Five ISO 27001 books you should read

Take a plunge into the world of ISO 27001 with these recommended reads


As a professional embarking on your first journey implementing ISO 27001, you are probably hungry for knowledge and eager to make progress. While starting a new project may be exciting, it can also be daunting if you lack relevant experience and cannot rely on internal support and guidance.

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Here are five books from IT Governance’s own ISO 27001 library that we believe can help ISO 27001 practitioners prepare for ISO 27001 implementation.

The Case for ISO 27001

As the title says, this book explains the business case for implementing ISO 27001 within an organisation. It highlights the importance and outlines the many benefits of the Standard, making it an ideal supporting document for developing an ISO 27001 project proposal.

The Case for ISO 27001 can be ordered from the IT Governance website.

IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the perfect manual for designing, documenting and implementing an ISO 27001-compliant ISMS, and seeking certification. Selected as the textbook for the Open University’s postgraduate information security course, this comprehensive book offers a systematic process and covers the main topics in depth.

Jointly written by renowned ISO 27001 experts Alan Calder and Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, sixth edition is due to be released 3 September 2015, and is now available for pre-order.

Nine Steps to Success

If you are looking for a concise, practical guide to implementing an ISMS and achieving ISO 27001 certification, consider obtaining a copy of Nine Steps to Success. Written from first-hand experience, it guides you through an ISO 27001 implementation project step-by-step, covering the most essentials aspects including gaining management support, scoping, planning, communication, risk assessment and documentation.

ISO 27001 Assessments Without Tears

With ISO 27001 certification being the final goal for most organisations implementing the Standard, the pressure is usually on the ISO 27001 practitioners to ensure that staff are prepared to answer tricky auditor questions. ISO 27001 Assessments Without Tears is a succinctly written pocket guide that explains what an ISO 27001 assessment is, why it matters for the organisation, and what individual staff should and should not do if an auditor chooses to question them.

ISO 27001 in a Windows Environment

Most ISO 27001 implementations will involve a Windows® environment at some level. Unfortunately, there is often a knowledge gap between those trying to implement ISO 27001 and the IT specialists trying to put the necessary best-practice controls in place using Microsoft®’s technical controls. Written by information security expert Brian Honan, ISO27001 in a Windows Environment bridges that gap and gives essential guidance to everyone involved in a Windows-based ISO27001 project.

Leave a Comment

ISO/IEC 20000 Implementation Toolkit

ITSM, ITIL & ISO/IEC 20000 Implementation Toolkit

Implement IT service management (ITSM) best practice the easy way with expert guidance and fully customizable pre-written documents created by ITIL® and ISO 20000 service management experts.

Guidance and documentation templates from service management experts to help all organizations improve their ITSM, adopt ITIL best practices, and/or achieve ISO 20000 registration

• Developed by service management gurus Shirley Lacy and Jenny Dugmore, the ITSM, ITIL & ISO/IEC 20000 Implementation Toolkit contains a complete set of tools and documentation templates, policies, and procedures that will enable organizations of all types and sizes to assess their current levels of service management and implement processes to deliver better services.
• Completely up to date with the latest editions of ITIL and ISO 20000, this toolkit makes administration and branding simple.
• The Office 2010 version features an integrated dashboard, allowing easy customization of templates, and one-click formatting.
• The ITSM, ITIL & ISO20000 Implementation Toolkit is the perfect investment for organizations that want an optimal route to implementing service management best practice, adopting ITIL, and/or achieving ISO/IEC 20000 registration.

Use SAVE15 at the checkout to save 15% on toolkit, containing all of the pre-written documents you need to accelerate your management system projects. Offer expires Monday August 31 2015.

To download copy of your toolkit: ITSM, ITIL & ISO/IEC 20000 Implementation Toolkit20000

Leave a Comment

CyberSecurity read which belong on every bookshelf


Take a plunge into the world of CyberSecurity with these recommended reads:

1) CountDown to Zero Day

2) Ghost in the Wires

3) Secrets and Lies

4) Spam Nation

5) The Art of Deception

6) Data and Goliath

7) Future Crimes

8) The Artocity Archives

The Artocity Archives

Leave a Comment

Information Security – A Practical Guide: one of the most ‘impressive’ books from ITGP


Information Security A Practical Guide

Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organization. Many consider information security an obstacle to reaching business goals, and view security professionals with suspicion if not outright hostility.

Information Security A Practical Guide
As a security professional, how can you get broader buy-in from your colleagues?

Mark Rowe, Editor at Professional Security Magazine, has reviewed one of ITGP’s information security titles which aims to address this issue, Information Security – A Practical Guide: Bridging the gap between IT and management.

One of the most impressive books from IT Governance Publishing.

Quick and dirty does it: we’ve reviewed several books on information and IT security published by IT Governance. The latest is one of the most impressive.

Tom Mooney begins this neat little book by recalling that he was struck when starting his career in information security how little he engaged with non-infosec people. IT would shy away from speaking to him, ‘as they feared security would stick its nose in’, and the business viewed security as a ‘dark art’. He likens security to brakes on a car: you would hardly drive a car without any, but you only use them when you have to, as a control. Without them, you will have an accident. As the book’s subtitle suggests, infosec is about ‘Bridging the gap between IT and management’.

Like many books, this would have been half as good if it had been twice as long. As it is, Mooney has provided non-security and indeed security people with a very high ratio of good sense that’s worthwhile to read.

“Offers more than the title suggests”

We’ve known for a while that it’s wisest to do computer security and physical security. In the old days, someone could walk out of a building with your server; now we have the Cloud, people can steal data even more simply, as Edward Snowden and others have. For a dozen years or more, that truth has been reflected in the British Standard for information security management, 27001, that covers the IT and physical sides. Books telling you how to do the two equally well have been hard to find; either the author is a tech guy, lacking know-how of electronic and personnel security; or the other way round. Information Security – A Practical Guide, by Tom Mooney, offers more than the title suggests.

It’s a short book, of ten chapters each of about ten pages each – and that’s something of merit, given how busy the likely reader is likely to be. I would suggest the reader who can learn from this is either the physical security and guarding person who wants to gen up on infosec, or an IT guy who likewise wants to tighten up security. Mooney keeps it plain and simple, in style and content, and again that is a compliment. A middle chapter, “Quick and dirty risk assessments” as the title suggests takes you through how to do a risk assessment, and as important to keep doing them. Besides the nuts and bolts of the work, Mooney arguably does us more of a service in the chapters such as “getting buy-in from your peers” because as in so many other parts of the workplace, it’s no good doing a decent or even excellent job if your non-security staff aren’t doing their bit, or aren’t funding it. “Often security is seen as a blocker or necessary evil at the end (some organizations are better than others.” Mooney advises building relationships; letting people know that their input is valued, and that they can help steer security. If you find yourself working for a place that doesn’t have a high regard for security, using some “fear, uncertainty and doubt” stories is a start, he suggests. Choose stories from the media, and again he advises explaining yourself in plain and simple English.


One observation rather than a criticism is that the author ought to have gone into more detail – but then he would not have written such a concise book. In fairness, he does introduce you to the necessary basics, such as the Senior Information Risk Owner (SIRO), a role often found in UK Government. Instead, Mooney points you in the right direction on such topics as penetration testing (again, with a physical and IT component) and information security policy; first knowing what the ‘risk appetite’ of your business is. While Mooney is writing for the information security professional, such is the spread of IT in the office and organization, this book can apply to anyone in security management. This book is well worth an hour of your time, whether as a refresher, or if you are finding yourself facing more work on the info security side. Recommended.

Reviewed by Mark Rowe, Editor at Professional Security Magazine

Information Security A Practical Guide
Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, this book explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.

Buy Information Security – A Practical Guide now >>

Leave a Comment

Cyber Resilience Best Practices

Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.


Target market


  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.


Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices

Leave a Comment

10 Facts Every Cyber Security Professional Should Know


If you hold any job related to security operations analysis and reporting, you’ve likely been inundated with news stories about data breaches and attacks by hackers on businesses of all sizes across numerous verticals. But with all that noise, it can be difficult to sort out the information that truly matters, like the hard data that helps you decide which solutions to adopt, gives you a powerful case to bring to your executive team for a larger cyber security budget next quarter, or simply reassures you that your peers are facing similar challenges.

For that reason, have assembled some of the most impactful, telling statistics related to information security in one place

1. Cyber attacks cost businesses $400 billion every year—Lloyd’s of London, 2015

2. Some 42 percent of survey respondents said security education and awareness for new employees played a role in deterring a potential criminal. — “US cybercrime: Rising risks, reduced readiness; Key findings from the 2014 US State of Cybercrime Survey,” PwC

3. There are more than 1 million unfilled information security jobs globally; by 2017 that number may be as high as 2 million — “2014 Annual Security Report,” Cisco; UK Parliament Lords’ Digital Skills Committee witness interview

4. The malware used in the Sony hack would have slipped past 90 percent of defenses today. — Joseph Demarest, assistant director of the FBI’s cyber division, during a U.S. Senate hearing

5. The average U.S. business deals with 10,000 security alerts per day. — “State of Infections Report Q1 2014,” Damballa

6. A significant 90 percent of CISOs cite salary as the top barrier to proper staffing. — “State governments at risk: time to move forward,” Deloitte/NASCIO

7. About 43 percent of businesses experienced a data breach in 2014. — “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness,” Experian/Ponemon Institute

8. Just 21 percent of IT professionals are confident that their information security technologies can mitigate risk. — “2015 Vulnerability Study,” EiQ Networks

9. As many as 75 percent of breaches go undiscovered for weeks or months. — Michael Siegel, research scientist at MIT, at a recent cyber security conference

10. In an effort to combat the growing threat of cybercrime, the U.S. Department of Homeland Security increased its cyber security budget 500 percent during the past two years; and President Obama included $14 billion for cyber security spending in his 2016 budget., 2015

Leave a Comment

Cyber Security safeguard offers much more than just protection

What is most beneficial about cyber security safeguards, Well, you will not only benefit from the better protection of your own information, but you will also gain a competitive advantage by demonstrating your cyber credentials.

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it proves that an organization has been independently audited against internationally recognized security standards.

Those that implement an information security management system (ISMS) will benefit hugely from improved processes and control of data within the organization.

Furthermore, improving and having demonstrable cyber security can also reduce your cyber security insurance. And finally, it will also dramatically reduce the chances of you experiencing a cyber attack. That’s kind of improvement.

Comments (1)

DISC InfoSec FB Page

“Like” our page on Facebook

DISC InfoSec Facebook Page

Comments (1)

How to identify risks, threats and vulnerabilities for small business

Small business owners are often lulled into a false sense of security, thinking that only major retailers, banks and healthcare companies are at risk of a data breach.

Although a malicious attack is the most commonly discussed threat to cyber security, it isn’t the only type your business should watch out for. Natural disasters, human error and internal attacks can wreak havoc with your systems and data.

vsRisk helps you meet every essential compliance requirement.

  • Includes six pre-populated control sets:
    • ISO/IEC 27001:2013 and ISO/IEC 27001:2005
    • PCI DSS v3
    • NIST SP 800-53
    • Cloud Controls Matrix
    • ISO/IEC 27032.
  • Fully compatible with ISO 27001:2013.
  • Includes integrated, searchable databases of threats, vulnerabilities and risk scenarios.
  • Produces a set of exportable, reusable and audit-ready ISO 27001-compliant reports.
  • Features a controls console that offers a quick view of the status of controls and actions planned.

Have you identified all the risks, threats and vulnerabilities that your organisation’s data and intellectual capital faces?

vsRisk Standalone - Basic

vsRisk Standalone – Basic

An information security risk assessment using vsRisk can provide a deeper understanding of your IT weaknesses and exposures.

 vsRisk has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001:2013, this widely applicable risk assessment tool automates and delivers an information security risk assessment quickly and easily. vsRisk Standalone is intended for a single, desktop-based user.

Leave a Comment

Top 50 InfoSec Blogs


DigitalGuardian Top 50 Infosec Blogs list. Top 50 Infosec Blogs


DigitalGuardian by Verdasys offers solution in the DLP area including advanced threat protection. Seems like a worth while list.

Below are the Top 10 InfoSec Blogs from the list.

1. Wired’s Threat Level

2. Roger’s Information Security Blog

3. Dark Reading

4. Krebs on Security

5. ThreatPost

6. IT Security Guru

7. Dan Kaminsky’s Blog

8. Security Weekly

9. Kevin Townsend’s IT Security

10. BH Consulting IT Security Watch

Leave a Comment

Have you heard about the Pwn Phone 2014?



If you have to undertake vulnerability scans or penetration tests at remote sites as part of your day-to-day activities, having to lug around a laptop and other scanning and penetration testing kit can be a real pain. Having the right tools for the job is crucial.

But how can you ensure you have the right tools for the job and eliminate the need to lug around bulky equipment? The simple answer is the Pwn Phone 2014. This sleek LG Nexus 5 mobile phone doubles as a powerful penetration testing device that makes it easy to evaluate wire, wireless and Bluetooth networks.

The most portable penetration device yet, its custom Android front-end and Kali Linux backend, and comprehensive suite of one-touch penetration tools, render it the ideal choice for pen testers who are on the road or conducting a company or agency walkthrough.

Watch a demonstration of the Pwn Phone in the below video:

Go mobile with the Pwn Phone 2014.

Leave a Comment

Independent Risk Assessment

RA toolkit

The essential suite for undertaking an independent risk assessment compliant with ISO/IEC 27001; supporting ISO/IEC 27002 and conforming to ISO/IEC 27005, whilst providing guidance to multiple internal Asset Owners.

Risk assessment is the core competence of information security management. This toolkit provides essential information, guidance & tools YOU NEED to undertake an effective ISO 27001 risk assessment.

The No 2 Risk Assessment Toolkit has the added benefit of supplying five soft cover versions of Risk Assessment for Asset Owners: A Pocket Guide. This enables you to provide a copy of the pocket guide to each member of staff involved in the ISO 27001 implementation, so that they can understand the risk assessment process.


What’s included?

Information Security Risk Management for ISO 27001/ISO 17799 (eBook): provides comprehensive guidance on risk management, in line with the requirements of ISO 27001. It is essential reading for anyone undertaking an ISO 27001 risk assessment.

The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.

This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.


vsRisk™- the Cybersecurity Risk Assessment Tool : vsRisk is a unique software tool designed to guide your organisation through the process of carrying out an information security risk assessment that will meet the requirements of ISO 27001:2005.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.


The Cybersecurity Risk Assessment Tool which:

  • Automates and delivers an ISO/IEC 27001-compliant risk assessment.
  • Assesses confidentiality, integrity &; availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001.
  • Supports / conforms / complies to ISO/IEC 27001, ISO/IEC 27002, BS7799-3:2006,ISO/IEC TR 13335-3:1998, NIST SP 800-30 and the UK’s Risk Assessment Standard.
  • One year of support get all software updates and unlimited telephone and email support for a year.

vsRisk™ – the Cybersecurity Risk Assessment Tool comes in two forms – Standalone or Network-enabled (single user licence). vsRisk Network-enabled (single user licence) has exactly the same functionality as the vsRisk Standalone version – but can be installed on a network.


Risk Assessment for Asset Owners: A Pocket Guide (eBook):
This Pocket Guide to the ISO27001 risk assessment is designed to assist asset owners and others who are working within an ISO27001/ISO27002 (ISO17799) framework to deliver a qualitative risk assessment.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

Benefits of a risk assessment

  • Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
  • Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses.
  • Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day.
  • Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.


Leave a Comment

When to use tools for ISO 27001/ISO 22301 and when to avoid them

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Comments (1)

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide


10 Minutes with… ITGP author Andy Nichols – Exploding the Myths Surrounding ISO9000

by Leave a Comment

In our latest author interview, we meet Andy Nichols, author of Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide, and talk about quality management and certification.

ITGP: Thanks for speaking to us Andy. Let’s begin with your book. Most books on ISO9000 only cover the rules and requirements of ISO9000 and how you might implement it. Your book seems more ambitious. What was your thinking behind Exploding the Myths?

AN: I decided to write Exploding the Myths Surrounding ISO9000 as people are often confused about the purpose of implementing a quality management system to meet ISO9000, and what third-party certification involves. Some common myths have endured for more than 20 years – one of them being that ISO9000 is: “say what you do, do what you say”. I felt it was a good time to expose these myths and provide practical guidance on what an organization should consider, instead, when implementing ISO9000 and preparing for external certification.

ITGP: You felt there was confusion regarding the purpose of ISO9000 and certification?

AN: When I look at various online forums, people are posting questions about the basics of quality management and are clearly confused. Although, as you say, there are many books describing how to implement a quality management system, the background to ISO standards etc., these are mainly written from the theoretical point of view. Little has been written to address the “hearsay” which has accompanied the development of ISO9000 over the past 25 years.

ITGP: It sounds like this advice is long overdue and based on plenty of experience.  How did you get started in quality management?

AN: I began my career in Quality back in the late 1970s. We relied very heavily on inspection and QC in those days. Luckily, in the mid-to-late 1980s, I was responsible for developing a quality management system to meet a NATO contract requirement using AQAP-1, which is the “great grand daddy” of what we know as ISO9001 today. We did what the AQAP-1 quality requirements told us, and delivered fault-free equipment and installed it without a hitch. This allowed me to pursue roles as implementer, supplier, quality and certification body auditor, as well as consultant and trainer.

ITGP: So, you’ve been meeting customers’ quality requirements right from the beginning of your career?

AN: Yes. The experience of implementing a quality management system to meet a customer’s contract provided an excellent foundation for understanding the basics of implementing quality management systems, without the confusion of third-party certification.

ITGP: Based on all your experience, can I ask what advice you have for those just beginning to use and implement ISO9000?

AN: For those starting out in quality management, and evaluating implementation of ISO 9000 it’s important to remember that much of what is required is already being done, if you are satisfying your customers. What’s needed is some formality to those processes and activities which are working well and then to work on improving them. ISO 9000 brings about a maturity in the way an organisation operates and then requires that management takes a long hard look at its performance and asks what needs correction and what needs improving.

If any organisation finds itself doing something “because of ISO” or “to keep an auditor happy”, then they have to question why this is happening.

ITGP: One final question before we run out of time.  Are there particular parts of your work that you enjoy?

AN: In my position as certification body sales manager, I’ve found that assisting clients in understanding the certification process, what’s expected at each step and how to be successful is the most rewarding. Many organizations are new to the process of certification – even though they may have experience of customer audits, security audits etc. Being able to complete their knowledge, before they select a certification body and begin the process is enjoyable.

ITGP: I can appreciate that ensuring the client is properly informed is very important in making the right choices about ISO9000 and certification. I guess that’s also what made you write the book in the first place.  We’re out of time sadly, but many thanks for speaking to us.

AN: I appreciate the opportunity.

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide

Leave a Comment

Do it yourself solution for ISO27001 implementation


ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


This package does not include certification fees which are paid directly to the certification body.


The ISO 27001 do-it-yourself package contains:

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Leave a Comment

SEO Powered By SEOPressor