Is ISO 27001 among the top ISO standards?
Do you know which ISO standards are the most popular? And whether ISO 27001 is among the most popular? There is both good and bad news for information security enthusiasts – ISO 27001 really is among...
How to choose a certification body
If you are implementing ISO 27001 or ISO 22301 (or any other ISO management standard), you’re probably wondering which certification body to hire. What are the criteria you should apply when making the...
ISO 22301 benefits: How to get your management’s approval for a business...
If you think your management loves to listen to you talk about your great idea for a disaster recovery site, or a perfect tool you’ve discovered for handling business continuity plans, you’re wrong –...
List of mandatory documents required by ISO 27001 (2013 revision)
With the new revision of ISO/IEC 27001 published only a couple of days ago, many people are wondering what documents are mandatory in this new 2013 revision. Are there more or fewer documents required?...
Infographic: New ISO 27001 2013 revision – What has changed?
Click here to register for a free webinar What’s new in ISO 27001 2013 revision: How to make a transition from ISO 27001 2005 revision.
How to make a transition from ISO 27001 2005 revision to 2013 revision
If you already implemented ISO 27001 2005 revision, you are probably thinking to yourself: “Oh no, now that the 2013 revision is published, we have to do it all over again.” Well, this is not quite...
How to address main concerns with ISO 27001 implementation
Last week I delivered two webinars on the topic of ISO 27001, and I have asked the attendees to send me their top concerns regarding ISO 27001 implementation before those webinars. I’ve summarized most...
ISO 27001 Case study for data centers: An interview with Goran Djoreski
DK: More than a year and a half has passed since you were certified by ISO 27001 – what are your impressions? Was it really worth it? GD: It was definitely worth it, since it turned out that an ISO...
NFPA 1600 vs. ISO 22301 – Similarities and differences
If you are a business continuity practitioner in the U.S., you’re probably wondering which standard to apply – NFPA 1600 or ISO 22301. After all, they are both business continuity standards, and they...
How to define activities when implementing business continuity according to...
In several places in ISO 22301, it is required to define the activities within the company; not only this, activities are a basic unit upon which the business impact analysis is made. So what are these...
How to approach an auditor in a certification audit
If you’re going for the certification audit, you are probably wondering how to approach the auditor. In my opinion, the most important thing is not to forget that auditors are only people, and no...
How to make an Internal Audit checklist for ISO 27001 / ISO 22301
If you are planning your ISO 27001 or ISO 22301 internal audit for the first time, you are probably puzzled by the complexity of the standard and what you should check out during the audit. So, you’re...
How to implement business impact analysis (BIA) according to ISO 22301
I’ve spoken to many business continuity practitioners, and most of them (both beginners and experts) are telling me that the most difficult part of ISO 22301 implementation is the business impact...
Practical use of corrective actions for ISO 27001 and ISO 22301
Is your company one of those that has no idea what the purpose of corrective actions is? Do you prepare your corrective actions only a couple of days prior to your certification audit? And do you think...
New book – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
As you may have heard, on December 19 I’ll publish my new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation. So, if you are a business continuity practitioner looking for some...
ISO 27000 series – What to expect in 2014
If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO27k series of standards. Since there are quite a lot of them (see the list here), it is a...
ISO 27001 gap analysis vs. risk assessment
Very often I see people confuse gap analysis with risk assessment – which is understandable, since the purpose of both is to identify deficiencies in their company’s information security. However, from...
Is the ISO 27001 Manual really necessary?
Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a...
Overview of ISO 27001:2013 Annex A
Annex A of ISO 27001 is probably the most famous annex of all the ISO standards – this is because it provides an essential tool for managing security: a list of security controls (or safeguards) that...
Setting the business continuity objectives in ISO 22301
Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most of the business continuity implementers have...
Which one to go with – Cybersecurity Framework or ISO 27001?
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If...
Why is management review important for ISO 27001 and ISO 22301?
Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one of the most misunderstood and most underappreciated elements of these standards....
Should your company go for the ISO 27001 / ISO 22301 certification?
If your company is in the process of ISO 27001 or ISO 22301 implementation, you are probably wondering whether to go for the certification. And, as you probably know, certification is not mandatory –...
Risk assessment vs. business impact analysis
If you are implementing ISO 27001, or especially ISO 22301 for the first time, you are probably puzzled with risk assessment and business impact analysis. What is their purpose? How are they different?...
The most popular ISO 27001 & ISO 22301 blog posts
This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have that many things to write about… And yet, the more I write, the more ideas I have – right now, I have...
ISO 31000 and ISO 27001 – How are they related?
Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001 implementation, this is not true. However, ISO 31000 could be quite useful for ISO 27001 implementation – it not only offers...
How to identify interested parties according to ISO 27001 and ISO 22301
One of the hot questions these days is related to clause 4.2 in both ISO 27001 and ISO 22301 – Understanding the needs and expectations of interested parties. Actually, their identification is not so...
Has the PDCA Cycle been removed from the new ISO standards?
Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA cycle?” And, on first sight, you might be misled because the standard really doesn’t...
Risk owners vs. asset owners in ISO 27001:2013
The 2013 revision of ISO 27001 introduced a new concept: the risk owner. Since this concept brought quite a lot of confusion with information security practitioners, here’s an explanation of what the...
How to organize initial risk assessment according to ISO 27001 and ISO 22301
Usually, the biggest headache companies have when starting to implement ISO 22301, and especially ISO 27001, is the risk assessment. And, interestingly enough, such a headache happens only when...
The basic logic of ISO 27001: How does information security work?
When speaking with someone new to ISO 27001, very often I encounter the same problem: this person thinks the standard will describe in detail everything they need to do – for example, how often they...
Information classification according to ISO 27001
Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is probably due to the fact...
How to perform training & awareness for ISO 27001 and ISO 22301
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also...
How to handle Asset register (Asset inventory) according to ISO 27001
Unfortunately, if you already developed a fixed asset register, it is not going to be enough to be compliant with ISO 27001 – the concept of asset inventory (sometimes called the asset register) in...
Major vs. minor nonconformities in the certification audit
If your company is considering going for the certification, it is always a good thing to know what to expect. Since nonconformities are one of the most important outcomes of the certification audit...
Roles and responsibilities of top management in ISO 27001 and ISO 22301
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security...
Lead Auditor Course vs. Lead Implementer Course – Which one to go for?
If you are just entering the world of ISO 27001 or ISO 22301, you’re probably considering going for some training. This is certainly a good idea; however, which course is better for you – Lead Auditor...
What is the job of Chief Information Security Officer (CISO) in ISO 27001?
It may sound rather funny, but ISO 27001 does not require a company to nominate a Chief Information Security Officer, or any other person who would coordinate information security (e.g., Information...
6-step process for handling supplier security according to ISO 27001
Since more and more data is being processed and stored with third parties, the protection of such data is becoming an increasingly significant issue for information security professionals – it’s no...
What has changed in risk assessment in ISO 27001:2013
Risk assessment has always been a hot topic, and especially now with the changes in the ISO 27001 2013 revision – there are many doubts as to whether the risk assessment you’ve done according to the...
How to maintain the ISMS after the certification
If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun. OK, but where do you start?...
How to become an ISO 27001 / ISO 22301 consultant
If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an attractive option. But what do you need to know, and what do you...
8 criteria to decide which ISO 27001 policies and procedures to write
If you’re just starting to implement ISO 27001 in your company, you’re probably in a dilemma as to how many documents you need to have, and whether to write certain policies and procedures or not....
Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)
Clause 4.1 is a completely new requirement in the 2013 revision of ISO 27001, and it has caused quite some confusion because it is rather vague. (By the way, there is very similar confusion with ISO...
Risk appetite and its influence over ISO 27001 implementation
Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those must include criteria for risk acceptance. Since these...
How to write ISO 27001 risk assessment methodology
Without a doubt, risk assessment is the most complex step in the ISO 27001 implementation; however, many companies make this step even more difficult by defining the wrong methodology (or by not...
How detailed should the ISO 27001 documents be?
When starting to write a policy or a procedure, you’re probably puzzled as to how lengthy it should be. And the truth is, ISO 27001 (as well as other ISO standards like ISO 20000, ISO 9001, ISO 14001...
List of free ISO 27001 and ISO 22301 resources
As you probably noticed, we recently launched the redesigned 27001Academy website; what you may not have noticed are all the free resources we offer on the website. Here they are: Basic explanation of...
How personal certificates can help your company’s ISMS
One of the greatest challenges in managing information security is assuring that people can handle information and execute security activities in a proper manner. Unprepared and untrained people can...
How to define the ISMS scope
ISMS scope is probably one of the hottest topics since the 2013 revision of ISO 27001 was published, because it introduces some new concepts like interfaces and dependencies. But, when thinking about...