It was following a demo of our online software for managing your ISMS, that I was subjected to an uncharacteristic rant by Mark Darby, our MD at Alliantist and founder of ISMS.online.
When I say uncharacteristic, I mean in terms of business. I’ve experienced similar rants about Liverpool F.C. but that’s for another time!
It all started with an innocent product demo to a group of unsuspecting individuals, starting out on their journey to ISO 27001:2013 accreditation. It was all a stroll in the park until we hit risk management, 6.1 of the standard, and our risk management tool.
Not that our risk management tool isn’t impressive. There were appreciative murmurs and excited comments on it’s simplicity and ease of use. But then there was silence.
A little prompt and the problem became clear. Our fine audience had been on an ISO 27001 familiarisation course, they’d bought an off-the-shelf toolkit and they’d demoed a couple of risk management software solutions. They believed risk management was all about managing assets.
It highlighted the sad fact that they were considering risk in terms of the 2005 version of the standard, which offered an asset based approach.
This could be attributed to the bias often received when looking for ISO 27001 assistance. Much of the expert advice given is on the premise of selling, arguably out-of-date, solutions for risk management which are not suited to modern, agile ways of working. It’s a bit like asking you to watch your film on a VHS player…doable but a bit cumbersome, not a great result and just a tad dated!
The simple fact is, ISO 27001:2013 takes a much more pragmatic and up-to-date approach. This is an information security standard requiring a top-down approach to all areas of information security within your business, including those that are not asset based.
Systems providing template asset based risks and automatic vulnerability checking are unlikely to give you a straight-forward view of how these relate to your own specific business. By giving your own proper consideration and evaluation to information security risk, you can treat it based on your unique criteria, not a boilerplate approach with little relevance.
I asked Mark to tone down his rant a little and highly recommend you take 4 minutes to watch his video.
Thankfully our demo audience got it. More than that, they absolutely appreciated the difference and saw how looking at risk in terms of business information reflected the way they ran their organisation.
It was a win:win, we got a happy new client and they got a unique and accredited system that manages ISO 27001, the 2013 way!
Everyone is happy. Accept Mark that is…but sorry Mark, there’s not much we can do about Liverpool!