What should you tell all your staff just before the ISO27001 auditor comes on site?

Possibly nothing. If you are not concerned at all about what happens during the audit then you do not need any such communication. Also, if this is a surveillance audit you probably don't need to send out any such communications as the risk to the loss of the certificate should be quite low. Some sort of communication is much more common just before Stage 2 audits or recertification audits where there is a risk of not getting the certificate if there are too many findings. It comes down to how "defensive" you want to (or need to) be.

However, it is common for organisations to send out a communication to all staff a few days before the audit. This is for two main reasons:

- If the audit is on site you may need to remind the staff about such things as locking their screen before they leave their desk. Make no mistake - if you have an auditor on site they will be observing what goes on. If your auditor is not going on site but is doing a remote tour around the office using a live stream from a phone they will still be looking out for screens left unlocked when there is no one at the desk.

- The auditor may want to talk to some people to assess the overall level of awareness of information security topics in the organisation. It is possible that the auditor may select people for this at random by walking around the office. If this is done remotely then this is less likely but the auditor may still want to talk to some people using a video call.

What should you tell everyone?

This is of course likely to vary considerably but below is an example of such a communication. It is a bit long so you should try to shorten it based on what you think is important.

Note also that, if suitably reworded, the content of this kind could reasonably be included in annual information security training or in ongoing regular information security awareness campaigns.

----------------------------------------------------------------------------------------------------

Hi Everyone,

Next week some external people (auditors) will be on site and/or remote to check that we meet all the requirements of ISO27001 and it is important to us that this goes well. Not all staff/departments are in scope of this audit. If you receive this email, you are.

Please remember the following:

- Lock your screen when you leave your desk.

- Do not leave confidential documents on your desk overnight. They must be locked away.

- Put all confidential waste in the confidential waste bins.

- Do not leave any confidential documents on a printer.

- Do not leave your laptop out on a desk overnight. Take it with you or put it in a locked cabinet.

- Keep your pedestals and cupboards locked overnight.

- Make sure that all the doors in and out of the office/building are kept shut.

- Wear your ID badge at all times.

- Do not let anyone you don’t know “tailgate”/“follow” you when you come into the office.

- If you see someone walking around the office that you do not know please ask them who they are.

The auditor is likely to want to talk to some people and we cannot predict or necessarily control who they may want to talk to. It might be you. Someone from the information security team will be with you if this happens. You will not be left alone with the auditor. If an auditor tries to talk to you without one of us present please decline to talk to them.

The auditors are not allowed to “touch” anything. If you see them doing so please let us know immediately. They can only observe and talk (and walk and sit down…).

As preparation in case the auditor does want to talk to you please make sure that you are aware of the main principles of the information security training and main information security documentation – notably the Acceptable Use Policy. It is not expected that you should be able to remember all the detailed content but should be able to talk a bit about what it covers - for example about being careful about links in emails.

If the auditor talks to you they may want to ask some general questions relating to information security. Below are some possible questions and how you might answer them but please try to use your own words.

Have you heard of ISO27001 and do you know what it is?

“ISO27001 is a standard that states how an organisation should manage information security. We are doing it for several reasons but primarily because it helps us in many ways including clearly demonstrating to our clients that we take the confidentiality of their data seriously.”

Where are the company’s security policies? Please can you show me them?

“All security policies are available in SharePoint.” They can be accessed at www.btrp.co.uk (it is worthwhile keeping this link if you do not already have it). It is not expected that you know all the detail - just some of the principles of what they talk about.

Have you had any training in information security?

“Yes, I completed information security training when I first started and I do it again annually.”

How do you lock your screen?

macOS: Command + Control + Q

Windows: Windows key + L

When and why should I lock my screen?

“I lock my screen whenever I leave my computer unattended.”

“I lock it so that no unauthorized access can take place when my computer is unattended. This is important for me as I have people in my house/flat who have nothing to do with our company and I would not want them to see any confidential information I was working on.”

Do you have to handle confidential information?

This question is around how you would handle such information to ensure it remains confidential. A response could be that your team puts everything into a secure area on the system which restricts access to people who need to have access.

You could also say something like “Whilst at home I am careful to do what I can to ensure that other people in the house do not inadvertently see any confidential information.”

Can you give any examples of confidential information that you have access to?

The answer will depend on your role, but anything related to clients or personal information about anyone would be regarded as confidential.

Have you been given any specific guidance about working when travelling or from home from an information security perspective?

“Yes. We have been given guidance in the Acceptable Use Policy and in the separate policy about Remote and Mobile working.”

“It covers such things as not using the laptop on a crowded train and not connecting to the Wi-Fi in a coffee shop.”

Has the approach to the confidentiality of information changed because you are working from home more?

“Not really. We have always taken the confidentiality of information very seriously. Because we are not travelling as much or going to other offices as much that means I think that the confidentiality of paperwork and laptops is probably better than it was. There are other people in my house/flat who do not work for the company and I need to be careful to ensure that they do not have access to any company confidential information.”

If you are asked to share your password, what should you do?

“I would always refuse to share my password with anyone.”

If you receive a suspicious email asking you to do something, what should you do?

“I would not click on the link and would forward it onto security@[company].com.”

If you lost any information (e.g. company documents), how would you deal with this?

“I would send an email to security@[company].com”

If you are made aware of, or think there is a possibility that information in the company has been or could be made available to someone who should not have access what would you do?

“I would report it immediately to security@[company].com.”

Please let us know if you have any questions or you have any comments on this.

Stephen Middleton

Information Security Risk & Compliance Manager

2 years ago

We have our first recertification audit next week and I’ve just sent exactly this to all staff. Also sent a more detailed one to heads of department. Always good to keep people in the loop and just let them know the audit is taking place and they may be approached and asked questions.

Anders Malmqvist

Head of Network Delivery

2 years ago

Be yourself and act according to routines and processes, then you are safe!

Richard Regalado

I solve problems. BCMS. ISMS. ERM. etc.

2 years ago

Do not offer information, only answer what is being asked for.

Mike Sedgmond

Operations Manager at BSI

2 years ago

Very interesting, Chris, but as an external auditor I have never asked such formal black and white questions. I ask them about their work and how they do it. Questions that are pertinent to their role. We don't quote 27001 or use 'standard' speak. How they communicate with others, how security is part of their BAU. Questions may be formed following a discussion with senior management of what concerns or worries them. I don't prepare any of this so it becomes a discussion rather than a question paper. This is far more effective to understand the security culture of an organisation.

Per Gustavsson, PhD

Driving Cybersecurity Strategy, Compliance, & Innovation | CISO | PhD | Nordic Skiing Grit Enthusiast

2 years ago

You need to see to it that the relevant staff are available, starting with the CEO, and that they are not occupied in meetings etc. during the audit, since it will be quite a bad audit if no staff have the time to answer questions. But not more than that - the processes should be well known and used every day.


More articles by Chris Hall
