The agenda 14 behind the screens - Day 4

So as we pack up for the weekend a chance to recap on the week, that’s not to say I stood on one side watching the team and didn’t help put the equipment away. We have that down to a fine art now after 4 days of setting up and taking down. Over 400 people have been to the 4 events and for the most part seemed to have found it interesting and enjoyable. The majority are mostly interested in quality, safety or the environment, but I feel that Keith and I have got some people thinking about information security.

In previous blogs I covered context (clause 4) and scope (4.3), now before we close for the week a few thoughts on leadership (clause 5). For many this is probably the key area for this and all the standards and always has been, but the new Annex SL format puts more emphasis on top management getting involved. It’s top management that need to determine the context and approve the scope. As before they continue to have to set policy and objectives and communicate this to the organisation, but there are some new phrases in the standard about directing and supporting other relevant management roles (a significant change in Keith’s view). Certainly one of the topics that was debated in several of the workshops was how attendees were going to get top management more involved.

From my perspective as an assessor I’ll be looking to meet those involved in policy approval, understand from them the thinking and planning behind those high level corporate and business plans and satisfy myself that the objectives being set for the management system align upward with the context and downwards to the methods and measures that will be used to determine whether the management system is working effectively. 

It will be interesting to see what level of documentation will be produced to demonstrate that these high level processes are operating. From my experience with ISO22301 (which already follows the Annex SL structure) the new standard is helping top management to get involved. Perhaps that’s because business continuity planning is all about sustained production or service delivery over the long term, but I also get a sense that more see the link between the business objectives and the need to see the management system as a tool to achieve those objectives. 

They also see the benefits that Annex SL brings in making it easier to integrate all the management systems and hence make them more efficient. From that perspective ISO 27001:2013 is very clear in clause 5.1b) that top management should ensure that the ISMS requirements are integrated into the wider organisation’s processes.


So as I take my driving over the 1,000 miles on my way home I am looking forward to next week. The northern half of the event has been fun with the chance to meet people who are passionate about their products, services and management systems. I am sure that the southern half will be the same, but I’m curious whether there is any difference in their perspective of information security.