Even the best-organised Information Security Management Systems can suffer unfortunate non-conformances when certification auditors are on site.
Here are five of the trickiest ISO 27001:2013 controls – in my opinion:
Many organisations share a building or main entrance with 3rd party neighbours who they have little control over.
Providing this has been identified on the risk register, this usually isn’t a problem, with most auditors taking a realistic view of the situation.
However it’s what happens next that matters, once in the building, auditors could roam around, follow your staff or try to socially engineer a way in to the building. They may pick-up post from a hall way or look in to your glass offices and see information on screens.
It’s important to have a robust visitor procedure; ensuring 3rd parties are met as they arrive.
2 Screen Locks
Most companies adopt a policy requiring staff to lock their screens when leaving their workstations, which is a sensible approach.
Unfortunately this is a very easy control to audit by visually checking workstations, and a non-conformance could be picked up at any point during the audit.
While session timeouts mitigate the risk, evidence of training and awareness activity can save you from a major non-conformance.
3 Change Control
The requirements around change control in ISO 27001 are surprisingly vague, however organisations can trip themselves up by failing to meet their own change control procedures.
To avoid this, firstly consider carefully the definition of a ‘change’ in your organisation. You might consider that tasks, which already have a documented procedure or work instruction, fall outside the definition.
If you do implement a more detailed change management system, such as that in the ITIL Framework, ensure that it is applied consistently.
4 Asset Management
The asset management control can also throws up some easy non-conformances for an auditor, particularly with manual systems that require asset-tags to be collated to a spread sheet.
A regular spot check of assets can help to reduce errors, while on smaller estates it can pay to check all assets back to their ID and Owner prior to the certification audit.
5 Classification & Handling
Often the idea of classifying and labelling information is a new concept to staff, which is why any policy or procedure around this should be thought out carefully.
There can be resistance to going back through old documents and applying labels. In this case the storage, access and transfer of old documents should be considered. Perhaps an entire storage area (such as a filing cabinet) can be classified as “Confidential” while individual files are only marked when they are accessed or transferred to a 3rd party.
Classification can only truly be embedded through clear and regular awareness of the company’s policy.