How to avoid disastrous assumptions with ISO 27001 Clause 9

Many professional learnings are only really useful in the business world. But there’s one principle that helps me in every part of my life, from getting the kids to school every morning to planning that dream post-Covid holiday. It’s this:

  • Assumption is the mother of all disasters

If you just make assumptions rather than actually checking things out, you won’t catch problems and issues when they’re still small and easy to fix. You’ll only spot them once they’re impossible to miss and probably disastrous.

Fortunately, there’s an easy solution. Don’t make assumptions. Replace them with practical, constructive, structured audits. That can seem boring and tedious, but it’s always essential.

Why oversight matters

In a previous role, one of our colleagues used his attention-to-detail powers to:

  • Helped his then client avoid major financial and reputational damage
  • Saved the lives of many blameless undersea creatures
  • Prevented a major international incident

He was auditing an undersea storage unit before its ocean-floor installation. He found out that a supplier had used the wrong kind of paint on it. The paint would decay quickly. Then the storage unit would decay quickly. Then it would break open.

The unit was designed to safely contain radioactive material for undersea measurement purposes.

You can imagine the rest.

Everyone assumed that checking the paint job was a waste of time. How could anyone possibly get something so basic so wrong? Our colleague was actually criticised for being too picky. But, once again, real life proved that assumption is the mother of all disasters.

Oversight in ISO 27001

Because auditing’s so important, ISO 27001 covers it in some detail. Clause 9 of ISO 27001 asks you to think through how you’ll:

  • Measure and set targets for your ISMS’ effectiveness (Clause 9.1)
  • Regularly audit it to make sure it’s hitting those targets (Clause 9.2)
  • Keep your senior management in the loop (Clause 9.3)

That gives you a very useful infosec oversight checklist, whether or not you’re compliant or certified. Though we do need to reach out to Clause 10.2 for a very important final detail:

  • Consider making improvements to your ISMS based on what you’ve found

Clause 9.1: Measuring and setting targets for your ISMS

An unexamined ISMS isn’t worth having. But to examine it properly, you need to know what you’re looking for, where you’re looking and who’s looking for it. Clause 9.1 asks you to plan:

  • Which parts of your ISMS you need to keep an eye on
  • How you’re going to monitor, measure, analyse and evaluate them
  • How often you’ll carry out all those checks
  • Who’s doing the checking
  • How they’ll report their findings

Make sure you document it all. Having a single set of clear practical guidelines will stop people from making assumptions. We know where they can lead…

Clause 9.2: Auditing your ISMS

Now you’re ready for your actual internal audit, as specified in Clause 9.2. This is where you check the paintwork and kick the tyres. Sucking through your teeth is also an option.

Basically, you’re checking that your ISMS:

  • Meets all the targets you’ve set for it
  • Is well run and properly maintained

Just one audit won’t do the job. You need to plan for regular audits. Each new audit needs to reference previous ones, so you know for sure that you’re picking up and responding to any issues. So each new audit needs to be clearly and consistently documented and reported.

You also need to make specific people responsible for each audit. They should have a clear scope for each audit. And crucially, they need to be objective. Choose auditors who will challenge your assumptions, not confirm them.

And each audit should be a positive, value-adding process. Ideally, auditors look for conformities and maybe work with the auditee to find potential improvements. Your auditor’s NOT looking for non-conformities. It just happens that sometimes they’ll spot them.

Clause 9.3: Keeping senior management in the loop

Assuming that senior management know how things are going is always a mistake. You need to make sure they understand, buy into and (where necessary) shape your ISMS. After all, as Clause 5 notes, they’re ultimately responsible for your ISMS.

So, Clause 9.3 asks you to carry out regular, planned management reviews. You’ll update senior management on how well your ISMS is protecting your organisation, covering:

  • Specific issues spotted and how you’ve fixed them
  • General performance against the targets you’ve set
  • Any comments or feedback from interested parties
  • What your auditors are telling you
  • Details of ongoing risk assessment and treatment
  • Improvements you’re planning to make or have made

You should also draw on their big-picture overview of your organisation. Make sure they share details of any internal or external issues that could affect the scope and workings of your ISMS. And of course you’ll catch them up on actions arising from previous reviews.

Oh, and there’s one big assumption to challenge. People usually assume that the management system review has to be done as a meeting. But where does it say that in Clause 9.2? Our hint: It doesn’t…

One last assumption we want to avoid

So that’s how Clause 9 of ISO 27001 helps you replace vague assumptions with practical, constructive, structured audits. Then you can follow Clause 10.2 and act on them.

Hopefully we’ve shown you how the process works and given you some useful tips to help you keep an eye on your own infosec measures.

But that sounds like exactly what we want to avoid: an assumption! So if this post has been useful or inspiring, let us know for sure.