How not to hire a security executive who’s on parole

One of the first questions to ask during an audit is "Do you have a Policy?" (the policy is part of the ISMS; see ISO 27001).

Then, after checking that policy for completeness and sufficiency, start checking whether it is communicated to staff and whether it is followed.

Since policy defines how an organization is to be run, this is the top-down approach. It's why bottom-up activities like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place, and it allows for metrics and for improvement of both compliance and the detailed processes themselves (CMM etc.).

