Things to watch

The 'things to watch' sections below have been written from an audit perspective and from a certification viewpoint. The observations cover the non-conformities the author has found most frequently in the audits he has carried out. This information is especially important for those seeking certification. For those not seeking certification, it still provides a valuable view of common failings, and these can be converted into an internal checklist for internal review purposes. In summary, the fact that an organisation has an appropriate set of policies, standards and procedures does not necessarily mean that it has good information security in place. Information security has to be embedded into the business processes and become second nature rather than an optional add-on. All staff and third parties with access to an organisation's information processing facilities have their parts to play: they should know them and carry them out. The auditor is looking for objective proof (called records in Certification Body parlance) that you have demonstrable management control over the resources under your stewardship.
The Security Practitioner: An Introduction to Information Security