Thoughts Of A New Internal Auditor
A cold and windy morning in March, and ahead of us stood three days of BSI inspection. The day started with the introduction to the entire company of Ian Shorten from IT Governance and Chris Mead from BSI (from now on known as The Auditor!).
Our CEO Neil was his usual exuberant self, introducing Ian and The Auditor and stealing our information security officer’s (ISO) thunder. The Auditor started by explaining that he would be checking the actuality of our controls by sampling them and checking staff awareness. For those not up on ISO 27001:2013, controls are defined in the standard, and as a company we decide which (if any) to implement.
"A.8.2.1 Classification of information - Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification."
The company has identified all of our assets and performed a risk assessment against each of them. This allows us to identify the controls that can help reduce (treat) the risk. We then produce procedures that implement these controls, e.g. the information labelling policy.
Still with me? The Auditor then goes through each area of control, for instance 'Asset management and information classification', and examines our policies to see if they meet the requirements of the standard and the applied controls. Now when I say examine, I really mean challenge. The Auditor would ask, "How did you arrive at that?" or "I didn't see mention of..."
Our information security officer was in the hot seat for most of the three days; I only got a minor grilling during the software development section. By half past three on the third day The Auditor informed us he was recommending that we be issued with a certificate. I met Neil in the corridor, beaming because the inspection had found zero non-conformities!
The three-day inspection has been a different challenge for me, but very interesting, as I have seen more of this great company than I have before. I look forward to auditing all my colleagues this year and maintaining the standard set out by the ISO certification.
Duncan Parsons | Software Development Team Leader & ISMS Lead Auditor