In this new business era of virtual working, I have been asked how to maintain your ISO compliance with staff working from home and while it poses some problems, it’s certainly not difficult. The first thing to remember is that ISO 27001 defines the requirements for the Information Security Management System (ISMS). This ISMS has several defined activities to ensure the organisation remains compliant with these requirements. Some of these activities occur more often than others.
Less frequent ISO 27001 activities and additional risks
These depend on the type of organisation and how long ISO 27001 has been part of the fabric. The way things are done will then determine how frequently the Risk Committee meets. If the organisation is new to ISO 27001, the Risk Committee may meet monthly, although I have seen clients with weekly meetings. Regardless of the frequency, virtual meetings are an efficient way of ensuring the meetings go ahead.
For most organisations, the sudden dispersal of their staff to home locations introduced additional information security risks. These need to be identified, evaluated and managed as per any other risk in the Risk Treatment plan. Essentially, it is just more of the same but with some additional risks.
The frequency of the meeting should reflect the risks being managed and the timescales when actions are to be completed. Avoiding unnecessary meetings is a good general rule for all meetings.
Maintaining your ISO compliance
Now that the lockdown is being eased in the UK some organisations are considering opening up their offices while others are playing a wait-and-see game. Either way, working from home is likely to be more prevalent going forward for a number of reasons. With this being the case, do any of the existing policies and procedures need to be modified to take into account the long-term dispersal of the workforce? Would it be prudent to produce guidance specifically for staff working from home?
Continual improvement of policies and process
An important aspect of ISO 27001 is continuous improvement. Information Security Managers should always be looking to see how things could be done better. Reviewing existing policies and procedures due to a change in circumstances is part of this process as is producing specific guidance for new situations (such as working from home). Things never stay the same and organisations need to adapt to not only survive but flourish in the new environment.
There is one particular area of ISO 27001 compliance which can be challenging during the lockdown and that is the internal audit. Before the pandemic took hold in March, organisations would have had their internal audit schedule defined for the calendar year. The lockdown starting in March probably had a rather large impact on this schedule, as business priorities were to keep the business functioning (if possible).
Some internal audit functions can be done remotely and would be of value to the Information Security Manager. A policy review, given the change in circumstances, springs to mind but there are others. While ISO 27001 may seem very rigid to some people it does anticipate that changes are going to happen. For example – and it’s not the only one – section 8.1 includes the line “The organisation shall control planned changes and review the consequences of unintended changes…”
It is expected that organisations will modify their internal audit schedule to reflect changes to their operational environment. The aim of internal audit is to ensure that the organisation remains compliant with ISO 27001 requirements. They can also identify areas for improvement that is often a valuable service in its own right and another example of continuous improvement.
How to overcome internal audit difficulties
Difficulties with internal audits usually occur with reviewing section A.11 Physical and Environmental security. This can be done remotely and indeed I know several ISO 27001 surveillance audits by external audit teams have been done this way. They do however require someone to be on-site and walk around with a mobile camera. They are not going to be as methodical as a physically on-site audit, but they are the best that can be achieved given the change in circumstances.
Most of the internal audit activities can be done remotely providing the auditor(s) have access to the required people. This can be tricky as the Covid-19 pandemic provides possibly legitimate excuses to people who would rather be doing something else than assisting with an internal audit. Compromises will be required from everyone with one or two escalations to top management.
Management review and the scope statement
A Management Review is something most organisations do yearly. If the review was scheduled to occur in April, May or June, a delay would be understandable given the circumstances of the pandemic, but it will still need to happen as soon as possible.
The Management Review provides an important channel for top management to review how the information security management system is performing. This is an evaluation of the whole ISMS that includes roles, committees, policies and procedures; and is different from a security review. Basically, it is asking if the current approach to information security management is suitable, adequate, and effective for the organisation.
Depending on how the organisation intends to continue with a dispersed workforce they may want to consider their ISO 27001-scope statement. If the new way of working is to continue the homeworking for most staff, then it may need a revision. It is just one of those things that should be considered when circumstances change but are often overlooked.
While the pandemic has forced changes on how or where people work, there is no viable reason as to why organisations should not keep meeting their ISO 27001 requirements. Documentation (meeting minutes, audit reports, incident logs, etc.) are vital in this respect as it provides documentary evidence that the organisation is doing all the ISO 27001 aligned activities that it should be doing. And many of these activities can be done just as easily from your home as in the office.
ISO 27001 Remote Support
During this Pandemic, Risk Crew has helped many clients with ISO 27001 implementation and support. And I have had the first-hand experience of successfully working with clients remotely. If you have any questions on how to achieve ISO 27001 compliance or certification remotely, please feel free to give us a call, email or chat on the website.