difficult for the organization to marry up differing ways of doing the same thing and it makes the auditors’ job harder (and longer and more expensive) too.
So, to get around this problem of “multiple management systems”, ISO decided to standardise the wording of the management system parts of its standards. It produced a long document with numerous appendices, one of which, “Annex SL”, contained a first draft of the standard wording. ISO is now phasing in this common “Annex SL” wording (also sometimes referred to as the “High Level Structure”, or HLS), and all new standards and new versions of existing standards will use it. ISO/IEC 27001 was one of the first to adopt this new layout and so may be called one of the first “Annex SL” standards. ISO has made good progress in phasing Annex SL in, and certain standards, including ISO 22301 (business continuity), ISO 9001 (quality management systems) and ISO 14001 (environmental management systems), now have it.
The good news for an organization implementing an ISMS based on ISO/IEC 27001 is that it will, by default, be putting in place an “Annex SL” management system. This will make it much easier to implement other standards such as ISO 9001 later, if it wishes to (see the section on integrating management systems within this document for more information). The ISO/IEC 27001 standard consists of major headings that are common across other standards (because they are the “Annex SL” headings). They are:
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Sections 0 to 3 don’t contain any requirements, so an organization wouldn’t be audited against them. They are worth a read, however, as they provide some useful background on what the standard is about and how it should be interpreted.
Sections 4 to 10 set out the requirements of the standard. Requirements are often referred to as the “shalls” of the standard because “shall” is the word ISO uses to show that what is being stated is compulsory if an organization is to be compliant. The (internal and external) auditing process is basically an exercise to check whether all the requirements are being met by the organization. Requirements are not optional: if one is not being met, the auditor will raise a “nonconformity” and the organization will need to address it to gain or keep its certification to the standard (see the section on auditing later in this guide).
In order to show that the requirements are being met the auditor will need to see some evidence. This can take many forms and until recently was defined as a combination of