ISO In the Spotlight | Rachael Blakely from AuditComply

Written by: David Henderson on Jan 31, 2024

Our latest ISO In the Spotlight is Rachael Blakely, Office and Operations Manager at Belfast-based AuditComply.

We sat down with Rachael to chat about her role as ISO at AuditComply and to ask her about some of the challenges she sees when it comes to implementing and maintaining ISO27001.

Can you describe a challenging experience you had while implementing or maintaining ISO27001 compliance and how you overcame it?

When introducing a brand new standard to the company it’s kind of hard to know where to begin! Fortunately, Vertical Structure was able to guide us every step of the way. There is quite a bit of learning involved and also trying to figure out how you will be able to work the standard into your day-to-day processes. Fortunately, a lot of the building blocks are there but you really will need complete buy-in from your team to make it work. Start at the top and hopefully, everyone else will follow suit! From the start, explain the importance of implementing the standard and the benefits of certification for all departments and all people within the company and then make sure you inform the team at every stage of implementation: the successes and the failures. This way it becomes a team effort and not just the ISO's responsibility.

What emerging cyber security threats do you believe will have the most significant impact on businesses in the next year?

I think there is still quite a lot of naivety around AI and cyber security. I think we are going to see an increasing threat from that angle in the coming months!

How do you prioritise and manage risks in your company?

I’m in a fortunate position that AuditComply is a risk management platform so I was able to utilise our own tool to manage our risks. From the initial risks we mapped out in the audit preparation process I was able to build my risk library and then to offset that, the control library and over time have built on those foundations. From my risks and controls I can schedule out all my compliance activities (internal audits, management reviews etc.), tasks and other relevant assessments to manage our risks.

This helps me monitor my risks through the success of the controls in place and make amendments where necessary.

Using the analytics function on the platform I can also monitor my risks, making sure they are within my appetite range, see how they have performed throughout the year, whether the risk has decreased from its inherent scoring or, if it has increased, make changes to my controls to better control the risk.

What key qualities do you think are essential for effective leadership in information security, especially in the context of ISO27001 compliance?

Patience is definitely an essential quality; be patient with the process and with the team. It's a learning experience for everyone! Organisation is key:

  • Get yourself into a good routine with the ISMS activities
  • Don’t leave it all to a few weeks before an audit!

If you can schedule out your compliance activities on a monthly basis you can cover all the requirements of the standard in good time and it makes it all seem less overwhelming.

Can you share an instance where a security incident provided valuable insights or led to significant changes in your ISMS practices?

I think it's important to regularly review all of your IS incidents and events so you can recognise trends directly affecting your business. For us, phishing attempts have become more and more predominant. It's usually in response to posts about the business or colleagues on our LinkedIn pages. When we announce a new team member we find they are usually inundated with requests from the ‘CEO’.

Incidents like this really make us value the importance of cyber training and also building a healthy cyber awareness culture within the org, from day 1!

What advice would you give to someone starting their career in information security?

Try and educate yourself as much as possible (and as time allows) with webinars, YouTube, articles online and sign up to any relevant newsletters. There are so many great free resources out there!

As the landscape of IS is always changing and evolving, this will keep you in the loop.
