A bad start to week two for me. Unlike week one, it had been decided to go for the whole 5 days, and so an early start was required to set up at the National Motorcycle Museum. I’m no stranger to early starts; however, on this occasion my best endeavours to get up to Solihull to join the team were thwarted by a vehicle fire on the M40, and I sadly arrived after all had been set up (well, that was my excuse anyway).
Solihull is a popular venue, being close to the LRQA office, and so a chance for several of our colleagues to attend or waddle in, like our heavily pregnant Marketing Manager, Marie, giving me the chance to discuss the finer points of blogging, together with other managers like Ron, Judith and Kieron, who had provided help as part of the preparations. I make this point to demonstrate that an event that will host over 1,000 people takes a lot of effort from teams on the front line like ours, but also in the back office.
So, having established some of the high-level requirements in context, scope and leadership last week, we turn our attention to some of the activities and processes that now need to sit inside that framework. Clause 6 is all about planning; however, it links back to the issues and opportunities determined when setting the context. In this way the management system can clearly be seen to aid the delivery of business objectives, whether they are addressing the external needs of interested parties or the issues identified by analysis of the organisation.
Given that these internal and external factors will frequently change, a robust and repeatable method needs to be established. ISO 31000 provides a good guide and should help most organisations establish criteria. Perhaps an important point, and something I feel is potentially new about ISO 27001:2013, is the need to define criteria that identify when information security risk assessments need to be undertaken.
Many of the organisations I see have defined methods for evaluating risks as part of risk analysis; however, the scheduling of that analysis tends to be regular rather than event driven. For me a good system considers both aspects: yes, the routine is likely to ensure that they check periodically, but it is important to also review your risks before, during and after organisational changes, or in response to an unplanned disruption event. In that way you are ensuring that prompt action is taken rather than waiting for the next meeting.
Having identified the risks, the next step is to treat them. For most, risk treatment is about reducing the impact or likelihood, but we should not rule out the possibility of taking on increased risk in a controlled manner for a finite time to seize an opportunity. Again, this is where ISO 27001:2013 has introduced some subtle but significant changes. For those already familiar with ISO 27001:2005, it’s at this point that you tend to map the controls listed in ISO 27001:2005 Annex A to the risks; however, with the new version you are required to determine the controls you want to apply before considering those in Annex A. In principle I’m a big fan of this approach.
Often you see control-led systems, where organisations judge themselves against the control set first and hence claim that they are compliant. There is then a phase where risk management is retrospectively fitted to justify the controls. The new standard takes the view that it is better to think through what treatments you want to put in place and only then compare them to Annex A to ensure that nothing has been overlooked. In practice it remains to be seen what this will mean, but I think that the logic is a good one.
The tour now moves on to Wotton-under-Edge, a fabulous location in a Grade II listed mansion. After twice setting the event up and once taking it down in one day, we are pretty tired, but it’s been an interesting start to week one.