Contracted to complete a final audit on a company that had dropped certification for six months but had a change of mind. The senior management team had realized that, when bidding for work, management system standards were key in master consultancy agreements and statements of work. The brief was to:
- Review their position to move forward with certification.
- Check that all documentation was current or required refining.
- Verify that employee awareness and responsibilities were understood.
- Visit the secure site and walk through the security system they had established, review internal audit, certification, and accreditation reports.
The client was a consultancy supplying security services to government and major financial institutions. It had previously held ISO 27001 for seven years. The security and compliance manager had left the organization under a cloud, and a new compliance manager had been appointed.
Day of the audit:
Opening meeting with the management team and their information security consultant to go through how the review would take place and how reporting would work. I agreed to give them an overview of my findings and allow 10 days for them to provide any extra evidence.
“…We have set aside a secure room and organized the interviews of all managers for tomorrow; they are travelling in from other parts of the country…” And so the audit began at 09:30 hrs.
Question 1 – “…could you provide me with either paper or electronic versions of the management system? You can walk me through it on the screen, or I can read it…”
Answer 1 – “I will just get it for you…”
“Would you like a coffee?” At this point the security consultant was talking about all the high-profile clients they had and how important security was in their work.
Twenty minutes and a lot of phone calls to the directors later, it became very apparent that the requested documentation was not on site; in fact, it was nowhere to be found.
Answer 2 – “We are trying to contact the previous security and compliance manager to understand which folder he kept them in. You must realise that some of our folders are very sensitive and security is high!”
Twenty minutes later, after more coffee and more phone calls, they had established that the previous manager was not available. Enter the Managing Director: “…I hope all is well, that we have been looking after you, and that we have what you are looking for…” The compliance team rushed him out.
The time is now 11:00 hrs., at which point I ask my second question:
“Do you have anything available for review: risk assessment, Statement of Applicability, previous audit findings, etc.…?”
Answer 3 – I am quietly informed: “…we appear to have lost everything; we suspect the previous security and compliance manager has walked off site with all of it…”
The time is now approaching 11:30 hrs. I decide to ask for the Managing Director, and we both agree to call it a day. He apologises profusely and assures me he will make sure all the paperwork is available at my next visit; we schedule the audit for two weeks’ time.
Lessons learnt:
- At least it was not with an accreditor or certification auditor.
- Far too many to mention.
The audit did go ahead some four weeks later; the new compliance manager had probably spent all of that time creating documents and trying to rebuild the security management system.
Just in case you’re interested: they later went on to regain ISO 27001 certification.