I am now used to looking at the ISO 9001 Standard document itself. The ISO 27001 Standard document I have is 36 pages long as opposed to 20 pages for the ISO 9001 Standard. We’ve got even more Plan, Do, Check, Act in the ISO 27001 document. However, I soon suss out that the key bit we are looking at is Clause 4 onwards.
To start with, Clause 4 is pretty similar to the corresponding clause in ISO 9001. 4.2.1a talks about the establishment of an Information Security policy suitable for the business and a scope. Guess I can get my head around this.
4.2.1c is more problematic. I am told to “define a risk assessment methodology for my organisation” and “develop criteria for accepting risks and identify the acceptable levels of risks”. I just have a limited concept of what is involved here. This sounds like a job for McKinsey or Accenture but not me. The ISO 27001 Standard says more information about Risk Assessment Methodologies can be found in “ISO/IEC TR 13335- Guidelines for the management of IT Security = Techniques for the Management of IT Security”. There is no way I am going to be a sucker for that document! I’d rather stick my head in the hard disk crusher!
I can feel myself sinking lower in the water and looking up at this massive wave towering above me made of long words, jargon and confusion. Around this mix, there is an information security industry built which comprises lots of people who make money regurgitating long words which few outsiders understand. Right now the wave is looking really big – and it’s about to swamp my enthusiasm – for today at least.
Back to the ISO 27001 Standard – when I have done a risk assessment, I then have to treat the risks. This involves “selecting control objectives and controls”. What are those? No idea.
Next I’ve got to prepare a Statement of Applicability in which I must apparently list my controls and my control objectives and give my reasons for selecting them. My problem here is that I need an example of a Statement of Applicability – yes, to see the PRACTICAL implementation of all this. Information on which still seemingly cannot be found anywhere.
My brain and vision are blurred by the time I turn over to page 6. I am not reading every sentence, just kind of prodding the content with the eyes to see how painful it might be. But these bits, namely 4.2.2 through 4.3.1, are broadly familiar. They are talking about implementing the ISMS, monitoring and reviewing it and maintaining it.
And blow me, over the page is my old friend “Control of Documents”. And I am not being sarcastic – when you read him he might be one of the most boring friends I know but, right now, I am really pleased to see him. He’s hanging out with another buddy, “Control of Records”. This is okay, I now understand what these guys are about.
The next couple of pages aren’t so bad either – though I am skimming quite fast now – improvements to the system, preventative and corrective action etc. I want to keep my hard disk shredding company as straightforward as possible. These could be called problems (Non Conformities), temporary fixes (Corrective Action) and Solutions (Preventative Action) could they not? Life could be simpler if these people wanted it to be!!