By All Standards

How ISO 27001 Can Help You Win Trust Fast!

Auva Certification Episode 19



Summary

In this conversation, Ian Shorten, an independent information security consultant, discusses the fundamentals of ISO 27001, a standard for managing information security. He explains its importance in today's interconnected world, the core concepts of the standard, and the journey organisations face during implementation. Ian emphasises the need for a culture of security awareness across all levels of an organisation and provides practical tips for successfully implementing ISO 27001.


Takeaways

ISO 27001 is a management system for information security.

It's not just for IT companies; all organisations need it.

Understanding information as an asset is crucial.

Confidentiality, integrity, and availability are key attributes of information security.

Creating a culture of security awareness is vital for all employees.

The implementation journey can take from three months to several years.

Risk management doesn't have to be overly complicated.

Regular maintenance of the ISMS is essential for effectiveness.

Most problems in security are caused by human error, not technology.

Get a grip on your information assets early in the process.



Chapters

00:00 Introduction to ISO 27001 and Information Security

02:55 Understanding Information Security Management Systems

05:35 The Importance of ISO 27001 in Today's World

08:09 Core Concepts of ISO 27001

10:39 Identifying and Managing Risks in Information Security

13:11 The Role of Controls in ISO 27001

15:51 Flexibility and Adaptability of ISO 27001

18:33 Implementation Journey for ISO 27001

21:49 Implementation Timeline for ISO 27001

23:24 Understanding Existing Controls and Technology

25:15 Common Pitfalls in Information Security Management

28:57 Scalability of ISO 27001 for Small Businesses

31:01 Creating a Culture of Security Awareness

33:45 Maintaining ISO 27001 Compliance

36:52 Top Tips for Starting ISO 27001 Journey


Key Links

Auva Website: www.auva.com

Apple Podcast:  https://podcasts.apple.com/gb/podcast/by-all-standards/id1771677594

Spotify: https://open.spotify.com/show/79OUNj3vY9dmESR3okwHJa?si=871837f56dc149b6

YouTube: https://www.youtube.com/@auvacertification/podcasts

LinkedIn: https://www.linkedin.com/company/auva-certification-ltd

Instagram: @auvacert

Michael Venner:  https://www.linkedin.com/in/michaelvenner-isocertificationexpert/ 

Ian Shorten: https://www.linkedin.com/in/ian-shorten-8a100012/

Ian Shorten: ian@ianshorten.co.uk 



Think ISO 27001 is just an IT thing? Think again. In this episode, we break down the fundamentals of ISO 27001, the global standard for information security, and explain why it's essential for every business in 2025. You'll learn what ISO 27001 is really about, the biggest mistakes companies make, why it's not just about technology, how to build trust with clients and regulators, and how to get started with limited resources. If you're a leader, founder, IT manager, or just want to protect your business from costly data loss, this one's for you.

So Ian, thanks for joining us. If you want to just give a little introduction to yourself.

So yeah, my name is Ian Shorten. I'm an independent information security consultant, sometimes quality management systems consultant as well. I started out about 20 years ago doing some internal auditing and some quality management type roles. And then I moved to a certification body where I was a full-time auditor. And then I jumped the fence to become a consultant as well. So I've been helping organisations implement their management systems, but also doing audits and that. And for the past few years, I've been doing that for myself as a brain-for-rent expert trainer, auditor, consultant and so on. So that's pretty much what I do now.

Yeah, because I know we've obviously rented your brain quite a bit recently to get our accreditation. So that'll be an ongoing relationship.

Yeah.

So today we're going to talk about ISO 27001, kind of the fundamentals of it really, not going too deep, just to make people aware of what it is, because it is a growing standard, isn't it? It's very prolific at the moment.

It's becoming more popular as well, I think. So it'll be interesting to see where it ends up.

Yeah. I mean, the standard has been around for a few years, hasn't it? But it's obviously just gone through a transition.

As an ISO standard, it started in 2005, but prior to that, it grew out of being a UK national standard.
So it was a British standard before that. And yeah, it's grown up alongside the evolution of information as a key asset and information security being a concern. Yeah, it's been around a fair while.

Hmm, but now, I think with all the emerging technologies, it's now gaining credibility, isn't it? Credibility is probably the wrong word.

And the transparency of the kind of things that go wrong as well.

I think it's always on the news, isn't it?

Yeah, at the moment.

OK, so for those new to ISO 27001, how do you explain what it is and what is it for?

For the completely uninitiated, it's a management system standard. And that means it's about the organisational arrangements for managing a thing, a discipline, we might call it. So it's about the organisational structure and processes around managing the security of information. And we'll probably go into a bit of what that means exactly. But yeah, it's about having what I like to think of as a framework or a skeleton of structure around organising activities associated with a particular thing. This thing is about information management and its safety and security.

Okay, yeah, because I think some people wrongly assume it's just for IT companies, isn't it?

And to be fair, probably because it's information management and everybody relies on their IT, IT is going to be involved a lot in the activities of an information security management system, but not entirely. It's about the organisation itself, the people, the hierarchies, the structures, the arrangements and all of that kind of thing.

Okay, so what kind of data or information are we really trying to protect when we say information security?

Well, everybody, all organisations, I think, whether they're private companies or public sector, they all rely on information, I think, to operate a business. I can't think of any kind of industry or business that doesn't rely on information, because you need to know things.
But I suppose most people think of the information that they need and that they're managing about people. Privacy has been a big story over the last, almost 10 years, I suppose, of worrying about people's data security or privacy. So there's that, and that's part of it, because 27001 is about privacy and cybersecurity and information security. Other information that organisations need, the kind of things that you need to operate a business, to take decisions. Perhaps it could be intellectual property, but it could be anything really, it could be any kind of information. The difficult question is really, well, what is information?

Yeah, and that is a kind of philosophical level of question.

But often people think that that's data, if you like. And it can be that, and then that's information in an electronic format or numerical format, it's called data, but it's also any other kind of information, the things that you can know and learn and understand and communicate with and about, that's all information.

So it's not just the document, it's the stuff that you're holding in your head, okay.

Things in your head, yeah. Your knowledge is information, right?

Interesting, yeah, that is a more philosophical one, I think, isn't it? But yeah, it's interesting. How do you protect that?

Yeah. Yeah. And also I think that there's an understanding that there are laws around that kind of thing as well, not just privacy, but intellectual property as well, as another thing, which is about information and knowledge and protecting that. Some organisations think about it in the sense of, well, I've seen some shoe company that's been around for 150 years just went out of business because they were breached in some kind of criminal hack. But also, I don't want somebody else in some other part of the world to steal my designs and make something that I'm trying to do more cheaply or, you know, that kind of thing as well.
So there's protection on all kinds of levels and we need to think about those things.

So I see a lot of organisations now have Cyber Essentials or Cyber Essentials Plus. How's that different to ISO 27001 then? What's the difference? Why would you maybe go for both, or one or the other?

You can go for both. Cyber Essentials and Cyber Essentials Plus is a UK government scheme. And it's just basic cyber hygiene things that you should do, and they're sensible things to do, of course. And it's a scheme for which you can have a recognition that you've done those things, but it's based on completing a form-type self-assessment, or if it's the Plus version, it includes some kind of external penetration testing of your network. So yeah, it's an easier, perhaps a first-step kind of thing to do. And the government and government agencies sometimes ask for Cyber Essentials as a minimum to be involved in doing business with them, certainly at the technical level, if there's any kind of interconnection going on. But it has no certification scheme as such, which would have an auditor come and provide assurance by checking that the management system is in place. It's not even a management system scheme, Cyber Essentials. Whereas ISO 27001 would put that framework around it that I talked about and incorporate that into a structured and assurable way of doing things.

So ISO 27001 is a bit broader as well, isn't it? So Cyber Essentials focuses on your IT controls, cyber controls, but ISO 27001, like you say, is broader: what's in your head and visitors entering your premises, you know, it's kind of a broader standard, isn't it?

Much more considered, it is. Whereas Cyber Essentials is where you've got to do, you've got to have your access management and you've got to have network security, you've got to do password management, those kind of things. And it doesn't consider how much and why and to what extent and for what systems.
And so it's very much a list of things to do rather than considering what you need to do and planning how you achieve your objectives.

Why is ISO 27001 becoming more critical now than ever?

I think primarily the reason is that organisations are so interdependent, and then people think about their supply chain or the other organisations that they partner with and those with whom they share information or rely on the provision of information or information management services, like the Internet of Service, everything as a service nowadays. The cloud, it's sometimes called. And so people are concerned about what other people are doing when they're connected or when they have access or they have custody of their information, and look for some kind of assurance about how do I know that they're safe? Am I safe putting my... It's like your money in your bank, you know, is it a safe bank? It's the same kind of thing, but it's information. You know, I'm giving it to another company, are they safe with it? And having an ISO 27001 system in place, and certification of that system by an independent who can check it. Yeah, I think that's the primary driver at the moment. But also there's an element of the necessity of it when you see, as I said, people going out of business is on the news every day, or some organisation has been hacked and flights have been cancelled and people are losing their jobs because of some kid on the internet or some criminal gang who's doing something somewhere else to try and extort money. The level of consciousness about that kind of thing has risen, I think. So that's another reason why sensible organisations are going to think about what can I actually do to protect myself.

Yeah, I don't want to be on the news or in prison, because obviously there's legal implications now as well.

Yeah, definitely.

Yeah, you know something. Yeah, exactly. Okay, cool.
So can you walk us through the main concepts of ISO 27001, the main elements that people need to be aware of?

So, a management system. I'll start with just a basic management system, which begins with understanding the organisation and what it needs to be and what it needs to achieve. So, what we call a context, and understanding issues that need to be thought about, things that need to be addressed, and who are the stakeholders and what do they want, what do they need. And an understanding of the organisation, which leads to a determination of what do we need a management system for and where do we need it to fit? And what are the potential things that we need to plug into that? And then the decision to define a management system and to set an overall strategy for that through a high-level policy, assign responsibilities for people to do things and to lead it. And then go ahead and plan what needs to happen. So the planning part comes from understanding the order of things which plug into the management system. And then it's about completing the plan and operating that and monitoring its performance and trying to improve that, and also fixing when anything goes wrong, in a plan-do-check-act kind of way.

The thing about the information security management system that is specific to that general idea which I just presented is that at the heart of that, in the planning and operation of it, is the idea of information security risk management. And so understanding what our information is, what are the potential harms that can befall it, and what do we need to do to try and prevent them, detect them and react to them if they happen? That is the core element of an information security management system. And alongside that, ISO 27001 has a big list of controls in it. And perhaps I should explain what a control is. In ISO terminology, it's a measure that modifies risk.
That means it's something that you do to change the risk, typically to reduce the level of risk, to try and make it lower, less likely to happen, or if it does happen, it's less impactful. So having some controls in there, and there's a list of controls in ISO 27001. So you have these controls to try and reduce the level of risk, not to eliminate them, not to wipe them out completely, but to reduce them to something which is acceptable, and importantly known, I think, is the thing. It's actually about identifying, yeah, we do know there's a risk. We're doing something about that and we know what we're doing. We know that it's working.

Got you. So how would someone identify the risks? That's probably a bit of a broader term, I guess, but if I'm starting off, what do I do?

What do you do? Well, I think the first thing is, as part of the implementation of a management system, you need to understand what's going to be the method for doing those things. For identifying and analysing and evaluating and treating risks, you need to think about how do we do that? And the question you asked, the answer is, as far as ISO 27001 is concerned, there's not a fixed answer to that. You do whatever is appropriate to achieve what you need to achieve. It's kind of a rubbish answer, but it's the right answer to say there are lots of models out there. There's no fixed way to do it. You can do whichever you like or you prefer or whichever works best for you. I would recommend that one of the first things you need to do is understand what information exactly. And we talk about the information as being an asset, that's something of value. Well, what is it though? How do you put your finger on it? How do you say, this is the information? Is it personal data? Is it that customer relationship management system database? Is it this software library, or what is the information in particular? So having an understanding of your information assets.
So then you can understand, well, what harm would befall me or the company if I were to lose that, lose its availability, or if somebody else were able to steal it or modify it in some way, or it disappeared suddenly for some technological reason that I don't get. So understanding all those things, and that's the kind of identification of risk, is to say, if there was a threat, if there was some kind of power cut or a lightning strike or a hack or whatever it would be. And that's the identification of a risk. ISO 27001 says you need to identify your risks to information assets and then find out about them, to analyse the extent of them and the likelihood of their occurrence, and figure out if they are acceptable to you, because the risks might be okay. And then if they're not okay, try to make them acceptable. We'll do something else about it.

So it's not just, I think you said in there, it's not just information being stolen, it can also be information being lost. Is that right?

Oh, okay. That's interesting.

In the information security world, there's this kind of Holy Trinity, a triad of attributes of information, which are key to understanding information security. And those are confidentiality, integrity, and availability, the CIA, or the ICA if you want to do it in a different order or something like that. But yeah. Confidentiality is that feature of keeping your secret secret, you know, that you don't allow unauthorised access to your sensitive or valuable information. Availability is about it being actually usable, so you can use it when you need it. It's accessible. When you need to look at that database or you need to call that file from somewhere, then you actually can do that. So you can carry on doing your business. It's that important thing. And the other part, the I for integrity, means the accuracy and completeness of the information.
You perhaps know when you see a printout or something and half of a sentence is missing, it's been truncated, or you try and print something out. Listen to me, old fashioned, printing things out still. But you know what I mean. When it all gets, you get like some sort of strange alien language. You can't read it. That's no good. It's broken information. That's the other attribute. Information is great, you've protected it, but you actually still have to have the accurate and complete information.

Interesting, okay, I wasn't aware of that. Yeah, that does open it up a lot more, doesn't it? Because I know the days are quite high for an ISMS audit, and I kind of, I went on one years and years and years ago, but I need to go on another one just to observe, to appreciate a little bit more that actually this is quite a broad standard that covers many facets.

Indeed. ISO 27001 seems so small when you look at it. It's quite compact. There's not really a great deal of it, but there's a lot to it in understanding how it's applied.

Yeah, okay. So you mentioned the controls, which I know are in Annex A, I believe, at the back of the standard. Do companies need to implement all of them or just what's appropriate, applicable or what they want? Do they get a choice in that?

You do get a choice. It's not like a list, it's not like the Cyber Essentials thing we talked about: here's a list of things that you need to do. Because the use of the controls, or any controls, is on the basis of I am already doing that for part of my risk treatment or I intend to do it as part of my risk treatment. So you only really need them if there is an appropriate risk that needs to be modified in your ISMS model. Now there's a few things to say about that. One is that it does actually require in the standard, when you go through risk treatment, that you look at the list in Annex A and make sure you haven't missed out anything which is necessary.

Okay.
But it is also true to say that there are some controls which just can't be appropriate for some organisations because you don't have those kinds of risks. So some of them are specific to a kind of technological issue or a function that an organisation might have, and they're just not ever going to have that risk. So you don't have to have that control. So you are allowed to say, yeah, that one doesn't apply to me. I haven't got any appropriate risks to it. But typically there'll be a fair percentage of them, at least 90% of them, I guess, that could be applicable to almost any organisation. The other thing to say is you actually don't have to use the controls in Annex A as the basis for your risk treatment. You could use some other control set, and there are many about, depending on industry and your country of origin and where your customers are. There are other control sets which might need to be used, and that's fine. You can use those instead. You still have to do that comparison with Annex A, but your selection of controls could be from some other scheme, like, what's the one with the credit card payment things? Payment Card Industry Data Security Standard, they've got a set of controls. And sometimes organisations have customers in America, so Americans like their national, what is it, NIST?

Yes, and they've got SOC 2 and things, haven't they?

Yeah.

Okay, that's interesting.

You can use all of those schemes and fit them all into ISO 27001, and they all fit within that framework, that skeleton of structure for an organisation.

Yeah. I know they've got a framework for the ideal controls for access. I can't remember what they call it. It's like a checklist, I suppose it is, in how to control the system to make sure it's, or to prevent hacking and things like that. So I guess that is along those lines, that we could say, if we were implementing ISO 27001, these are Google's Workspace recommendations.
We've adopted them as part of our controls.

Yeah, okay, that's interesting.

So there's flexibility, a lot of flexibility in the system. And if, for example, a company has an ISMS, an information security management system, in place and perhaps ISO 27001 certification, and wins some new business from a customer in, I don't know, the pharmaceutical industry or in the USA or something, and that customer needs a particular set of controls or a particular bit of assurance, it could be fairly straightforward to say no problem, we'll do the comparison of those with what we've already got and we can incorporate that into our ISMS. It's pretty straightforward to do, probably with very little extra effort in terms of changing controls or anything like that. So hopefully it has that kind of broad coverage.

Yeah, gotcha. Okay. So what does the typical journey to implementation look like? How does an organisation, it's probably a bit of a how-long's-a-piece-of-string question, but where do they start? How do they roll it out? How long does it take, roughly?

How long does it take? At a bare minimum, at a sprint, three months to get everything in place if it's not too terrible. Six to nine months is much more typical, and potentially as long as you like for very large organisations with multiple locations and more complex. It could be that you count it in years rather than months. Typically we start with a project and assignment of responsibilities within that project, with half an eye pointing at who's going to be doing this after the project ends. So it involves people in the project who are also likely to be involved in managing the management system itself and its functions. Okay, the journey. Yeah, the good thing is that most organisations are already doing a fair chunk, if not most, of what's needed for ISO 27001, but perhaps not in a way which is systematically understood as part of a wider structured approach. And so in terms of changing direction and adding more technology and...
implementing more controls, that's not too painful for most organisations, because they will find that those things were already being done, and perhaps through their supplier, like Google or Microsoft or Apple or something, already doing those things for them. It's just about knowing and understanding, yes, there is a risk here, but okay, here's how it's being addressed by my supplier, Apple or Google or whoever. And so, having that system and the linkages to show how information is being protected is not so bad.

Are you heavily reliant on the IT department or outsourced IT to help you with the implementation, or is it a bit broader than that? Obviously IT is going to be a big part of it, I understand.

Yeah, it's a fair chunk of it because of the technological aspects of it. Most organisations, I'd say most, a fair percentage of organisations have a low understanding and low reliance on technology. They use them just as an information machine, or you've got a laptop or a desktop or something that's connected to the internet, and that's about as much as you know about it: you know how to send an email or write a letter or access a cloud system on the internet. Does it need IT to do those kinds of things? I think probably not. When it comes to the technological side of systems and networks and doing vulnerability updates and patches and things like that, well, yes, that's the IT and network security teams who would do that kind of thing. But no, it's not too IT heavy. If there is an IT department, and some people still do have their own IT department, if there is one, then yes, they will be involved. The organisation is the big part of it, the management system framework. You need sort of the leadership team management, same as you ordinarily would in a, I say normal, ISO 9001 system, for example. It's fair to say that ISO 9001 is normal; it's the oldest, I think, of the standards and probably the grandfather of them all.
You still need those leadership and people being in charge of the things that happen in their department and controlling that.

So where do most organisations get stuck or go wrong? Is there a thing that everyone trips up on? Common.

Yes, it's so hard to pick. I think the most complex part will be the information security risk management. For those who haven't done risk management at all before, or perhaps information security specific risks, it probably needs a bit of training or understanding or knowledge or use of an expert advisor. Where people go wrong, I think, is more likely in the performance evaluation part of it. What I think is a nice thing about ISO standards is that it gives you great flexibility to apply the standard as you need to for your business model, which is great. But it says things like plan what you need to achieve, plan to achieve your objectives and determine how you're going to measure that. Essentially, how do you know you've done it? Where's the dial? Where's the indicator that says, yes, you are performing where you need to be? And that's a complex part, I think, even for the management system framework itself. But that needs to be applied for risk treatments as well, for controls, to say, how do you know if your password policy is enough? Are you doing what you said you were going to do when it comes to network security? And that's difficult to know. So it's that kind of metrology: how do you measure the information security? I think that's the difficult bit, and sometimes it's misunderstood and therefore sometimes got wrong a little bit.

And I suppose if you don't identify the initial risks at the front end, you're going to miss stuff, and then come the back end, an auditor comes in and says, what about this? They go, totally missed that. That's where I guess people need to take time to plan and identify the risks, really.

Yeah.
I won't name names, but I've been, for example, and audited a software company and asked where's their backup. Are you thinking to make a backup of things in case it gets lost or broken, and you have a backup? Show me the backup of your source code. Oh, we don't appear to be doing a backup. And this is a software company. And you think that's a big, an obvious risk, but yeah, you didn't actually think about that one, or didn't apply it when you did think about it. But that's another good thing about management systems, I think, is that it gives you the opportunity, it tells you to check, to do these things and to find out, there's something we fixed. Thank goodness we found it, we can make it better now. And that kind of cycle of improvement is built into it as well.

That's where I think there's benefit to ISO systems and certification. You're getting fresh eyes coming in that are totally independent of your business, just questioning a few things and making you go, yeah, actually, we did think about it. Because sometimes you're too close to it, aren't you? We all are. We make mistakes here. Everyone does. Because you're just too close to it. A fresh set of eyes coming in just starts prodding a little bit. But you're right, it does make you improve.

It does.

I know we've had some questioning of our encryption before and things like that. You know, we've put in a lot of improvements for the better. It cost me a bit of money, but it made me sleep at night. Yeah, okay, so how can it be practical for small businesses? It does sound like a big standard, a lot of elements to it, a lot of things to control. Can businesses implement all of this, or does it get a little bit too much for them?

It can be, and I've seen it done in a business of one person. And so yeah, it is achievable in a kind of compact way. Like I said, it's scalable. It can apply, the system can work for organisations of one to multinational corporations.
And actually it's probably easier for the small business to do it because it's more compact. For smaller businesses, kind of micro businesses or, you know, less than 50 people, it's probably the easiest model. The downside for small businesses is organisations will no doubt have people changing hats to do roles and other people's roles and to try and juggle different tasks. And that can have long-term problems with management systems generally, I think, but certainly for information security. And smaller organisations are less likely to have their own IT department, their own data security officer or whatever, and specialists in house. And so the focus then will probably be more on whoever's doing the buying and supply chain management of those who provide services. And I think that's a model which is growing, actually, that organisations don't have their IT department. They may not even have an HR department or a, you know, all sorts of things are outsourced and done with partners and other companies and suppliers. That doesn't prevent there being risks. It doesn't prevent the need for managing those. But it might be that the controls that we talked about are being applied through a supplier, by another company, perhaps a landlord.

Hmm, okay. I guess some, I can think of a few clients where their HR is done by their parent company and sometimes the purchasing is as well, so they need to think about those controls, don't they really? Because it's not all controlled in-house. A supplier, for want of a better word, is looking after it, so what's the risk? Cool. So how do you create a culture of security awareness beyond the IT team? So the IT team, I guess, are fairly conscious about it and understand it.

You would hope so, yeah.

So what about everyone else? Because everyone's got a part to play in this standard, haven't they? It's not just the IT department.

Yeah, I think for that, it really needs to come from the top.
It needs to be led by the leaders of the organisation, the directors, the managing C-suite or whatever. All teams follow the captain and do what the leader says. So that's why it has to come from the top down. How do you develop the culture? Keep training, keep talking about it, make that communication happen, remind people somehow. It's an interesting fact that most information security breaches, the big stories that you hear, that company that went bust a couple of weeks ago, do you know that one? I think they were a shoe company that had been around for 100, since the 19th century, and went bust because somebody's login credentials were compromised. It's a human problem. It's not the IT department that caused that, and it's not a technological failure, most likely. It's probably because somebody did the Post-it note with their username and password on it stuck to the screen. Or they used the same password for everything, because... that's just, their home things and their work things, and somebody's breached their home, their Facebook or whatever, I don't know. And then thought, well, I'll try out their work account or whatever. And the hacker has been able to get in because of that. But this is why you need a culture, because most problems are caused by people, not by computers or their systems.

One of the big supermarket ones that got done recently, that was through the help desk, wasn't it, or something? Someone phoned up.

I think it was something like that, one of them.

I remember a story, I can't remember who it was, but it's just someone just phoned up the help desk and just managed to get their information and what have you. That happened. But you're right, it's the human element.

To err is human.

You need that culture. And we talked about it just now, but people need to talk about it around their lunch table or their coffee bar or whatever and say, this is something that can happen. We need a strategy to deal with this.
We have got a strategy, and this is what it is. So let's do that.

Once the system is in place and someone's certified, how does maintaining it look? Is there a lot of work to upkeep it, or is it fairly ticking along quite easily?

My instinctive answer is no, it'll just keep purring over like a well-maintained V8 rumbling in the distance. To me, maintaining means keeping something going, up to date and fixed. And so, yes, an ISMS needs to be maintained, but I think most often it needs to be maintained because the organisation moves and evolves, and this evolution is something that often happens quickly. There is a need to review and to reassess risks on a fairly regular basis, at least annually would be typical, or if anything changes: you think of something else, or you change the business model in some way, or adopt a different supplier. Then you think about the information risks there as well. So the maintenance is that, and at the technological level there'll be ongoing things to do with patches and tests and inspections and so on. And there's also the ongoing maintenance common to all management systems, which is doing internal audits and checking those performance measures, looking at the dials and making sure everything is all right. So there's that kind of maintenance that goes on. So I don't think it's particularly arduous for information security as opposed to other disciplines or other standards. It's just good practice keeping it going, normal routine activities, really, keeping up to date.

Unless legislation changes, I suppose.

There's that, yeah. I guess I should mention this. One particular aspect of information security as a topic is that there also needs to be the reaction part of it. We've talked about risk management and risk prevention, but there is also this need to be able to respond to incidents. Now, to me, there's a correlation between what is a risk
to information and what is an information security incident. And the difference is just the passage of time. So a risk is a potential incident, and sometimes risks are manifested in some way and then you will have some kind of impact, and being able to respond to that and recover from it quickly is an important element of the risk management. So in terms of what we were talking about with maintenance, there may be the need to jump in every now and again and go, aha, we need our response plan. We're going to have to clean that system and restore from backup, or whatever the incident response might be. So there's that aspect of it as well. I suppose that's not really maintenance, that's more kind of emergency response.

That's what made me think about ISO 14001 and ISO 45001, which follow the same kind of principles by the sound of it. But then when something does go wrong, you get an emergency situation where someone's had an accident or a big spillage. OK, what went wrong? We've got to prevent that from happening again.

Yes, I suppose it follows the same ethos, very similar, and to me it just makes sense, really. Just sensible.

Yeah, why wouldn't you? It's kind of a duh moment, isn't it?

Yeah, of course you would.

Okay, interesting. So what's the one piece of advice for a company starting their ISO 27001 journey?

Get a grip on what information assets there are. We talk about an inventory of information assets. It sounds like a really easy thing, we just write a list of all the information, but it's not that easy, and you need to know what information you have, where it is and who's responsible for it, before you can even start thinking about, well, what risks does it face? So get that information inventory done pretty soon after you start the project. It's one of the first things that you're going to need, and it's really important, even though if you read the standard chronologically you wouldn't see it until you're near the end. You need to get into it fairly quickly.
So that's my number one top tip. For the models for doing the risk management, there are a lot of tools out there. I think they're almost all software-as-a-service type things now, so it's all cloud services, and a lot of them subscription models. You really need to know that you like the one that you're going to use, if you're going to use one, and that you have confidence that it can help you meet ISO 27001 requirements, and that it's not too constraining in the sense that it's designed for some other kind of risk management and won't help. But there's nothing wrong with just doing it in a spreadsheet or a kind of homemade tool. Doing risk management is a kind of complex and specialist task. Another top tip associated with that is that it doesn't have to be scientific in outcome. The reason for using the risk management model in the ISMS, in my view, is to inform an appropriate level of risk treatment. And so it doesn't have to be exact. It doesn't have to be measured to a tenth of a penny of what the impact would be if there was a loss of availability for half an hour. You don't have to be that detailed about it. So fairly low-definition risk management, enough so you can have informed judgements about managing risks. So don't try and get too into the weeds with the risk management.

It's good advice, because in the aerospace scheme we've got operational risk, which sounds very similar, and some people just get so complicated with it, the whole scoring of it. I'm like, what the hell's going on here? Just step back, keep it simple, guys, just know exactly what you're looking at.

Yeah, just understand why you're doing it, really, because that'll tell you you don't need to get so excited.

Okay, good. Brilliant. Okay. Well, that's been really interesting. I know I've learned quite a bit. And I'm sure we'll jump on another one just to get a bit more detailed in certain areas, because it's definitely a standard I'm not 100% aware of. So yeah, more knowledge helps me.
More about the controls next time perhaps, and talk about how they fit in.

Yeah, maybe we'll do that.

Brilliant. Okay, super. Thanks for your time, Ian, and we'll catch up soon.

Thanks. Bye bye.
