ISO 27001/BS 25999 documents, presentation decks and implementation guidelines


Surveillance visits vs. certification audits

By Dejan Kosutic on November 05, 2012

Surveillance visits are very often quite different from (initial) certification audits, so in this post I’ll explain why this is so and what the differences are.

Note that everything I discuss in this post applies not only to certification audits for ISO 27001 and ISO 22301, but also to all other certifiable management system standards, such as ISO 9001, ISO 14001, ISO 20000, etc.

The certification audit and its limitations

During the first (initial) certification audit the certification auditor will check whether all the main elements of the management system are in place – all the documentation, all the required records, all the processes, etc. The auditor will also check whether the main processes work as described in the documentation, but such checks will be limited, because at that point the management system will have been in place for only a few months, or even only a few weeks. (To read more about the certification process, see this blog post: How to get certified against ISO 27001?)

On the other hand, the certificate is issued for a period of three years – so, for instance, if the initial certification audit was performed in November 2012, the certificate will be valid until November 2015. Since the certification body vouches that the management system remains in place throughout the validity of the certificate, the only way for it to verify that the system really works is to send the certification auditor periodically to check how things are going. These are the surveillance visits – they have to be performed at least once a year, and in some cases they are performed twice a year.

Where they are performed once a year, and using the previous example of a certification audit in November 2012, the first surveillance visit would be in November 2013 and the second (and last) in November 2014. The certificate then expires in November 2015, so the recertification audit has to take place before that date if the company wants to remain certified.

The purpose of surveillance visits

So the main purpose of the surveillance visits is for the certification body to find out whether your management system really works in everyday operations, or not. It will focus on things that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all the measurements are made, whether all corrective and preventive actions are properly recorded and implemented, whether the top management really supports and cares about the system, etc.

A surveillance visit will also focus on issues that were identified as weak in the certification audit or previous surveillance visit – minor nonconformities, as well as areas where the auditor has made some observations.

The point is, during the surveillance visit the certification auditor will pay far less attention to the documents themselves, and far more attention to how the key processes are performed, how they are measured, and how they are improved – in other words, whether your system really works.

So don’t relax after your certification audit is over – the certification body is highly interested in finding out whether your management system is really functioning, and this is exactly what the surveillance visits will be focused on. And this is one more reason why you shouldn’t implement the standard only for the purpose of certification – the idea should be that the procedures and policies are really used in everyday operations.

See also the series of ISO 27001 and ISO 22301 video tutorials that will help you with your implementation.

 


Seven steps for implementing policies and procedures

By Dejan Kosutic on March 07, 2011

Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure? But you don’t want your document to end up like so many others – gathering dust in some forgotten drawer? Here are some thoughts that might help you…

The steps I’m about to present are based on my experience with various kinds of clients – large and small, government or private, for-profit or non-profit – and I find them applicable to all of them. In fact, these steps apply to any kind of policy or procedure, not only those related to ISO 27001 or BS 25999-2.

1 Study the requirements

First you have to study the various requirements very carefully – is there legislation that requires something to be put in writing? Or perhaps a contract with your client? Or some other high-level policy that already exists in your organization (perhaps a corporate standard)? And, of course, the requirements of ISO 27001 or BS 25999-2 if you want to comply with those standards.

2 Take into account the results of your risk assessment

Your risk assessment will determine which issues you have to address in your document, but also to which degree – for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.

This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles apply to other areas as well – quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to what extent a process is crucial for your quality management and accordingly decide whether or not to document it.

3 Optimize and align your document(s)

An important thing to consider is the total number of documents – are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don’t create a single 100-page document.)

Moreover, you have to be careful to align your document with other documents – the issues you are defining may already be partially defined in another document. In such a case it may not be necessary to write a new document; it may be enough to expand the existing one.

If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy, i.e. describing the same issue in both documents. Maintaining such documents later becomes a nightmare; it is much better for one document to reference the other without repeating the same content.

4 Structure your document

You also need to observe your corporate rules for formatting the document – you may already have a template with pre-defined fonts, headers, footers, etc.

If you have already implemented ISO 27001 or BS 25999-2 (or any other management standard), you’ll need to follow your procedure for document control – such a procedure defines not only the format of the document, but also the rules for its approval, distribution, etc.

5 Write your document

The rule of thumb is: the smaller the organization and the smaller the risks, the less complex your document should be. There is nothing more useless than writing a lengthy document no one is going to read – reading the document takes time, and the reader’s attention is inversely proportional to the number of lines in your document.

One good technique for overcoming other employees’ resistance to the document (no one likes change, especially if it means something like an obligation to change passwords regularly) is to involve them in writing or commenting on the document – this way they will understand why it is necessary.

6 Get your document approved

This step is rather self-evident, but its underlying importance is this – if you are not a high ranking manager in your company, you won’t have the power to enforce this document.

This is why someone in such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me – it is not. This step (and the next one) is where implementation most often fails.

7 Training and awareness of your employees

This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won’t welcome another one especially if it means more work for them.

Therefore, it is very important to explain to your employees why such a policy or procedure is necessary – why it is good not only for the company, but also for themselves.

Sometimes training will be necessary – it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.

End of story?

If you thought you’ve reached the end of your document-implementation story, you’re wrong – the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.

Someone has to make sure this document is kept up to date and improved, or else no one will observe it anymore – and that someone is usually the same person who wrote it. Not only that, someone has to measure whether the document has fulfilled its purpose – again, it may be you.

As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure – what is needed is a systematic approach to its implementation. And in doing so do not forget the most important fact: the document is not an end in itself – it is only a tool to enable your activities and processes to run smoothly. Don’t let the opposite happen – that such a document makes these activities and processes run with more difficulty.

You can also check out our video tutorial How to Write ISO 27001/ISO 22301 Document Control Procedure (commercially sold video).


Mandatory documented procedures required by ISO 27001

By Dejan Kosutic on May 04, 2010

If you have heard that ISO 27001 requires many procedures, this is not quite true. The standard (the 2005 edition, current at the time of writing) actually requires only four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. The term “documented” means that “the procedure is established, documented, implemented and maintained” (ISO/IEC 27001:2005, 4.3.1 Note 1).

Note: in this blog post I will not write about other mandatory documents like ISMS Scope, ISMS Policy, Risk Assessment Methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, etc. – here I focus on procedures only.

The procedure for the control of documents (document management procedure) should define who is responsible for approving documents and for reviewing them, how to identify the changes and revision status, how to distribute the documents, etc. In other words, this procedure should define how the organization’s bloodstream (the flow of documents) will function.

The procedure for internal audits must define responsibilities for planning and conducting audits, how audit results are reported, and how the records are maintained. This means that the main rules for conducting the audit must be set.

The procedure for corrective action should define how the nonconformity and its cause are identified, how the necessary actions are defined and implemented, what records are taken, and how the review of the actions is performed. The purpose of this procedure is to define how each corrective action should eliminate the cause of the nonconformity so that it wouldn’t occur again.

The procedure for preventive action is almost the same as the procedure for corrective action, the difference being that it aims at eliminating the cause of a potential nonconformity so that it doesn’t occur in the first place. Because of their similarities, these two procedures are usually merged into one.

But why is it that ISO 27001 requires documented procedures that are not related to information security, while security procedures are not mandatory?

The answer lies in risk assessment – ISO 27001 does require you to perform a risk assessment, and when that assessment identifies unacceptable risks, ISO 27001 requires you to implement controls from its Annex A that will reduce those risks. A control can be technical (for instance, anti-virus software to reduce the risk of malware infection), but it can also be organizational – implementing a policy or a procedure (for instance, a backup procedure). Therefore, security procedures become mandatory only when the risk assessment identifies unacceptable risks that call for them.

One important note though – unlike the four mandatory procedures, which must be documented, the procedures arising from controls in Annex A do not have to be documented. It is up to the organization to decide whether such a procedure needs to be documented.

You could consider the four mandatory procedures as the pillars of your management system (together with the security policy) – once they are firmly set in the ground, you can start building the walls of your house. This becomes obvious when you look at other management systems – the same four procedures are mandatory there, too: in ISO 9001 (quality management systems), ISO 14001 (environmental management systems), and BS 25999-2 (business continuity management systems). As a consequence, you can use these procedures as the main link between different management systems if you want to develop a so-called “integrated management system”.

You can also check out our video tutorial How to Write ISO 27001/ISO 22301 Document Control Procedure (commercially sold video).


Using ISO 9001 for implementing ISO 27001

By Dejan Kosutic on March 08, 2010

You have already implemented ISO 9001? You have heard that ISO 27001 might be a good idea? But how can something that has to do with quality help you implement information security?

It can, more than you may think. ISO 9001 specifies what a quality management system (QMS) must look like, while ISO/IEC 27001 specifies an information security management system (ISMS). The “management system” part is therefore the same – so what is it, actually?

The philosophy of management systems grew out of the theory developed by W. Edwards Deming in the second half of the 20th century, and is based on the Plan-Do-Check-Act cycle. Basically, the cycle consists of the following: in the Plan phase you plan what you want to achieve with the management system, in the Do phase you implement it, in the Check phase you continuously monitor whether you have achieved what you planned, and in the Act phase you make improvements, i.e. close the gap between what you planned and what you achieved.

Although this cycle was invented with quality management in mind, it was established as a foundation for all other management systems – information security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc. It means that some of the elements you have implemented for the quality management system according to ISO 9001 you can use for the information security management system as well – here is the list:

  • Document management – the procedure used for document management in QMS can be used for the same purpose in ISMS, with only minor adjustments
  • Internal audit – the same procedure can be used for both QMS and ISMS, although the internal audit itself would usually be done by different people since it is not very likely that one person would have deep enough knowledge of both information security and quality
  • Corrective and preventive actions – the procedure used for QMS can be used for the same purpose in ISMS, although it is likely that different persons will be solving issues related to QMS or ISMS
  • Human resources management – the same cycle of HR planning, training and evaluation is used for both management systems; naturally, the difference is in the profile of needed skills and knowledge
  • Management review – the principles for management review are the same for both management systems; although it would not be advisable to perform both reviews in parallel, management will already be accustomed to making decisions in the QMS, so they will have a better understanding of how to make decisions in the context of the ISMS
  • Setting the business goals and tracking whether they have been achieved – the same mechanism is laid down in both standards, so management will be used to such systematic planning

Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO 27001 (and vice versa) – you could save up to 30% of the time. Furthermore, certification audits will be cheaper, since certification bodies offer so-called “integrated audits”, meaning they audit both ISO 9001 and ISO 27001 in the same visit and charge a smaller fee than for separate audits.

If your QMS is functioning well, you will find your ISMS project developing rather smoothly – management will have better understanding of potential business benefits, while all organizational units will be accustomed to the necessity of defining precise procedures, responsibilities and documentation.

Having a QMS indeed provides a very good foundation for information security – if you already have ISO 9001, do give serious thought to ISO 27001.

You can also check out our free webinar ISO 27001 implementation: How to make it easier using ISO 9001.

BS 25999-2 Foundations Part 3: Business Continuity Planning