Thursday, 21 August 2014

PECB Accredited Training

 PECB Website
We are pleased to announce that we are now able to offer accredited PECB (Professional Evaluation and Certification Board) training courses in-house for clients wanting to develop staff competencies in the areas of implementation and auditing of their management systems.

Courses can be provided for ISO/IEC 27001, ISO 22301, OHSAS 18001 and ISO 9001, as well as ISO 31000 and ISO/IEC 27005 for risk management.
Contact us for more information and a quotation.

Tuesday, 17 June 2014

The proper context for policy writing

For a while now I've been intending to post a couple of example documents, such as policies and typical processes, for downloading on my website. Sitting here in my hotel room tonight, with nothing better to do, I figured I would get to work on an example/template for an ISMS Policy.

Sounds easy. I have no problem banging them out when I'm busy at work helping organizations to prepare theirs. But I've been sitting here for hours now and have little to show for it.

I'm phrasing it this way, then phrasing it another way, then changing my mind and looking at it from a completely different angle altogether. Which statement should I put in and which should I leave out? Who am I speaking to? What's the purpose of the policy? Who is actually doing the speaking? What is my focus? What is the actual message? I have no idea!

The problem, I believe, is that I just don't have any context. In an implementation we go through a whole bunch of things before we get to the point where we, or I, will sit down and write the first draft of a management system policy. At that stage, it just kinda flows. And when it's reviewed by the top brass, it makes sense and is relevant to them.

It just brought home to me (again) the importance of process, and why these ISO management system standards make you do what they make you do, i.e. 'understand the context of the organization', and also why I am so adamant about not using generic templates as a general rule of thumb.

I'm sure I'll put something up at some point, but be warned: if you end up downloading it, you will probably end up having to re-write the entire bloody thing as you find it doesn't fit your own business context!

Friday, 9 May 2014

Why do we trust in certification bodies?

Are you a believer? Do you accept that a company that is implementing and maintaining a management system based on ISO/IEC 27001 will have effective information security management processes appropriate for their unique business environment?
If you don't, then it's pointless worrying about how or why we should trust certification bodies, since their role is essentially to provide the interested parties of the certified organization with a greater degree of assurance of ongoing conformity to those standards.
In certification, you are putting your faith in the abilities of the individual auditors that carry out the audits on behalf of the certifying body. If two different and competent auditors plan and conduct the same audit, both will emerge with different findings. In order to have confidence in this process, you must also understand how it works, its value and its weaknesses.
National accreditation bodies, like UKAS in the United Kingdom, help to give us confidence by auditing the certification bodies, essentially on our behalf, and ultimately removing the accreditation if the certification body is not fulfilling its own management system requirements and complying with standards such as ISO/IEC 17021 (Conformity assessment requirements) - which, for example, requires that certification bodies and their auditors are independent in conducting the audit. For example, certification bodies cannot also be consultants.
Another important requirement is that certification bodies must have effective processes in place for selecting and training auditors to ensure the necessary competence - very important given that we are being audited by people, and all are different. Good certification bodies will ensure consistency as much as possible, and to a high standard.
So to answer my own question, we often trust in 'accredited' certification bodies because we understand that they are being monitored by a competent, independent third-party (a national standards body) and have to maintain certain standards in order to remain accredited.
Are there good and bad certification bodies? Are there good and bad auditors? YES to both! It's certainly not black and white, and good auditors can have bad days too! But ultimately, the certification process is a convention of trust. It is the reputation of the certification body and its accreditation that we are looking to for that trust, and that is the main reason why an unaccredited certificate of conformity issued by myself would likely be perceived as worthless compared to the certificate of a known certification organisation.
A final thought. When you see the little green lock icon in your browser window whilst typing in your credit card details for a spot of midnight shopping, and the URL reads HTTPS, do you stop to ask the question, "Why do we trust in Certificate Authorities"? SSL Certificate Authorities (CAs), those who issue the digital certificates to the e-commerce websites that we trust with our credit card and other personal details, are businesses too.
When it comes to selecting a certification body as an implementer, or evaluating a supplier who is certified, it is primarily the independence, reputation/brand, and history of the certification body which provides you with the degree of assurance that you are probably looking for. But it's not a guarantee.

ISMS Assets and Scope

ISO/IEC 27005 suggests that there are two groups of assets to be considered, primary and supporting. Primary assets are 'process' and 'information'; supporting, or secondary, assets are everything else.
In your scope statement, it is normally a good idea to identify your major primary assets or asset groups, since this is normally core to the reason you would be implementing ISO/IEC 27001. So it is typical to see 'customer information' identified in the scope statement, for example. This in turn indicates to 'interested parties', customers in this case, that any process, people, technology, etc. that touches on customer information (human, technical, physical, or whatever) will be considered, regardless of whether it is owned and managed by your company or is outsourced.
A VPN, therefore, is a secondary asset and [normally] has value (is important) to your organization because customer and other information may be travelling in, through and out of the tunnel, and it has a role in protecting the confidentiality, integrity, and availability of the information which travels through it: it's a control. But equally, it presents a risk, since it can fail and render information unavailable, among other things.
This is where scoping starts to get a little more complex, because we are now talking about boundaries and interfaces: a VPN is most often used to facilitate the secure transfer of information from point A to point C, via a third party B. Your ISP could be point B in this example, an entity which would be out of scope of your ISMS (you have no control over their security environment) but which represents a boundary and is itself an asset, since you depend on them to be able to send and receive information in your business. Note also that a VPN is not something that is required in order to send and receive information; we implement one as a means to manage risks, primarily concerning confidentiality.
To make matters more complex, not all assets are things that are in scope per se. Take personal mobile telephones: are they assets? Not owned by the company, but often used by employees to do their work, and often containing highly sensitive and important business information, so yes, they are an asset. As is your home office, where you take your work home for the weekend, making it an asset, but likely out of scope. Does your organization implement controls to manage these risks? Do they recognize the risks?
So scope and assets are two different things. Scope simply tells us where we can and will apply our ISMS policies and procedures, and what is covered in terms of core business and information. Boundaries, interfaces, and out-of-scope processes are something we must be aware of so that we can assess the risks, put in place the appropriate controls and manage the risks, commonly by way of contractual arrangements and other methods.
Scope statements will normally make reference to information (the actual information, not the database that contains it, which is a secondary asset), processes, and locations. It doesn't have to be detailed and complicated, but it is very important and should be accurate. It plots out the big picture for us, from which we can dig into the details.
The scope also gives us a starting point for our assets. So if customer information is mentioned, we can start to figure out where and how that information is used throughout the business processes. That leads us to want to draw up an asset register, so that we don't forget, and so that others can improve on our work in the future. By following the process, we'll also start to identify those secondary assets, like the database that holds the information and needs to be available to users, and then we find that users become an asset, and so on.
So how do we identify these assets in our ISMS? Try the following: draw a process diagram for a process that is in scope (inputs, activities, outputs, resources, controls/management). Identify the information that is created, used, destroyed, etc. within this process: the process and the information are your primary assets. Then look at how and what uses those assets within that process: they are your secondary assets. It all goes into your asset inventory, because this gives us the context for our risk assessment. And generally speaking, it is a good idea that each department or function is made responsible for maintaining its own inventory of assets.
This is why scoping and the identification of assets are so important, since they drive the implementation of the whole ISMS. Miss something important and the ISMS will add no value to your business. Include things that are irrelevant, and you will be burning valuable resources.
Which brings us to a final consideration when establishing the scope: what is the purpose of the ISMS? A question that must be answered by top management. Answer that, and things will start to become clearer, and it all starts by first understanding the Context of the Organization.
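To show the asset-identification procedure above in a form you can actually run, here is an added example (not from the original post, and not a tool the author describes). It models an in-scope process as its information plus the resources that touch that information, derives the primary and secondary assets into a register, and lists the out-of-scope supporting assets that in-scope information still depends on, i.e. the boundary interfaces whose risk is typically treated by contract rather than by the ISMS's own controls. The Process, Resource and Asset classes, the rule that a supporting asset is in scope only if the organisation owns and manages it, and the sample processes are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed, ISO/IEC 27005-flavoured asset model (assumption for this example):
# primary assets are the process and the information it handles; supporting
# (secondary) assets are everything that stores, carries or acts on that information.


@dataclass
class Resource:
    name: str
    category: str             # e.g. "technology", "people", "site", "service"
    owned: bool               # owned and managed by the organisation?
    external_party: str = ""  # who sits on the far side of the boundary, if anyone


@dataclass
class Process:
    name: str
    information: list          # information created/used/destroyed in the process
    resources: list            # Resource objects that touch that information


@dataclass
class Asset:
    name: str
    kind: str                  # "primary" or "secondary"
    category: str
    in_scope: bool
    supports: list = field(default_factory=list)   # information this asset handles
    boundary_with: str = ""


def build_asset_inventory(processes):
    """Derive an asset register from in-scope process diagrams.

    Assumed rule: a supporting asset is in scope only when the organisation owns
    and manages it; everything else is recorded as an out-of-scope dependency.
    """
    inventory = {}
    for proc in processes:
        inventory.setdefault(proc.name, Asset(proc.name, "primary", "process", True))
        for info in proc.information:
            inventory.setdefault(info, Asset(info, "primary", "information", True))
        for res in proc.resources:
            asset = inventory.setdefault(
                res.name,
                Asset(res.name, "secondary", res.category, res.owned,
                      boundary_with=res.external_party),
            )
            for info in proc.information:
                if info not in asset.supports:
                    asset.supports.append(info)
    return list(inventory.values())


def boundary_dependencies(inventory):
    """Out-of-scope supporting assets that in-scope information passes through."""
    return [a for a in inventory
            if a.kind == "secondary" and not a.in_scope and a.supports]


# Constructed sample input: two processes drawn the way the post suggests.
SAMPLE_PROCESSES = [
    Process("Customer onboarding", ["customer information"], [
        Resource("CRM database", "technology", owned=True),
        Resource("Site-to-site VPN", "technology", owned=True),
        Resource("ISP connectivity", "service", owned=False, external_party="ISP"),
        Resource("Sales staff", "people", owned=True),
    ]),
    Process("Weekend report preparation", ["customer information", "financial reports"], [
        Resource("Personal mobile phone", "technology", owned=False, external_party="employee"),
        Resource("Home office", "site", owned=False, external_party="employee"),
        Resource("Sales staff", "people", owned=True),
    ]),
]


if __name__ == "__main__":
    register = build_asset_inventory(SAMPLE_PROCESSES)
    for a in register:
        flag = "in scope" if a.in_scope else f"OUT OF SCOPE (boundary: {a.boundary_with})"
        print(f"{a.kind:9} {a.category:12} {a.name:28} {flag}  supports={a.supports}")
    print("\nBoundary interfaces needing contractual/other treatment:")
    for a in boundary_dependencies(register):
        print(f"  {a.name} ({a.boundary_with}) carries {', '.join(a.supports)}")
```

Running it prints the derived register followed by the three boundary interfaces (ISP connectivity, personal mobile phone, home office) that carry customer information without being under the ISMS's direct control, which is exactly the list you would take into the risk assessment.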

Thursday, 27 February 2014

Another airport lounge experience

There is ALWAYS a wireless internet connection available to weary travelers in airport lounges who need to stay connected. It's just always there. And I think it's generally expected - am I wrong? I just don't recall a time when I've been in a lounge where you just couldn't get connected, even if it meant paying for it.

Until today that is. The Marhaba Lounge at Dubai airport, which normally provides a free connection, has, according to a member of staff, been cut off by their service provider and negotiations for its return are ongoing. 

The impact? No matter the actual reason or story behind the scenes, you still have unhappy - paying - customers (and a non-complimentary blog entry :). 

It's a good reminder of how important outsourced processes/services are for many businesses and how critical it is to identify and manage risks when depending on those who exist across the other side of your ISMS boundary.

Let's hope they work fast to get back that elusive service and take steps to prevent a recurrence of the same issue.

A = Availability

Saturday, 21 December 2013

Airline information security failures

In my work I get to travel a fair amount, across Africa and the Middle East mostly. On my travels I'm always thinking to myself, "why don't you guys implement ISO 27001 and make the world a better place?" Here's an example of one of those times.

Recently I was traveling home from Riyadh, Saudi Arabia, on one of the region's low-cost carriers, flydubai. I arrived in plenty of time at the airport, checked in (no online check-in unfortunately), made my way through the immigration and security queues, and headed for the gate noted on my ticket. When I got there, there was no airline representative and no information on the screen. No Fly Dubai plane parked outside either. On the airport information screens it was mentioned, "Fly Dubai - Gate 17 - Counter closed", so I took this to mean that I was too early.

It'd been a long week so as usual, I wander off to the business lounge to eat, drink, and relax while I wait for the "Gate Open" or "Boarding" announcement on the screens.

After some time, the announcement is updated to "Delayed". Trying to get some more information, I go back to the gate. Still no rep' from the airline, and no plane outside the gate. I'm starting to feel frustrated at this point. The airline staff on the next gate inform me that the plane didn't even leave from its origin yet, and based on that I estimate I have at least another two hours before there is any chance of departing. Annoyed with the lack of information, I return to the lounge figuring I'll just monitor the screens for an update.

An hour and a half passes. Still nothing, until suddenly my flight vanishes from the screen! Aggravated and slightly concerned, I go back down to the gate. Nobody is there. Confused, I ask the neighboring counter staff, who inform me that the flight already departed. I am one angry customer!

Fortunately there is another flight leaving an hour later. I assume, given the circumstances, that there would be some concession. No such luck. I am charged full price for a new ticket, and worse, it is a business class ticket since there is no space on the flight in economy. It's no longer low-cost, as the price I'm charged is as expensive as the regular carriers.

The manager refuses to come out from his office and sends his subordinates (those with no authority to make decisions) and, despite a last plea for a reduced price on the ticket, I am refused, left with a choice to either reside forever-more in a Saudi airport, or pay through the nose for a second ticket home.

Those of you reading with a more stubborn view of business and the concept of customer satisfaction are probably thinking that I should have waited aimlessly all day next to the gate so that I wouldn't have missed the flight. Others, maybe those who travel more regularly, probably understand why I didn't.

Regardless, the point is, why doesn't Fly Dubai have an ISO 27001 management system and make the world a better place? With information availability and integrity at its heart, an information security management system could make Fly Dubai, and others like them, more competitive, improve their reputation, and essentially, make them more profitable. I for one will not be using them again (at least not willingly) and certainly can't recommend them to colleagues or friends.

Incidentally, I was subsequently informed by the airline staff -- whilst they were busy blaming me for my error -- that the "Counter Closed" message displayed on the information screen in the lounge was actually a reference to the check-in counter being closed, not the boarding gate counter being closed as I'd wrongly assumed. Why passengers who are already checked in and waiting to board a flight need to be informed about the check-in counter's closure I have no idea.

Information security failures such as this one can have subtle but cascading effects in the long term. I'm just one voice. But repeated failures will eventually impact their reputation and perhaps change opinions about the benefits of a low-cost carrier. It would have cost them virtually nothing to stick me in one of the empty seats on that next flight. Or at least to acknowledge some degree of responsibility. Or even just to give me the benefit of the doubt and offer me a discounted ticket - I am (used to be) a paying customer after all.

Good practice is good practice for a reason. Wake up airline people and start adopting these standards!

Ok. Time to head to my gate as I post this whilst sitting patiently in an airport lounge and hoping that the information provided is accurate. 

Did anyone else experience the same or similar problems? Does it bug you also, or is it just me? Feel free to post your comments, thoughts, and own experiences.  

Thursday, 13 June 2013

Improvement planning and objective evidence

In a recent audit of a client’s business continuity program, an auditee in the company’s communications department who was responsible for the internal communications protocol offered up, when asked, an improvement opportunity that he had identified a month earlier regarding the early warning process that they were currently following.
At the time I was auditing, the authorized procedure for notifying staff of an impending disruptive incident (an approaching sand storm, for example) involved sending out a red-coloured alert message by email and SMS to all staff, at all levels, and to all locations and offices across the entire country in which they operated, to warn staff of the coming event. In this case, the communications specialist had identified that by sending messages indiscriminately to everyone, staff who would be unaffected by a localized event might become complacent about the little red notice’s importance, hence reducing the effectiveness of the procedure. The proposed solution was to review this procedure and see if it could be improved upon by having the capability to target the messages to specific audiences.
In any management system audit, such an initiative is a very positive finding since it is evidence that continual improvement is in fact occurring, as indeed it should be if we are properly aligned with the subtleties of the process approach, PDCA model, and continual improvement mandated by all ISO management system specifications. In ISO 22301, this requirement basically falls under clause 9.1 Monitoring, measurement, analysis and evaluation for identifying the improvement and clause 10.2 Continual Improvement for taking action. However, it is the next step wherein many organizations often fall short, especially within those who have only recently established their shiny new management system and haven’t thoroughly come to grips with the complexities of the process approach. The next step is obviously to plan the improvement action; and the next audit question then, is likely going to be something along the lines of, “Please show me the plan!”
Unfortunately, organizations with a less mature understanding of the requirements of management systems and more importantly this PDCA culture think that by just fulfilling the minimum stated requirements of the standard that they are fully meeting their obligations and have a conforming management system. But this is not necessarily so, as auditors are not there to simply tick boxes, but rather, to audit the intention, implementation, and effectiveness of the management system – they’re auditing the process itself and there must be sufficient objective audit evidence made available to the auditor so that a determination can be made as to the extent of conformity to established requirements.
In the case of my auditee, the communications manager, he was unable to provide evidence, other than a few inspiring words and a couple of emails that had been largely ignored by the recipients, of any real commitment or support to actually implement the improvement that he had identified.

PDCA (Plan – Do – Check – Act)

The process approach means that once the process weakness or improvement opportunity is identified (at the C – CHECK stage) it should be evaluated and, if appropriate, acted upon (A – ACT). A decision to take action leads us back to the beginning of the cycle, P – PLAN, and therefore there should be audit evidence available, in one way or another, of the decision having been taken (who decided? who authorized the action?) and of the planning of the improvement itself.
Without getting into a discussion about documentation requirements: it is true that a plan may not necessarily be documented (nor is it required to be), but records are still typically required to be maintained as evidence. The point is that there must still be objective evidence that the organization is in fact planning, that it is in control of its own processes, that it has management support, and that the necessary resources are committed for the process to achieve its objectives. A member of staff claiming that he is planning to do something, without then supporting that claim with something a little more tangible, is likely to fall short in an audit and certainly doesn’t give an auditor any confidence. In terms of planning, there should at least be some clarity on the basics, which would include accountabilities and responsibilities, planned actions, a clear time-frame, and, not forgetting, an objective! (You are taking action to actually achieve something, right?)
In most other management systems there is still the age-old requirement for “Preventive Action”, which clearly mandates this need to record evidence of improvement planning; however, the days of a preventive action procedure are limited and, as is the case in ISO 22301:2012, we now look to clause 6.1 “Actions to address risks and opportunities” for this requirement to “plan actions to address ... opportunities” and to “integrate and implement [these] actions.”

Conclusion

To ensure that you are getting the most out of your ISO 22301 internal and external audits, ensure that your management processes identify and include requirements for maintaining evidence of the management system’s effective implementation. It is generally a good idea to document any improvement plans and activities.
For implementers, it is wise to ensure not only that the necessary documentation is produced during the implementation stages of a certification project, but also that the management culture is developed in line with the process approach to management.
I hope this article has been helpful. Feel free to post questions or comments, or to share your own experiences or views on the topic.