ISO27001 Foundation Training: An interview with Nick Orchiston

ISO27001 trainer and consultant, Nick Orchiston, tells IT Governance the ins and outs of training, the problems his delegates face and the overall value of choosing training over self-study. In this exclusive interview, Nick reveals all….

Why do you feel delegates choose ISO27001 Foundation training over other study options?

My experience of running the ISO27001 Foundation course is that delegates fall into three main groups: For some, it opens their eyes to what ISO27001 is all about – the course is more than just introduction to the standard as it gives them a chance to interact with experts (cough, cough!), asking any burning questions that text books or the Internet can’t answer. Others may have quite a bit of knowledge already and are just looking for a ‘refresh’ of information to what they already know, especially if their organisation has decided to pursue certification.  And lastly, there are those that need to top-up their CPD points, whilst gaining some useful knowledge.

What is the most common discussion topic in your ISO27001 Foundation training classes?

One topic that does come up quite often for delegates is integrating their ISMS with an existing management system such as ISO 9001. This is often a ‘hot’ topic as it can of course bring  a number of benefits to the business, such as “economies of scale” when combining information security management systems (ISMS) with quality management systems (QMS), common auditing, common corrective action and preventative action (CAPA) etc.

Delegates also tend to seem interested in tools to help them document or automate their ISMS or risk assessment process; anything to make these processes less time-consuming! There are a few tools on the market such as the Standalone ISO27001 Toolkit and vsRisk®.

What do delegates on the ISO27001 Foundation course struggle with the most?

The most common problem delegates struggle with is gaining senior management/board buy-in. Unfortunately I don’t have a magic bullet for this one! It’s best to really understand ISO27001 and information security and then you will be able to put across the benefits much more easily (and with confidence!) to the board. There’s a great little pocket book titled ‘Selling Information Security to the Board’ by Alan Calder, which takes you through the steps to convince management and even includes a chapter on how to handle objections.

Board buy-in is the most common problem, but more recently I am seeing delegates struggle with buy-in from their colleagues. Convincing other departments (especially in larger organisations, such as universities) can be a real problem.  This is because many departments (or certain people within those departments) are reluctant to change. However, once you have board buy-in, it should be much easier to influence other departments.

What surprises most delegates about your course?

I teach both the ISO27001 Foundation and Internal Auditor training courses and what surprises all delegates is the number of information security practices they already implement in their organisation. They find that they are already practising the controls, but are just missing the formalised structure that an ISMS brings.

How do your delegates feel leaving your ISO27001 Foundation  training course?

I believe that many of the delegates leave ‘fired up’ to implement an ISMS and are convinced of the rightness of ISO27001. After attending the ISO27001 Foundation course, many delegates book themselves onto the ISO27001 Lead Implementer course which is the logical next step not only for their organisation, but for their career development as well.  I’ve heard many success stories from delegates since attending our courses of successfully implementing an ISMS and/or achieving certification. Training is definitely a step in the right direction to gaining knowledge and guidance that can’t be found in text books, helping you to really understand the subject.

If you want to ask Nick a question about ISO27001 training, contact him on