The first task after certification is to close out every non-conformity (and observation) raised during the certification audit, and to do so before the surveillance audit is due. Auditors will not be happy to see their earlier findings reappear in the following audits. If any policy or procedure documents need to be updated, record the change in the document's own version history, have the document reviewed and approved by management, and circulate it to the authorized people.

Keep an eye on assets being added to your infrastructure. In large organizations this is easy to overlook, and the result is a surprise during the next audit. Assets may also have been removed from the infrastructure. Identify the new and removed assets, carry out a risk assessment, and update your risk treatment documents and the Statement of Applicability (SoA) if required. Since you are already certified, I assume the process for adding and removing assets has already been defined, communicated and followed; the point here is to verify that the asset register still reflects what is actually deployed.
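One way to catch drift before the auditor does is to reconcile the asset register approved at the last audit against a fresh discovery snapshot and turn the differences into review actions. The script below is an added example, not part of the original article; the CSV register format, the hostnames and addresses, and the function names are constructed for illustration, and a real run would read the register from the ISMS tool and the snapshot from a discovery scan.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    classification: str


# Constructed sample data (not from the article): the asset register
# as it was approved at the last audit ...
APPROVED_REGISTER = """hostname,ip,owner,classification
web01,10.0.1.10,app-team,internal
db01,10.0.2.20,dba,confidential
fw01,10.0.0.1,netops,confidential
"""

# ... and a fresh discovery snapshot taken before the surveillance audit.
# web02 appeared without an owner or classification, fw01 is gone,
# and db01 has moved to a new address.
DISCOVERY_SCAN = """hostname,ip,owner,classification
web01,10.0.1.10,app-team,internal
db01,10.0.2.21,dba,confidential
web02,10.0.1.11,,
"""


def parse_register(text: str) -> Dict[str, Asset]:
    """Parse a CSV register into a dict keyed by hostname."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        assets[row["hostname"]] = Asset(
            row["hostname"], row["ip"], row["owner"], row["classification"]
        )
    return assets


def diff_registers(approved: Dict[str, Asset], current: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Return hostnames added, removed, or changed since the approved register."""
    added = sorted(set(current) - set(approved))
    removed = sorted(set(approved) - set(current))
    changed = sorted(h for h in set(approved) & set(current) if approved[h] != current[h])
    return {"added": added, "removed": removed, "changed": changed}


def review_actions(diff: Dict[str, List[str]], current: Dict[str, Asset]) -> List[str]:
    """Translate each difference into the ISMS follow-up it requires."""
    actions: List[str] = []
    for h in diff["added"]:
        asset = current[h]
        # A new asset with no owner or classification cannot be risk-assessed yet.
        missing = [f for f in ("owner", "classification") if not getattr(asset, f)]
        note = f" (missing: {', '.join(missing)})" if missing else ""
        actions.append(
            f"ADDED {h}: assign owner and classification{note}, risk-assess, "
            "update the risk treatment plan and SoA"
        )
    for h in diff["removed"]:
        actions.append(
            f"REMOVED {h}: confirm decommissioning and secure disposal, retire its risks "
            "and review any SoA control it alone justified"
        )
    for h in diff["changed"]:
        actions.append(
            f"CHANGED {h}: verify the change went through change management; "
            "re-assess if owner or classification changed"
        )
    return actions


if __name__ == "__main__":
    approved = parse_register(APPROVED_REGISTER)
    current = parse_register(DISCOVERY_SCAN)
    for line in review_actions(diff_registers(approved, current), current):
        print(line)
```

Running it on the constructed data yields one action each for web02 (added, with owner and classification flagged as missing), fw01 (removed) and db01 (changed). Keeping the output as evidence alongside the updated register gives you something concrete to show the surveillance auditor for the "assets changed since last audit" question.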

User awareness should be an ongoing process. Avoid repeating the same material over and over again. Employees will be interested in knowing about the latest threats and:

• how those threats can impact the organization
• what measures have been taken to avoid the risk
• how the information security practices that have been implemented address such threats
• how much value they, as employees, have added

Never forget to check the effectiveness of the awareness sessions. You can conduct quizzes, scenario-based training programs, online training programs, etc., and make them mandatory by mapping individual performance directly to appraisals.

Internal audits should be carried out at regular intervals, as defined by your internal audit policy. There are different areas in which the audits have to be conducted; you will have experienced these during your certification audit. Some of the areas are listed below. For more details on what to look for under each of these areas, refer to my article "ISMS Implementation guide", posted on the same site.

• On floor audit
• Desktop audit
• Awareness audit
• Technical audit
• Social engineering

Other activities that should be carried out on a regular basis, apart from awareness, are:

• Fire drills
• Check for the expiry dates on fire extinguishers
• Penetration testing and vulnerability assessment
• Testing of the BCP implementation

The last item in this article is measuring the effectiveness of your implementation. Once controls are in place you need to know whether they are useful, valuable to the organization (including its employees) and effective. Evidence of this will also help you a great deal in your surveillance audit, by showing improvement.

How to measure the effectiveness of your controls is a topic by itself, and I look forward to writing an article on it at the earliest. In the meantime there is a document from the National Institute of Standards and Technology (NIST), SP 800-80, which is still at the draft stage. You can get this document from the following location. (Note that this draft was never finalized; NIST's current guidance on the subject is SP 800-55, Performance Measurement Guide for Information Security.)

Guide for Developing Performance Metrics for Information Security (Draft SP 800-80)