Sometimes things that seem very different can have surprising similarities. Like the joke; what is the similarity between a ladies foot and a rubber duck?

After completing a training on auditing information security (ISO27001) I found some surprising similarities with the Bayard Academy’s change management approach. Although the topics of security auditing and change management might seem very different, in both cases they are focused on stakeholder needs.  The success of a change project relies on understanding who the impacted parties are and what they need and expect.  When you know that you are able to give the stakeholders what they need, and can even measure it, using for example the Organisational Readiness tool, you can make the change with confidence.   On the other hand, the purpose of conducting an audit is to see if the organisation is doing what they are supposed to, but the definition of what they are supposed to do should be based on the needs of its stakeholders.  So when we do an audit for information security, we have to look at how the stakeholder needs have been defined.  In both cases, the list of stakeholders must be carefully selected and verified as complete; from local and international governments to even the cleaners who have access to the office. In both scenarios, communication is key.  It is important to communicate what will change or what was not compliant, but more importantly the message must be focussed on why.  When the ‘why’ question is understood, then the change or the audit will be successful.  The ‘why’ can be tuned for all the different stakeholders but the underlying purpose needs to be defined and understood from the top of the organisation to the bottom. Nine times out of ten, people are the reason that change is either a success or a failure, therefore it is very important to involve and engage with the people who are affected.  Only when the stakeholders are actively involved can the change process proceed.  The involvement of the stakeholders of an audit is also vital, because the success of an audit depends on the quality of the information received from the stakeholders. An audit is an opportunity for improvement, and if the reasons for the audit are communicated and the stakeholders are engaged, the result will be seen as a positive opportunity to improve the organisation and meet the stakeholder requirements; bringing with it an opportunity to change. An audit is often seen as a painful process where someone tells you what you are doing wrong, and changes are viewed with suspicion, but when the reason ‘why’ is clear and is aligned throughout the organisation, both changes and an audit can have very positive outcomes.  So the two different activities actually have many similarities. And the rubber duck and the ladies foot joke?  They both go “squeak” when you stand on them.  

Paul