It had only been possible to get the screen set up the night before, but we are a well-practiced and finely honed operation now and so once Giles released the keys to the van, sleeves were rolled up and the room was soon transformed. So efficient that I had a chance to help out on the reception desk and test my skills with sticky tape and making sure I met Amanda’s exacting standards for signage.
Clause 9 in the standard is about Performance evaluation; when I say standard I mean Annex SL as well as ISO 27001, and so it is applicable to all standards. It’s an expansion of the previous management review process, integrating internal audit together with the formalisation of what, who, how and when you are going to monitor, measure, analyse and evaluate the management system. Time will tell how the balance of qualitative and quantitative measures will evolve. In my view ISO 22301 does this aspect slightly better with explicit linkage back to Clause 6 (Planning) and hence to Clause 4 (context and objectives). For some reason ISO 27001 doesn’t include the cross-reference explicitly to remind us; however, the need to judge the performance against information security objectives is still there, tying us back to the start and closing the continual improvement loop.
Not surprisingly, given the large attendance, our usual workshop was harder to run and involve everyone; however, it was good to see that the discussions over risk ownership were starting to trigger thoughts in the quality management community and for those with Information Security Management System (ISMS) questions about how they were going to communicate and engage with the wider community.
Questions about controlling information that is given to cloud-based hosting services and the potential loss of intellectual property when sharing within the scientific community clearly demonstrated that the collective little grey cells were trying to grasp the new requirements.
As I hoped, several of my clients were present and it was nice to meet them offsite, albeit briefly.
Tomorrow is our last day and my last blog in the current series. We will cover Clause 10 - Improvement and hopefully get a chance to reflect on the whole experience. Thank you to those that have followed these pages over the last two weeks. A LinkedIn webpage is being set up which will try to report back on all the questions asked across the 9 days and provide a community for debate and discussion. I’ll be back on the assessor road but will be monitoring the site and if I miss something I’m sure Claire, Amanda or Marie will draw my attention to it.