Having set up the night before, day 6 started in a relaxed manner. It gave Keith and me a chance to review the feedback from attendees and tweak our approach. As part of every event we seek feedback and try to respond to it each day. Each event has had a different balance of interests, so in the opening part of our presentation we check how many people are aware of Annex SL and ISO 27001. Typically this has been low; however, we were rather shocked by the number of attendees at Wotton who were familiar with ISO 27001. As a consequence we tried to shift the emphasis onto the differences between the 2005 and 2013 versions.
You may recall that part of the event is a short workshop session. As with the balance of delegates, the feedback on this has been mixed, and so again we have tried to adjust the emphasis, recognising that risk ownership is not currently likely to be a requirement of the new ISO 9001 or ISO 14001 standards. However, in my view, whilst there may not be a formal requirement, most organisations recognise that without someone taking ownership little progress can be made.
I had an interesting experience a few years ago when catching up with an Information Security and Quality Manager as he approached retirement. As part of the handover they had carried out a full reassessment of their risks. When he took me through the changes I asked, “The scores have changed significantly; why is that?” After all, their products, services and the information that they were protecting hadn’t changed. “Interesting,” he said, “we appear to have changed our perception of risk.”
This change in scoring simply highlights the importance of getting the appropriate people involved. We can apply tools and techniques, but it is people who perceive risk, and they perceive it differently; therefore, whilst systems will minimise variability, ultimately the risk owner is going to be the driving force behind any risk treatment. How we assess whether the right people are taking ownership of risk is, I feel, going to take time to work out. If you’ve got views on this I’d be interested to hear them.
So, to remain on track with my brief review of ISO 27001:2013 and, to some degree, Annex SL, we need to have a look at clause 7, Support. This is all about resources: who and what is needed to establish, operate and improve the system. The new standard talks about people under the system’s control and hence recognises that you may have contractors or temporary personnel carrying out specific tasks.
So how do you know that they are aware of their responsibilities, and how are you checking that they are competent to fulfil those responsibilities? A lot of this is standard (pardon the pun) stuff, but there is one particular change that will need some thought. Clause 7.4 has expanded the concept of communication. It was always a top management responsibility, but now it requires more formalisation. For context, last week we talked about interested parties; now we need to think about them, their communication needs, and the good old who, what, when and how, and how those requirements are determined and implemented.
The other side of resources is documentation. I find myself treading very carefully here, as whilst everyone understands the need for documentation, it is often one of the most controversial aspects and triggers more debate than I feel it should. Clearly there are stated requirements in the standard for certain aspects to be documented. No system is going to be effective without a written and approved policy, for instance, but there is a nice line in 7.5.1 b): “documented information determined by the organisation as being necessary for the effectiveness of the ISMS”. In other words, you decide.
Rather than go on I think I’m going to pack up my mouse and leave it there. Perhaps on another blog I’ll revisit this aspect as it’s certainly true that one size doesn’t fit all.
So I had the pleasure of Keith’s company as we drove on to our next site, Norton Park, just outside Winchester. Set in the countryside, with the spring flowers along the hotel drive glowing in the afternoon sun, it was a beautiful way to end the day. Keith is apparently developing some new training material covering all you need to know for ISO 27001:2013, with a whole new case study. Not one to be missed, in my view.