Following a successful InfoSec Europe 2013 at Earls Court, London, Steve Watkins (Director, Trainer and Consultant at IT Governance Ltd) reflects on the most popular enquiries relating to ISO 27001 …
Key questions and answers:
- When is the new ISO 27001 coming out?
- What changes are there to the control framework?
- What will it mean for our ISMS/certification?
Back in January, IT Governance’s CEO, Alan Calder, issued some information on the Draft International Standard that was put out for public consultation.
I blogged about the latest news prior to the exhibition and what a new standard would mean for those with certification. Nothing has changed as of yet, and if you are considering ISO 27001 there is little point in delaying your project. We share any news when it arrives, so keep up with the latest on Twitter (@ITGovernance and @swatty70) – watch this space!
ISO 27001 for SMEs?
A number of visitors were asking about an Information Security Management System (ISMS) standard for SMEs, suggesting that ISO 27001 is not suitable for small organisations.
I maintain that ISO 27001 can be applied to small organisations and work really well for them (see Eagle and Ascensus case studies as examples), and that it is the approach used by that those claiming it is not applicable that does not suit.
Is there an ISO 27001-equivalent standard specifically for the UK?
Not yet, and technically there will not be. However, the draft of PAS 555 – the “Cyber security risk – Governance and management – Specification” came out for public consultation in late 2012/early 2013 and my guess is that it will become the default qualification criteria for UK businesses looking to supply the public sector. It will of course take a while for any form of third-party certification scheme to establish itself, but in the meantime (guess what?) ISO 27001 is a good starting point and an ISMS that reflects that can certainly encompass PAS 555 compliance.
And finally the most popular query regarding training …
Which is the best course, the ISO 27001 Lead Auditor or ISO 27001 Lead Implementer?
Unsurprisingly, it depends on what you are looking for from a training course/qualification. The Lead Auditor certificates still has the greater degree of traction with potential employers, arguably for all the wrong reasons – it is actually the ‘Lead Implementer’ course that is designed to give a delegate the knowledge to be able to manage a successful ISMS/27001 certification project. The Lead Auditor should provide the delegate with the means to conduct audits on other organisations; I say ‘should’ as some of those I have seen concentrate more on enabling the delegates to pass the end-of-course-exam as opposed to developing audit skills! The Lead Audit course also gives an insight into what a competent auditor from a client or certification body should be looking for if/when they come calling. (For the record, the IT Governance Lead ISMS Auditor course has always been positioned to develop the candidates audit skills to enable them to conduct an effective audit of an organisation’s ISMS using ISO 27001 as the framework and in doing-so, enable them to pass the exam also – a slight, but important difference!)