David Watson was one of the earliest exponents of the standards, and is one of the best-known industry figures. In this series of articles for the ISO 27000 Newsletter he outlines some of the most common errors and mistakes he has encountered over recent years:
COMMUNICATIONS AND OPERATIONS MANAGEMENT (Section 10)
- There are often no standards and little or no documentation of the Corporate Systems;
- Rarely is there an effective and properly implemented change management process. There are sometimes no formal change management processes or records of change meetings available. Change management meetings often have staff at the wrong level attending, have whole business areas that do not/will not get involved, and have no minutes to show which changes were implemented successfully and which were not;
- There is often no management software for the network, or any form of planning for the IT systems or capacity;
- Rarely are Service Level Agreements in place, and if they are, they are rarely monitored and used effectively. Sometimes the business has unrealistic ideas of IT Service availability and the IT Department cannot meet the requirements without serious investment, which the business may not be willing to provide. This can lead to a breakdown in relationships between business units and IT;
- Often the Information Security Manager is not advised of new projects, or is so stretched that he cannot make the time to provide assistance;
- I often find a backup process that does not provide full backup integrity or recovery capability.
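The backup finding above is usually an absence of two controls: nothing proves that the files written at backup time are the files still present at restore time, and nobody actually restores. The following Python script is an added example, not from the article or any product it mentions; it records a SHA-256 manifest when the backup set is created, re-hashes the set on demand, and runs a restore test into a scratch directory. The `MANIFEST.json` filename, the `write_manifest`/`verify_backup`/`restore_and_verify` helpers and the three sample files are all constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical manifest filename chosen for this example


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup archives are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record a hash for every file in the backup set at backup time."""
    manifest = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path) -> tuple[bool, list[str]]:
    """Re-hash every file named in the manifest; report files that are missing or altered."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems, problems)


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> tuple[bool, list[str]]:
    """Recovery test: restore into a scratch location and verify the restored copy, not the source."""
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    return verify_backup(restore_dir)


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed scenario: a clean backup, a restore test, then silent damage to the set."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        sample_files = {  # constructed sample content
            "config/app.ini": "[db]\nhost=db01\n",
            "db/data.sql": "INSERT INTO accounts VALUES (1, 'alice');\n",
            "logs/app.log": "2024-01-01 00:00:00 service started\n",
        }
        for rel, body in sample_files.items():
            f = backup / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        write_manifest(backup)

        # A restore into a fresh directory that verifies clean is the evidence an auditor wants
        restore_ok, _ = restore_and_verify(backup, Path(tmp) / "restore")

        # Simulate the failures a backup job that never verifies would not notice
        (backup / "db" / "data.sql").write_text("")  # file truncated during copy
        (backup / "logs" / "app.log").unlink()       # file silently dropped
        damaged_ok, problems = verify_backup(backup)

    return restore_ok, damaged_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored separately from the media it describes (and ideally signed), otherwise a failure that destroys the backup destroys the evidence of the failure as well; the restore test is what turns "we have backups" into "we can recover".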
SECURITY POLICY (Section 5)
This can be an enormous can of worms, as policies are:
- Often missing (Some companies do not even have a set of policies!);
- Frequently out of date;
- Often unknown by staff, especially third parties, and most especially IT Contractors and Consultants;
- Not enforced;
There are often no records to show who has received the policy with supporting training, and there is rarely evidence of policy review.