Make it happen! A common term among auditors is “management commitment”: are you doing this for the badge, or to genuinely have a system up, running and working for the improvement of your company? A good auditor can smell commitment a long way off. You may not enjoy the audit experience, but they are there to help you.
You should ensure everyone is aware of the Information Security Management System (ISMS) and of how it affects the way they work. Specific attention should be paid to those closely involved before they are given access to classified information. There is a section in the guidelines stating that employees are “motivated” to fulfil ISMS requirements; how you would ensure this is a personal choice, and it seems an odd statement to us.
Ensure staff have the appropriate skills and qualifications, and that they are made aware of any changes to the ISMS and how those changes affect their modus operandi.
Open an anonymous channel to receive any “whistle blowing”; yes, this is a new one in the latest standard.
Information Security Awareness, Education and Training
All employees and contractors should be provided with awareness and training appropriate to their roles. An awareness programme should be established, maintained and applied to new recruits before they use classified information. The programme should be updated to reflect new threats or areas of weakness identified by the information security operation.