Cees van der Wens

About the Author

Cees van der Wens (1965) studied industrial automation in the Netherlands. In his role as Lead Auditor, the author has carried out dozens of ISO/IEC 27001 certification audits at a wide range of organizations. As a consultant, he has also helped many organizations obtain the ISO/IEC 27001 certificate. The author feels very connected to the Standard because of the social importance of information security and the power of a management system to get better results.

Cees van der Wens:

Section 0.1 of the Standard tells you that “the order in which the requirements are presented does not reflect their importance or imply the order in which they are to be implemented.” That sounds like a cookbook telling you that the order in which the ingredients are presented in the recipes does not reflect their importance or imply the order in which they are to be used.

Besides the fact that the order of requirements can be confusing, the requirements themselves are generally perceived as vague. This vagueness often raises many questions. Why doesn’t the Standard tell me more precisely what to do? Why do I have to find out for myself?

The main cause of the “vagueness” is that the Standard is intended for all types of organizations and that the requirements cannot be too specific. For example, the Standard requires that there must be an information security policy, but not what it must contain. That depends, after all, on what policy is needed within your organization. Nor can the Standard prescribe specific technical and organizational measures because what is necessary depends on your specific information security risks.

This is why you must implement an information security management system that meets the Standard, that fits your activities, obligations, risks, and objectives, and that can be integrated with your business processes and management structure. That is quite a bit, and in practice, this is not always easy. This book is intended to help you with it.