| Waiting in the Wings

All views expressed on this site are my own and do not represent the opinions of any entity whatsoever with which I have been, am now or will be affiliated.

Consultancy engagement to correct and educate after initial mistakes on an ISO 27001 security project, followed by hand-holding while the certification auditor is on site.

  • Review the previous work conducted by a consultant.
  • Make corrections to the scope and the documentation.
  • Educate members of staff on the requirements of ISO 27001.
  • Carry out internal audits on the work the security team had conducted at project milestones.

Client: a private bank that needs to reassure its regulators that security is in place and that it is working under best practice.

Day of the audit:
Opening meeting with the certification auditor to discuss the schedule and reporting over the five days they are on site. A visit to the disaster recovery site is planned for day three.

Days one to three all go very well, with the departments and control owners able to address all the auditor’s questions and concerns.

The evening of day three, the auditor and I decide to catch up on progress over a bite to eat. From the office we are using we can see a fish restaurant / market and decide to walk over. Once inside we are asked to choose the fish and shellfish we would like, and how we want it cooked. The food arrives and is very fresh and tasty. As we are splitting the cost, we ask for the bill.

Oh my! The cost is about five to six times more than we expect. Luckily for us, one of the Bank’s managers is eating there with his daughter; we ask him to check the bill, and he says yes, it is correct. His comment was “…you did check today’s market prices…? fish is expensive here, it is why we do not bring visitors to the Bank here…”

We pay and leave the restaurant, wondering how we can justify and claim back our portion of the bill from our travel and subsistence allowances.

Day four of the audit progresses with no issues; all is going well and we have only the final day to get through. The security team and the Security Director are in a positive mood.

Day five, the final day. The morning goes well and we go for lunch, with one last interview still to take place, that of the CEO, leaving 14:00 to 15:00 as write-up time for the auditor before a presentation of findings to around 30 managers and employees in the Bank’s auditorium.

We arrive at the CEO’s office, are escorted in, and complete the formalities. The following is a snippet of what happens.

Auditor – “…As you are aware, I am here to discuss your certification to ISO 27001 information Security and would like to discuss your view on Senior Management responsibilities…”

CEO – He looks over to his Security Director “…Do we do security…?”

At this point, the Security Director’s shoulders drop and his jaw hits the floor. Security Director – “…Yes, this is the final stage of our six-month programme…”

CEO – “…I cannot remember agreeing to this…”

At which point the certification auditor and I are escorted out of the office and into a waiting room. The door closes behind us and for twenty minutes we wait for someone to return. The door opens and the Security and Finance teams go into damage limitation mode.

Luckily for them, the auditor has already concluded that they would recommend the Bank for certification. Their final statement to the Security team was “…These things happen, it was almost as if he was waiting in the wings, to say that…”

We push forward with the arranged closing meeting and leave.

Outcome Good Points:

  • All departments and processes in place and a solid approach to asset and risk management.

Outcome Bad Points:

  • Education and awareness could have been better, and the training did not appear to cover all levels of responsibility. This also goes for the location and environment you may be in.

Overall
I have considered what may have caused the problems:

  • Always make sure that those at the top of the tree know and understand what is going on.

Just in case you’re interested
The Bank has continued with the same consultants and certification auditor for the last ten years.