Sunday, 3 November 2013

Dimensions of auditing

I have been playing around with ISO/IEC 27001/2 and the Department of Health's Information Governance Toolkit (IGTK) over the last few days, and it's reminded me of something I noticed years ago. Basically, whatever standard you are being audited against, an auditor tends to ask the same sort of questions. The IGTK and 27001/2, despite their initially obvious differences (e.g. the emphasis on pseudonymisation in the IGTK, and the assumption that continuous improvement is normal in 27002), have these same questions at heart. So here goes.

If you are going to do anything (information security, quality, business continuity etc.), pick a topic in it (say password management) and ask yourself the following questions:

1) Is it happening?
2) Is it documented?
3) Does what's happening actually match documentation?
4) Does what you have documented meet requirements?
5) Is compliance between activities, documentation and requirements reviewed/monitored?
6) Are required changes/improvements identified and implemented as required?
7) Is someone formally responsible for all the items above?
8) Is the whole thing approved and supported by top management?
9) How can you prove that any items in the above list are true (assuming that they are)?

If you can get through the above - especially Question 9 - successfully, then you are in a pretty good position with regard to the questions an auditor may ask. Question 9 is the one that usually catches people out: it is not enough to know that something is happening, you need the evidence (records, logs, minutes, sign-offs) that an auditor can inspect for each of the other eight points.
