1.Talk to each concerned employee irrespective of designation, or skill sets to gauge level of awareness, attitude and execution. These can be three different things.
High degree of technical skill sets, even in the domain of information security or know how, and irrespective of how responsible and knowledgeable a given individual may appear to be and how high in an organizational echelon, does not guarantee the existence of good attitudes about maintaining high standard of security for organization. We may need to watch out for those rebelling against compliance needs. Rogue natures can become contagious and may defeat the purpose of safeguarding programs.
2. Understanding the difference between habits and compulsions can tell whether causes are superficial, that is owing to individual malpractice or deep rooted: perhaps lurking in the organization’s processes, authority chains, and institutional knowledge.
3. Understand the processes related to assets whether capital or information, their users/roles, intended uses along their respective life cycles, to separate the intended versus the unintended. The later could be already existing in the processes, systems, and/or their users, or there could be large enough holes for such possibilities to develop and grow.
4. In doing above, follow the standard diligently to list all relevant controls with justifications as to why any given control is relevant versus it isn’t. This helps in structuring the process of gap analysis. Always refer to standards for definitions, and controls. Also, ensure that you/your company have a genuine license to use standards.
5. Lastly, be consistent with your assessment ratings. This is something which is always difficult to do. In fact there are statistical tests to measure this very quality. Inherent cognitive biases and sheer fatigue can lead to inconsistencies that tend to provide justification for rejection of an otherwise honest assessment.
To learn about ISO 27001 standard, please visit http://www.iso.org/iso/iso27001.