The year is 2025. Over 465 exabytes of new data is generated each day. The global cybersecurity market is worth $241 billion. Your managed services provider is still using a process document dated March 2019, and you’re starting to regret not having gone with that ISO 27001 certified provider.
Hell, at this point you’re starting to think even an in-house ISMS (Information Security Management System) implementation would have been a better option.
But I’m getting ahead of myself; let’s return to the present. Is ISO 27001 all it’s cracked up to be? Whatever your stance on ISO, it’s undeniable that many companies see ISO 27001 as a badge of prestige, and using ISO 27001 to implement (and potentially certify) your ISMS may well be a good business decision for you.
In this article, we’ll take a look at the foremost standard for information security management – ISO 27001:2013, and investigate some best practices for implementing and auditing your own ISMS.
ISO means standards. A standard is just a set of requirements, decided by experts, for doing something specific.
A lot of standards exist under the banner of ISO, for all sorts of things, from quality management, to environmental and social responsibility guidelines, to how to design medical devices.
They’re useful because they help you to write good processes: how to structure, organize, implement, and improve on them.
At the heart of ISO is the principle of systematizing your approach to process management in your company – simple as that! You might be scared of ISO, but there’s really no need to be intimidated. What’s more, recent changes have made it easier than ever to get started with ISO standards.
In this Process Street article, we’ll look at everything ISO, including (but not limited to):
What’s the worst that could happen? Risk management is one of the first things you should be thinking about when planning for pretty much anything in your business.
The truth is, risk is inescapable; the success of your business is not determined by your ability to avoid risk, but rather by your ability to accept, plan for, and take advantage of the varying outcomes risk might present to you.
It might sound negative, but risk management is actually more optimistic than it seems.
The key takeaway is that successful risk management strategies are proactive, as opposed to reactive.
By thinking ahead, you can prepare for and prevent risks before they even have a chance to arise.
In this article, we’ll take a look at how you can use Process Street to streamline and automate your risk management approach, including:
That’s another way of saying someone takes a look at what you’re doing, gathers some evidence, and compares that evidence to what you’re supposed to be doing (in other words, a set of clearly documented requirements).
In the case of ISO, these requirements are known as standards. ISO 9001 is a standard. ISO 14001 is a standard.
Importantly, this understanding of audit implies that there are a few main things being considered by the auditor:
What’s documented by the company (e.g. internal processes, policies, and SOPs)
Evidence gathered to support how these policies, procedures, and SOPs are implemented in practice
The requirements defined by the ISO standard being audited against (e.g. ISO 9001)
Audits performed by companies to assess and analyze their own management systems are known as internal audits. Many resources for guiding companies on how to perform internal audits exist, and foremost of these is the ISO 19011 standard.
For most management system standards, internal audits are an important requirement. Even guideline standards like ISO 26000 for social responsibility depend on reports to evidence the success of their implementations.
As such, ISO 19011 defines a set of guidelines: a framework for companies to plan, implement, and improve upon their audit programs for auditing the implementation of management systems.
These standards often share a common structure, including certain requirements, terms, and definitions. That means ISO 19011 can be used to devise highly economical audit programs, wherein knowledge and processes can be shared and applied across various management systems.
By considering how they might take a broader approach to management system auditing and integration, companies implementing ISO management systems stand to save time, money, and confusion when preparing for and implementing internal audits.
The goal of this post is to provide a springboard for understanding ISO 19011 and how to get started with internal ISO auditing. In this post, I’ll cover:
What is ISO 19011
7 principles of ISO auditing
Different types of ISO audit
Key elements of an ISO audit
8 free ISO audit templates
If you just want the free ISO audit templates, then here they are: