesting two weeks lay ahead.
I'd been to ‘The agenda’ before, but only for the odd day. So to have two weeks immersing myself in a subject I enjoy, without the need to write a report at the end of the day, was a great opportunity. Yes, the miles would be long, but as I found today on the drive from Wigan to Perth, with the sun shining on the Cumbrian hills and the Southern Uplands, Britain has some spectacular countryside, and the drive was a good chance to catch up on the audio books I had long been storing away for just such a trip.
Arriving at Kilhey Court, just outside Wigan, I was quickly put on cable duty. "You'll need the 20m for the far side, but should be ok for the speakers this side" were my initial instructions. "Don't forget the health and safety bit: cables go over doors, not in front, we have 134 people coming tomorrow." So started my crash course as an audio-visual understudy. "One-two, one-two, sounds good, now try mic 2", and so on until all was well and we were ready for day 1.
Day 1 dawned with a loud dawn chorus and thoughts of how to explain the changes to ISO 27001:2013 going through my mind. Keith and I had agreed a split of the material: he was to run through the structure, with me adding a bit of colour through cases published by the Information Commissioner's Office.
The new version of ISO 27001 will certainly bring some challenges for many. Like ISO 22301, it is based on Annex SL, and so it puts far more emphasis on context, leadership and risk as part of strategic planning. But this to me makes sense. Why would you not want to design your Information Security Management System (ISMS) to align with your business objectives? With risk redefined as "the effect of uncertainty on objectives", an ISMS then just becomes a management tool for dealing with those security issues and opportunities that your business needs to concentrate on to achieve its corporate or operating plan.
The Wigan audience seemed to get this too. With only about 10% having any plans for ISO 27001, the cases of lost laptops, failures to dispose of boxes of printed material and sensitive information being emailed to the wrong addresses caught their attention. Perhaps a full ISMS isn't for them all, but it was great to see people saying "you know what, this information security stuff isn't all about IT, I need to ask some more questions back at the office".
And so to Perth, a new audience and the next chapter in trying to raise awareness of the need for us all to get involved in protecting the information we are entrusted with.