Having set up the night before, we had another relaxed start with a chance to catch up on some of those things that get put on hold whilst my focus is on the event. All the rooms we have used have had their own challenges. For this one, a large column holding the concertina walls that enable the room to be split in two stood proud from the screen end, meaning we had to bring the screen forward and move the tables so that it was visible from all corners. There was some debate about whether it was better to front or rear project. The latter is definitely the better option, as it avoids any risk of our shadows falling across the screen as we are presenting and also provides for some fun as people move around behind. Some of our silhouettes are more appealing than others.
Nearly there now with our journey through the standard’s clauses, with just 8, 9 and 10 to go. ISO 27001:2013 Clause 8, Operation, is interesting for its brevity in many ways. At barely half a page, it covers operational planning and control, information security risk assessment and risk treatment. Perhaps the key point is the link back to Clause 6, where all the major planning goes on; having done that, as Keith says, “you then just need to get on with it”.
From an assessor’s perspective I’m interested in how organisational and system change is handled, as change is often a major source of issues. People are unaware of or unfamiliar with the new controls, perhaps because the communication hasn’t reached them or they haven’t attended the training courses; either way, the inherent risk levels are higher due to the increased uncertainty. One of the most common pitfalls we find as assessors is a limited or missing risk assessment associated with change.
Organisations are generally good at the routine risk reviews, but when it comes to updating records as part of change management we tend to see more variable results. I’m sure that this has something to do with how organisations define “significant” as the criterion for judging when to carry out these ad hoc risk assessments. The last part of Clause 8 is about operational risk treatment. Again, this is a good source of documentation and records for the assessor to see. Risk treatment plans come in all shapes and sizes; some are embedded with the risk analysis, others are separate documents. In all cases, though, I’m looking for how actions are being progressed and, if they are not, what is that telling us?
So we move on to London, our largest event. I spend a lot of time in London so I’m sure it will be a good opportunity to catch up with some of my regular clients “off the record” as it were. I’m also wondering whether we will beat the ISO 27001 interest we experienced in Wotton-under-Edge. Tomorrow will tell!