+44 (0)7492 061234

Pontefract, West Yorkshire WF9


Experienced in all domains of information security

Main qualifications

In addition to a wealth of experience, both as part of a team and as the leader of teams, I have also attained good qualifications in technical networking and computing areas, as well as outstanding information security certification.


Both have served me in years past to ensure my organisations have benefitted from a more secure posture in terms of cyber / information security and privacy.


Qualifications...



Working towards:


    • ISACA CRISC (Certified in Risk and Information Systems Control) – course completed
    • Lead Auditor ISO/IEC27001:2022, ISO/IEC27002:2022
    • NIST Lead Implementer Certification

ISO27001 Information security standard

I was responsible for running a programme of ISO27001 certifications for six separate companies. The result was first-time certification for all six independently, after ten months' effort and a lot of persuasion.

I have 14 years of experience as an ISMS implementer and manager, liaising with top management to maximise the effectiveness of the information security management system, to ensure that certification is a whole business activity, and not one that's handled by the security team. Gaining certifications (at the first attempt, on time and to budget) for six subsidiary companies gave me the opportunity to train others and to locally certify them as ISMS Managers.

Managing the ISMS to its full effectiveness has given the opportunity to create various policy and process areas that correspond with information security domains shown throughout this site, such as risk management.


Risk management is a very difficult area in terms of complexity for any organisation, but is a very important part of the standard and its controls; this is what sets the benchmark and rules for risk management throughout your organisation.


The approach of ISO 27001 is best practice that opens up information security to the whole business (or those areas in scope). This takes it out of the old adage "it's the duty of the security team", and allows operational business areas to manage the security of their people, processes and technology.


It sets out a standard framework for your business to establish, implement, operate, monitor, review, maintain and continually improve an ISMS. I've been doing this for some years, and have clarified many sticking-points in implementations of the standard.