Optimise your ISMS

There is a new edition of the ISMS standard (ISO/IEC 27001:2022), and you are encouraged to start planning your transition now, if you already have an ISMS, or using the new standard if not. Here is how to optimise your ISMS.

Book cover for An introduction to ISO/IEC 27001:2022 by David Brewer

David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

One of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered, as can measuring performance, showcasing and exploiting your ISMS.

Critical success factors for operating an ISMS

ISO/IEC 27001 specifies what you must do to achieve conformance, not how to do it. It is like being given the ingredients and told to make a cake, but not being given the recipe. Whilst there are many good recipes, some are much better than others. For success:

The standard should be moulded to your organisation, not the other way round. Much of what you need, likely as not, will already be in place — it just might not conform to ISO/IEC 27001. Just how far off can be determined by a gap analysis, and that is an analysis between what you are doing and the requirements of Clauses 4–10 of the standard, not the Annex A controls, as those are not requirements.

Graph showing completion dates versus ascension dates for actions
placed on an Integrated Management System (IMS) To-Do-List (TDL)
since 2008. The graph shows how frequently actions are placed on
the TDL. They are not clustered around the certification dates,
which are six-months apart, showing that the IMS is in regular use.

Treat your ISMS as a journey, not a destination. Clause 10 explains what to do about nonconformities and improvements. Record all your ISMS related actions on a To-Do-List; assign target completion dates and responsibilities, and monitor regularly. Don’t forget to reassess your information security risks at planned intervals and when significant changes are proposed or occur; and update your risk treatment plans accordingly — the information security threat landscape changes frequently😮

Look forward to your certification audits — they are opportunities to showcase your ISMS — show it off with pride.

Lead from the top. When top management leads by example, it increases awareness, builds information security into the culture of the organization and makes it much easier for everyone else to implement.

Treat information security as a management issue. This is why top management plays a leading role. It is to direct and control the organisation in all of its respects, one of which is information security.

Read and understand each and every requirement. Use the definition of terms given in ISO/IEC 27000 and where necessary, ISO 31000, the ISO identical core text and the Oxford English Dictionary or Oxford Dictionaries Online. The requirements of ISO/IEC 27001 are in Clauses 4–10. Notes are not requirements. The controls in Annex A are not requirements.

Documented information is not required for everything. ISO/IEC 27001 is very clear on what is required

Documented information	ISO/IEC 27001 Clause
Scope of the ISMS	4.3)
Information security policy	5.2 e)
Information security risk assessment process	6.1.2
Information security risk treatment process	6.1.3
A Statement of Applicability	6.1.3 d
Information security objectives	6.2
Evidence of competence	7.2
‘documented information determined by the organization as being necessary for the effectiveness of the information security management system	7.5.1
‘...to have confidence that operational processes have been carried out as planned.’	8.1
‘...results of the information security risk assessments.’	8.2
‘...results of the information security risk treatment.’	8.3
‘...evidence of the monitoring and measurement results.’	9.1
‘...evidence of the audit programme(s).’	9.2
‘...evidence of the audit results.’	9.2
‘...evidence of the results of management reviews.’	9.3
‘the nature of the nonconformities and any subsequent actions taken...’	10.1
‘the results of any corrective action.’	10.1

and you are permitted to supplement the requirement, if you determine that it is necessary for the effectiveness of your ISMS. Write down what you do, not what you think would please an auditor. Many nonconformities are caused by documenting your aspirations rather than what you do.

Want to know more?

David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

We also have some technology that can help you to create an ISMS with all the aforementioned desirable properties. Just because you already have an ISMS does not mean that you cannot take advantage of IMS-Smart On-Line. Think of it as upgrading to a brand new car, and take advantage of the ISO/IEC 27001 transition period to do it.

If you have any question about ISO/IEC 27001:2022 or IMS-Smart On-Line, just or use the find facility above. We will be pleased to assist.

Logon to your IMS-Smart product
USER NAME
PASSWORD
Don’t have an IMS-Smart product? Learn more, register an evaluation copy, read the books.

Search the ims-smart.com website
SEARCH TEXT

Upgrade your ISMS to this year’s shiny new model