This week at Ctrl O we’ve had a visit from someone with such a specialist job, he’s called upon by businesses all over the world, from Singapore to Guatemala, Chicago, Australia and everywhere in between. Stuart Rowson is an information security auditor for the international standard called ISO 27001.
Information security (often known as infosec) refers to the processes and tools that businesses design and use to protect sensitive information from modification, disruption and destruction. The goal is to ensure the absolute safety and privacy of critical data, and it’s an ongoing process for businesses to make sure they keep all risks to a minimum. The ISO 27001 series sets out a framework for organisations to establish, implement and operate an information security management system (known as an ISMS).
“ISO Twenty-Seven Thousand and One does sound quite sci-fi,” Stuart says. “I’m a big nerd so that suits me. I was a huge Star Wars fan growing up - The Empire Strikes Back was my favourite film. I was in punk bands when I was younger and still go to a few gigs. Although I’m more into gaming now - cyberpunk.”
Being an information security auditor for ISO 27001 might appeal to the Star Wars fan in Stuart, but he admits it’s not a great opener at parties. “When people ask what I do, I say ‘don’t ask!’ Saying I’m an information security auditor is a bit of a conversation stopper - people just have no idea what that is. I sometimes say cyber security, which gets more nods of recognition, but I try and move the subject on if I can!” Indeed, cyber security is a part of information security, but there’s a lot more to it.
The core staff of Ctrl O head to the office in Yeovil, Somerset, for the day of the audit. This was to be an annual surveillance audit - there are 2 years of annual surveillance audits followed by a recertification audit, which takes place every 3 years. Our main recertification audit was successfully completed in June 2023. The purpose of the surveillance audit is to ensure that businesses are continuing to comply with the requirements of ISO 27001 and maintaining their ISMS procedures, such as carrying out effective internal audits, risk management, training, objective progression and so on.
With clients such as the Ministry of Defence and Ministry of Justice, having robust infosec is the bedrock of the business, and something the team takes very seriously.
Andy has brought his bike so he can cycle to and from the station at each end of the train journey, and he and John have gone through the guidelines in advance to check where we’re up to. It’s Carla’s first external audit. “Are you going to pass or fail us right here today?” she asks Stuart. He confirms he will be letting the team know on the day whether they have done enough to hold on to the certification. “You’re like the Simon Cowell of ISO 27001,” says Carla, “or maybe the man from Del Monte. Let’s hope you say yes.”
“I’ll certainly be asking a lot of questions,” he explains for Carla’s benefit, “to check you’re all doing everything you need to be doing. I’ll want to look through your documentation too. I’ll be going through risk management, training, management reviews, everything, to determine the infosec management system is still on track.”
Stuart asks things like “Can you update me on your security policy?”, at which point documents are discussed and sent over, and “Let’s talk about company risk - what have you outlined as your future potential risks?”, at which point a risk register is produced and discussed. It’s exactly how you’d imagine an ISO 27001 audit to be.
On a break, Carla asks Stuart more about his job. His company is called Wolf Infosec and Carla asks why. Stuart’s surname Rowson means “son of wolf”, he explains, and he has a wolf tattoo, plus he was wearing a wolf T-shirt on the day he registered, so it all made sense. He explains that he’s specifically a 27001 auditor. He achieved the ISO 27001 Lead Auditor qualification, enjoyed the course (particularly the role play elements) and considered that it could be a good career choice. It’s an in-demand role so he immediately received interest from companies, but it took a while to become a full-time auditor as there is a lot of additional training and experience of audits required before you’re trusted to perform audits independently.
“I only know 4 or 5 auditors like me, but thousands of companies need this audit,” he explained. He works with companies around 200 days of the year, with travelling in between. “I try and take a couple of extra days when I’m in interesting places, so I can see the area too.” He enjoys the variety of the work, meeting new people and seeing new areas.
Stuart also reviews our internal audit reports, and after around 6 hours of detailed discussions, a break for lunch and a fair few cups of tea, he tells us that our certification has been maintained. Despite putting in a lot of work before the audit, it’s still a relief to hear him say the words and know we’re on track. (We put on a poker face while he’s there, though. But there are a few dramatic “phews!” when he’s hit the road.)
Stuart is heading to Wales for his next audit, and the team are left talking about wolves, Star Wars, punk bands and tattoos. Anyone who says that information security is boring is clearly just not talking to the right people…
If you’d like to contact Stuart about his work, you can email him at sr@wolfinfosec.co.uk
See how LinkSpace could revolutionise your business process now with a free consultation and trial.
Ctrl O is a registered supplier on Digital Marketplace and is ISO27001 certified (Information Security Management).