Chapter 9. Testing

The ninth and final key to a successful ISMS implementation is testing – and testing everything, virtually to destruction. The principle is a simple one; so simple, in fact, that this will be the shortest of all the chapters in this book.

Your ISMS has to work in the real world. You’ve identified risks, you’ve deployed what appear to be appropriate controls, and you want to be sure of two things: first, that the controls work as intended and, second, that when they are overwhelmed (as, sooner or later, they will be) your emergency counter-measures also work. In other words, the PDCA approach applies to your overall ISMS deployment and also to the deployment of individual controls. Every control is planned and deployed, every ...

Get Nine Steps to Success: An ISO 27001 Implementation Overview now with the O’Reilly learning platform.
