DNA database claims
Ian Batten
ukcrypto at chiark.greenend.org.uk
Mon, 4 Aug 2008 14:14:28 +0100
> My take is that if an organisation is not at least 27001 compliant
> (compliance should be attested by certification...), then it will
> not be easy to attest that due care is being taken of the
> information they hold - never mind any higher levels of assurance
> that may be required.
Quite so. One of my personal bugbears is people who claim to be
compliant to a standard, but don't hold registration. If they're
compliant, it shouldn't be hard to get registered. If they can't get
registered, they aren't compliant.
Moreover, it's one thing to be compliant on a given day.
Registration carries with it an obligation to surveillance audit
(twice per year in our case) and part of that audit is in turn an
examination of the internal audit. People who claim unregistered
compliance simply don't have that.
We thought we were 27001 compliant. When the time came to actually do
the work, we found that there were a whole host of things that we
didn't do completely, that seemed trivial, but were actually hugely
beneficial. As an example, correctly functioning management
reporting. As another, robust measures of effectiveness.
My next task is 25999, and again I've got agreement that although the
driver is customers who want ``aligned to'', we're actually going to
do registration. Partly because registration means you're on the
front foot whenever the legitimacy of your management system is
questioned. But mostly because if you're not registered, you're just
making bold claims.
But we're on the same page: 27001 doesn't prove an organisation has
effective security, although it does prove that at least they're
making some effort. Absence of 27001 however pretty much proves they
don't care and can't be bothered.
ian