I continue my inspection of Alan Calder’s sample ISO 27001 Toolkit.
Next I focus on “Procedures”. I am hoping this is the area in which things might become clearer. I think I have some advance understanding of what to expect here. I have got a draft staff manual from my solicitor and it tells employees what they can and can’t do with regards to email, internet access and other things. Eg. You can’t visit certain websites from work computers or use work email for private purposes.
The example procedures provided by Alan Calder here state over and over again that “The organisation requires……” For example, the organisation requires that users of notebook computers carry with them at all times the charges and spare batteries specified in the user agreement.” This is good advice and I suppose one has to write it down so that it will be followed and nobody can say that they didn’t know about the rule.
I am presently confused about the difference between policies and procedures within the context of the Toolkit– although I obviously have a clue from life in general. Eg. Procedures are made up in light of a policy and followed in order to comply with the policy.
Similarly, there’s a “Tier 3 Work Instruction” for employees about how to use Voicemail – not to give security information out on recorded messages unwittingly and the like. A third of the text of this work instruction seems to appear on every policy, procedure or work instruction document. Why does one need a “Work Instruction” that lays down rules as well as a procedure – why not incorporate everything in the latter?
Other declarations of the obvious in the sample procedures include, “The IT Manager is responsible for specifying, ordering providing the firewalls, malware, automatic updating and connectivity and back-up facilities….”
The Principles of Plan Do Check Act make another appearance. On seeing it, I turn the page quickly.
The most interesting item among the remaining files is an Information Security Manual – 38 sides of it. However, again it seems to come our with circular sentences that state the obvious.
In sum, this toolkit may be useful to some people. Sure I’ve only seen 10 per cent of it. It has not, however, given me examples of the application of ISO 27001 and what you need practically to do to comply with it or to make your organisation secure. I think that if you’d done an ISO 27001 implementation previously, the Toolkit would save you time. I am starting from scratch and it hasn’t helped me much.
Based on historical entries in my diary