Maturity
How should we prepare for recertification?
Email everyone shortly before the recertification audit, reminding them of their responsibilities towards both information security and the ISMS. Give them guidance and tips on how to conduct themselves during the audit. This is a classic security awareness opportunity!
Unlike the interim surveillance audits which tend to focus on specific areas, a recertification audit will give the entire ISMS a thorough once-over. Since your ISMS has been in operation for some time (~3 years), the auditors will naturally expect to find a mature ISMS that is nevertheless moving forward, proactively responding to the inevitable changes using the Corrective And Preventive Action (continual improvement or maturity) processes embedded within the ISMS.
Recertification requires a formal audit. That can be tough for organisations that have let their ISMS drift or decay after the elation of their initial certification. Renewal of your certification is not a foregone conclusion! The audit’s prime focus will, of course, be to check and confirm conformity with ISO/IEC 27001. The key issue is to determine that you are effectively managing your information security using the framework specified in the standard.
Use this simplified nine-point checklist as a basis for planning the things you need to do before the audit:
Check that your ISMS internal and external audits are fully up to date, with plans in place for future audits. Are all audit findings/observations, recommendations and agreed actions either completed and closed off, or currently in progress (with clear signs of that actually happening, in practice)? Use the results of recent audits to drive forward any necessary changes and to reinforce the concept that the audits are all about making justified improvements. (It is worth double-checking that any other similar audits covering information risks, controls and compliance/conformity are also addressed.)
Collate evidence of continuing management commitment to the ISMS such as minutes of security committee meetings, decisions and actions taken, approved CAPA plans and the results of follow-up or close-out actions, and budgets.
Complete a full management review of the ISMS, including your SoA and RTP. Document all findings and recommendations as preventive or corrective actions and ensure all actions are suitably initiated, allocated and managed. Try to get all significant issues closed off, or at least well under way, before the audit ... which means doing the management review in good time.
Review your information risks. If there have been significant changes in the external business environment (e.g. new legal or regulatory compliance obligations, new ISO27k standards, new security partners), internal situation (e.g. reorganisations) or IT (e.g. new platforms and application systems), you may need to redo your information risk assessment from scratch using the documented methods, and update your RTP. All risks should be treated, in other words avoided, controlled, shared or explicitly accepted by whoever is accountable and, for significant risks, there should also be contingency plans in place in case the controls fail.
Review all the ISMS documentation (policies, standards, guidelines, procedures etc.) to ensure it is up to date, complete, formally approved/mandated/signed off, version-controlled and made available to those who need it (e.g. uploaded into the ISMS area on your intranet). Ruthlessly seek out and destroy old or outdated ISMS documentation.
Get your information security awareness and training activities bang up to date and ensure a plan is in place for future activities. Ensure everyone knows where to find the ISMS policies and related materials and is aware of the content (a useful tip is to give everyone a shortcut to the information security documentation on their desktops). Ensure everyone is familiar with, and in fact actively complies with, their responsibilities towards information security, for example any obligations arising from privacy legislation and relevant information security procedures.
Check the documentation relating to any recent information security incidents, for instance to confirm that corrective or preventive actions were documented and duly completed. Step back from the detail to confirm that the process is operating smoothly.
Review your information security metrics. Given that your ISMS has matured, are they still relevant and useful or do they need adjusting? Have you in fact been routinely reporting and measuring against them (collate recent evidence to prove it) and have any actions necessary been taken (again, check those CAPA plans)?
Get yourself round each area of the business and grill likely audit interviewees (both managers and staff) regarding their part in the ISMS. Ask them some searching questions (try the auditors’ favourite “Show me...” to check that they can actually produce solid evidence substantiating whatever they claim or believe to be true) and try to find the weaknesses or concerns before the auditors turn up - not to hide them but to address them! This is invaluable preparation or training for the auditees. Tell them up front that you are not being harsh with them but are asking stiff questions to help them prepare and make the actual recertification audit go more smoothly. It’s tough love.
Remember that the ISMS is dynamic, constantly adapting to changing business needs arising from evolving information risks. It will never be perfected or finished as such but, so long as it is properly managed, reviewed and fully supported by management, you will be fine.
What if things change after we are certified?
That depends on the nature and scale of the changes.
Minor changes to the ISMS are expected to occur as it naturally evolves in line with changing business needs for information security, for example through the action of various internal reviews triggering corrective and preventive actions: these should have no effect on your certification status since they are an anticipated and normal part of any ISMS.
Larger scale business or organisational changes may involve more significant changes to the scope of the ISMS, for example other parts of the business being integrated with the ISMS, mergers/acquisitions or downscaling/divestments: these may be substantial enough to invalidate your original certificate without at least a surveillance visit from your certification auditors, but it's impossible to give hard-and-fast rules.
Whether your ISMS changes are deemed substantial enough to invalidate your certificate, or to warrant recertification, depends on several factors such as:
The scale or size of the change/s;
The nature or type of change/s;
The likely impact of business and organisational changes on your ISMS and/or information risks and hence the risk treatments required;
How long it has been since your last certification or surveillance audit, and how long before the next one; and
The certification body's policies and practices in this regard.
Aside from the certification angle, you should definitely update your information asset and information risk/control registers and maybe your SoA. You may need to update your security policies and perhaps restructure the team managing and running the ISMS, which may well imply the need for a new budget. Don’t forget to check your ISMS internal audit plans too, and if appropriate adapt your metrics accordingly.
Stay in touch with your certification body, keeping them updated with (significant) changes and giving them the opportunity to say whether further surveillance visits or audits are in order. Building a strong working relationship with your auditors has the distinct advantage of "no surprises" on both sides, but it takes a little effort to establish and maintain the relationship, as indeed do all relationships (business or otherwise!).
How can we boost our security culture?
Try these tips for size:
Use suitable metrics to measure relevant parameters of your corporate security culture and drive it in the right direction, adjusting the approach and celebrating success as you go.
Culture is heavily influenced by management, especially senior management. This is one of the key reasons that genuine senior management support is essential when implementing an ISMS ... which implies the importance of addressing senior management, helping them understand and appreciate the value of information security from the earliest opportunity.
Corporate culture is also heavily influenced by powerful opinion-formers within the organisation (at any level of the hierarchy), by internal communications and networks (both formal and informal), and by the wider business/industry and national cultures in which people live. These are influenceable to varying degrees. An effective information security awareness program will identify and target the people/groups, themes, messages and styles across all these areas.
Culture is an emergent property or characteristic of the organisation, demonstrated by people's actions and beliefs even when they are not being watched. This includes senior management: it is no good them saying “This awareness and training session is essential for everyone” if they don’t make the effort to attend and actively participate.
Changing corporate culture as a whole may be viewed as a massive long-term change management activity. Anyone who truly understands how to do massive change management reliably can make a fortune! It is a very complex and difficult topic, highly dependent on the specific context, plus the history leading up to the decisions to change. A serious information security or privacy incident, for example, is a classic trigger to “Do something, now!”.
Culture is dynamic: it will continue to change or evolve after it has been (somehow) pushed in a certain direction, and that future evolution is not entirely controllable. This is the main advantage of rolling or continuous security awareness programs, since a single awareness event or course will gradually be forgotten and awareness levels will decay unless constantly refreshed. Using a sequence of security topics is a good way to make sure that the materials remain interesting and engaging, along with having excellent awareness content prepared by people who understand and empathise with the audiences.
Plan to develop and enhance the security culture over the long term. Investing time and effort consistently into this will pay dividends - it is worth it. Tackle it in bite-sized chunks rather than all at once, aiming for incremental, solid improvements rather than dramatic but often short-lived effects.
Which security metrics should we use?
It's tough to give simple advice on metrics: it is arguably the hardest part of what we do. But here goes.
If metrics are to provide management with answers, what are their questions? The Goal-Question-Metric method eloquently described by Lance Hayden in "IT Security Metrics" is an excellent approach, made even more powerful by "PRAGMATIC Information Security Metrics" by Krag Brotby and Gary Hinson, a way to design or select worthwhile metrics from a shortlist.
It is unrealistic to expect a standard set of security metrics, in just the same way that there is no universal set of security controls: there are simply too many variables. In time, a core set of reasonably commonplace controls and metrics may emerge from the mire but there will probably never be total consensus. Even if there was a standard set, you would still have to extend it to suit your unique situation anyway. In short, there is no way around figuring out the information risks, controls and metrics that matter to your particular organisation.
Metrics-related references that you should check out include:
ISO/IEC 27004 - the current 2016 version is useful, the next promises to be even better;
SecurityMetametrics.com for an FAQ on security metrics and security maturity metrics designed to support ISO/IEC 27002. Selecting security metrics that are appropriate for your organisation starts by figuring out things such as who are the audiences for the metrics, and what do they expect to achieve with the information;
"IT Security Metrics" book by Lance Hayden explains the Goal-Question-Metric structured approach in the IT security context;
"You are what you measure", a paper by Hauser and Katz, warns about inadvertently driving the organisation the wrong way as a result of inappropriate metrics;
NIST SP800-55 Measurement Guide for Information Security (2024) – volume 1 (identifying and selecting measures) and volume 2 (developing an information security measurement program). Well-written, up-to-date, and FREE!
As you read through that lot, start thinking hard about what you and your management might really want to know about how you are doing on information security, and start defining and prioritising the collective requirements. This is the crux of your problem. Management probably wants to know things like “Are we secure enough?” or “Are we more secure now than last quarter?” and “What are our most significant information risks?” and “Why is information security so expensive?”! These are really tough questions to answer, so work hard to refine them and make them at least partly answerable.
Hint: look at those parts of the ISMS which caused you the most grief when designing and implementing it. Are there parts of the ISMS that remain self-evidently painful to operate? If so, these are classic ISMS process improvement opportunities, and hopefully good places to gather metrics that will help you justify, plan and make those improvements, with the spin-off benefit that you will be making things easier for those involved.
It may seem too early but it's almost certainly worth talking to your management about what they might expect during this metrics design phase. Look at what kinds of metrics they get from other management systems. Find out what they actually use versus what they get, and look for clues about what kinds of things work best in your organisation. Consider phoning your peers at other similar organisations for some good ideas. Find out what formats and styles of reporting they like best or hate most. Ask them what few reports they could really not do without. Think minimalist at the start.
Next, start looking at the realities of gathering information on those things you really want to know, and continue refining your requirements. Some metrics will be straightforward (great! These are probably keepers), some will be feasible but more difficult (bear these in mind - may need more work) and some will be so awkward and/or costly that the effort required to measure them will outweigh any benefit obtained (park these, at least for now: you may revisit them later as your ISMS matures).
Be careful with any existing infosec metrics: some of them may be measured simply because they are easy to measure, such as simple counts of things (“23 malware incidents this month”, “23 million spams blocked today” or whatever). Unfortunately, such simple metrics typically don't tell management, especially senior management, anything really worthwhile. While a few may have value to the Information Security Manager as operational metrics, most are at best ‘nice to have’ numbers rather than “Oh boy, this one is in the red, we’d better turn dial ZZY to the left 20 degrees”!
Most of all, avoid the temptation to list and discuss all the information security-related things you can measure, like a giant shopping list. Some of them may be worthwhile ingredients, but most will be distracting and unhelpful. Trust me, this is not an effective way to start designing your ISMS metrics. If you must have one, keep the shopping list to yourself but share the menu.
Finally, towards the end of your lunchtime (!), it's time to start experimenting, trialling a few metrics, getting the data gathering, analysis and presentation processes working and getting feedback from management. Give them some ‘sample’ reports and ask them if they know what to do about the things you are reporting. This is where all your pre-work starts to pay off, hopefully. If you have chosen well, you should by now be ready to routinely report a few good metrics and, more than that, management should be using them to make decisions. Management should be saying “Ah, I see, yes, nice, let's have more of these ...” and “Mmm, that's not quite what I had in mind. I really need to know about ...”.
During this stage, you will inevitably find that you need to gather more detailed ‘supporting’ metrics to underpin the high level/strategic management stuff, and you will also figure out that there are various routine/operational issues and controls within the ISMS that deserve measuring and using for day-to-day purposes by the Information Security Manager and team.
Now is the time to work on defining targets. At what level, exactly, does metric 26 go ‘into the red’? Why there? Is it a point or a range? Whereabouts on the scale can we relax?
Then, over the next several decades (!!), keep on refining your metrics, testing new ones, dropping the ones that aren't working and responding to changes in your ISMS, the risks and controls, the people, the fashions, the good ideas you pick up at conferences ... and extending the answer to this FAQ with your wisdom.
How can I become an ISO27k consultant?
Figure out your Unique Selling Point or value proposition as a consultant. What business benefits do you offer clients, substantially outweighing your charges? Why should clients employ you rather than your competitors, or simply muddling along on their own?
Start by studying the ISO27k standards – in particular the core set:
ISO/IEC 27000 (overview & glossary)
ISO/IEC 27001 (formal ISMS specification)
ISO/IEC 27002 (catalogue of information security controls)
ISO/IEC 27005 (information security risk management process)
ISO27k "Lead Auditor" or "Lead Implementer" courses can be a quick way to tackle the basics, depending on the nature and quality of the course materials and the competence of the trainers ... but 'basics' is the crux of it. A few hours or days in class is barely a start.
Continue your self-development by actively researching and learning about governance, risk and control concepts. Become familiar with NIS2, DORA, PCI-DSS, COBIT, privacy laws and so on. Take a proper look at the remaining ISO27k standards, and others such as ISO 22301 and the NIST SP800s. Impress potential clients with the breadth and depth of your knowledge.
Real-world experience is crucial. Take on small projects. Do research. Write papers. Participate actively in professional communities such as the ISO27k Forum. Seek mentorship or guidance. Read voraciously. Accumulate knowledge, experience and expertise in governance, risk and control, in security, privacy, resilience and so forth. Your competence, credibility and hence success as a consultant influences the nature and quality of your work, and vice versa.
You'll know when you have gained sufficient wisdom to make a real difference - and so will your peers and clients. Meanwhile, slog.
