The agenda 14 behind the screens - Day 2

"Breakfast at 7" was how we started day 2. Perth racecourse is a great venue with lovely views across the track, but it was not available until the morning, so there was no choice but to go for an early start and set up first thing.

My crash course in audio-video continued. Today it was all about microphones. How to optimise where your clip mike should go: too high and you tend to look down at it, too low and it rubs against the lapel of your jacket. For the handheld ones, don't get too close to the speakers. And the last tip: always check that the cover on the battery pack is secure. Fortunately Keith always starts our session with a few words, which on this occasion gave me the chance to put back the batteries that had fallen on the floor.

Whilst I hope that these blogs provide a lighter insight into The agenda 14 tour, there is a serious side, and as we travel round the country I hope that 'Behind the Screens' brings a few thoughts on ISO 27001:2013. Over the next 8 days I'll try and cover the main parts as I see them. So let's start in Perth with Context.

Key to any Annex SL compliant standard is Context. Who we are, what we do, where we are going and what we hope to be are the sort of simple thoughts that go through my mind. As an assessor there is little point in getting into the Information Security Management System (ISMS) until I've understood the context, for it is critical to shaping the whole management system. Corporate plans, operating model, legal or regulatory frameworks, customer base and market all play a part. Useful techniques like PESTEL analysis, whilst not essential, often form part of my questions, as they provide a simple way of ensuring that the conversation with top management is balanced, open and likely to cover the contextual needs.

After all, we can all think of risks, but which of those risks are significant, which risks are likely to have an "effect on the uncertainty on objectives"? Without a sense of prioritisation, brought about by the focus on business objectives, there is a fair chance that the resultant ISMS is not appropriate to the organisation and any conclusions I draw will have little value.

Coupled with context are issues and opportunities. At Wigan someone asked "how do you define risk treatment?" The process of risk modification is the straight answer, but looking again at the standard it is interesting to note that it recognises that you might want to increase risk to take advantage of an opportunity, not just reduce the likelihood or change the consequence or impact.

So what did I learn in Perth . . . other than where to put my clip mike? For me it was about the importance of getting the basics right. Whether you are into quality, environment or information security, there is little point in trying to establish your management system without due regard for the context. However, once identified, you have the starting point for a system that can be tailored to ensure that the management processes will meet your business needs . . . present and future.

And so to Newcastle and the next stage in my journey round the UK and the next part of ISO 27001:2013 . . . Scope.

Sadly the drive south lacked the sun of the drive north, with only a few glimpses of stunning coastlines. A stop at Bamburgh castle provided a memorable highlight, with the turrets appearing from the coastal mist in the time-honoured way of such a formidable structure, and the chance to confirm that, yes, the North Sea is at its coldest in April . . .