The seven quality attributes of an ISMS

The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last

1. Easy to demonstrate conformance — everything is just a click away

We use PHP-generated HTML for our electronic documents and store all the documented information in a database. You view it using a browser. ISMS documented information is hyperlinked, so in many cases what you need is just a “click away”. No more searching filing cabinets for printed paper. Just click. This enormously speeds up certification audits: once you see where the auditor’s questions are leading, you can click through and quickly display all the evidence needed to demonstrate conformance.

2. Risk assessment results that top management and risk owners can understand

We drive risk assessment using 9 event scenarios, the necessary controls for which guarantee coverage of the ISO/IEC 27001 Annex A controls. The scenarios are easy to understand, e.g., loss of a mobile device. Risk assessment is then just an estimate of how often the event could occur and how severe its consequences would be.

3. Risk treatment plans that top management and risk owners can understand

We use the “tell-it-like-a-story” approach. Our risk treatment plans are designer plans, i.e., they specify the interrelationships between controls and explain how the controls work in concert to modify risk. Because the plan is written as a story, it is easy to comprehend how the controls act to prevent the event, detect the event should it occur, and react to the consequences if all else fails.

4. Distinguish between controls performed by you and by other organisations

If your ISMS organisation is part of a larger organisation, e.g., a department within a faculty of a university, or perhaps just part of that department, your organisation is unlikely to be responsible for implementing all of your necessary controls. Controls concerning HR and physical security are likely to be performed by other parts of the larger organisation to which you belong. We have a way to deal with this.

5. Actions are recorded in a TDL and linked to the reports that generated them

As we use designer risk treatment plans (RTPs), we use a To-Do-List (TDL) to record ISMS actions (e.g., nonconformities, risks and improvements). Each action is linked to the report (e.g., an audit or management review) that generated it, so when reading, say, an audit report, its actions are shown as outstanding, overdue or completed, and these markings update whenever the action’s status in the TDL changes.
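The linkage described above, as an added illustration that is not the product’s own code: actions live only in the TDL, each carries the identifier of the report that raised it, and a report view derives the outstanding/overdue/completed marking from the TDL record at display time rather than storing a separate copy. The action and report identifiers, field names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Action:
    """One entry in the To-Do-List (TDL). Fields are assumed for this example."""
    action_id: str
    report_id: str                      # report (audit, management review) that raised it
    kind: str                           # e.g. "nonconformity", "risk", "improvement"
    description: str
    due: date
    completed: Optional[date] = None    # set only when the action is closed in the TDL


def action_status(action: Action, today: date) -> str:
    """Derive the display status from the TDL record.

    The status is computed, never stored alongside the report, so every report
    that links to the action always shows its current state.
    """
    if action.completed is not None:
        return "completed"
    if today > action.due:
        return "overdue"
    return "outstanding"


def report_actions(tdl: List[Action], report_id: str, today: date) -> List[Tuple[str, str]]:
    """Actions a given report should display, each with its live status."""
    return [(a.action_id, action_status(a, today)) for a in tdl if a.report_id == report_id]


def overdue_actions(tdl: List[Action], today: date) -> List[str]:
    """Identifiers of all open actions past their due date, for management review."""
    return [a.action_id for a in tdl if action_status(a, today) == "overdue"]


def close_action(tdl: List[Action], action_id: str, on: date) -> None:
    """Mark an action completed in the TDL; reports pick this up on next view."""
    for a in tdl:
        if a.action_id == action_id:
            a.completed = on
            return
    raise KeyError(f"no such action: {action_id}")


# Constructed sample TDL (hypothetical identifiers and dates).
TDL = [
    Action("A-1", "AUD-2023-01", "nonconformity", "Update access review procedure", date(2023, 4, 30)),
    Action("A-2", "AUD-2023-01", "improvement", "Enable MFA on VPN", date(2023, 6, 30),
           completed=date(2023, 5, 12)),
    Action("A-3", "MR-2023-Q1", "risk", "Re-assess mobile device loss scenario", date(2023, 9, 30)),
]

if __name__ == "__main__":
    today = date(2023, 5, 15)
    print("Audit AUD-2023-01:", report_actions(TDL, "AUD-2023-01", today))
    print("Overdue:", overdue_actions(TDL, today))
    close_action(TDL, "A-1", today)
    print("After closing A-1:", report_actions(TDL, "AUD-2023-01", today))
```

Because `action_status` is recomputed on every view, closing an action in the TDL is immediately reflected in the audit report that raised it, which is the behaviour the text describes.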

6. Require people to acknowledge reading and understanding ISMS policy pages

There is an ISO/IEC 27001 requirement that persons doing work under the control of your ISMS organisation are aware of your information security policy, and there are information security controls related to this requirement that you are likely to consider necessary. We have a facility for users to acknowledge that they have read and understood any custom page you designate, and you can easily produce reports showing which pages have not been read and by whom.

7. Guarantee that every requirement in ISO/IEC 27001 has been fulfilled

We use a conformance table that lists every ISO/IEC 27001 requirement in one column and an explanation of how it has been fulfilled in the adjacent column. Never get caught out unawares in a certification audit. Just ask which clause the auditor is referring to, look it up in the conformance table to find the source of evidence, and show that evidence to the auditor.