Commentary

It is clear that the authors of this standard placed great emphasis on Compliance: two of the four mandatory controls are found in this section. As a final comment on the final Clause of the standard, it is most important to appreciate that this document is a management standard. The text is designed to allow the rules to be written to suit organisations of all sizes and types. The layout of the standard is intended to steer the reader through the subject in the most appropriate order, by stating the corporate objective in the initial policy document and then exploring the ways and means of achieving those objectives. All that effort could be wasted if there were no way of checking that the working procedures were actually delivering the goods. Compliance, audit, assurance and review are all terms which address that process of checking whether things are working as expected. In most organisations, new products, new customers and new trading conditions will be a constant source of change that will cause these security controls to become stale. If the controls are not working, it may well be that the business has changed, as well as the people failing to get it right.
The Security Practitioner: An Introduction to Information Security