New tool | *Advisera Assistant for Finding ISO 27001 Materials*
Advisera Assistant – a fast and efficient tool that determines what ISO tools you need in less than 30 seconds. Try it now:
Apr 05 2022
Build your career with ISO 27701 training
ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).
Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.
ITG Certified ISO 27701 PIMS Lead Implementer Training Course covers the key steps involved in implementing and maintaining an ISO 27701-compliant PIMS.
If you are already an ISO 27701 expert, have you considered developing your career as an auditor? ITG Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit program and conduct a PIMS audit against ISO 27701.
Enhance your privacy management with ISO 27701
ISO/IEC 27701 2019 Standard and Toolkit
Feb 15 2022
Train as an ISO 27001 auditor
| Certified ISO 27001 ISMS Lead Auditor Training Course |
ISO 27001 Lead Auditor is the qualification of choice for ISO 27001 professionals, recognized by employers worldwide.
Implementing and maintaining compliance with the Standard requires comprehensive knowledge of ISO 27001.
ITG Certified ISO 27001 ISMS Lead Auditor Training Course gives participants a solid understanding of the requirements of an ISO 27001 audit and the knowledge to ensure conformity to the Standard.
If you are already a qualified ISO 27001 auditor, enhance your career by taking ITG Certified ISO 27701 PIMS Lead Auditor Training Course, which will teach you how to conduct audits against ISO 27701, in line with international data protection regimes.
Enhance your privacy management with ISO 27701
ISO/IEC 27701 2019 Standard and Toolkit
ISO 27701 Standard
Jan 13 2022
ISO 27001 CyberSecurity Toolkit
| ISO 27001 certification requires organizations to prove their compliance with the Standard with appropriate documentation, which can run to thousands of pages for more complex businesses. But with the ISO 27001 Cybersecurity Toolkit, you have all the direction and tools at hand to streamline your project. |
 |
| ISO 27001 Cybersecurity Toolkit Accelerate your ISO 27001 cybersecurity project and benefit from ready-to-use policies and procedures. The toolkit includes: A complete set of mandatory and supporting documentation templates Helpful project tools to ensure complete coverage of the Standard Guidance documents and direction from expert ISO 27001 practitioners |
Dec 28 2021
Top 3 ITG ISO 27001 books
| Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*. |
 ISO 27001 controls – A guide to implementing and auditing |
| ISO 27001 controls – A guide to implementing and auditing Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001 Buy now |
 Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition |
| Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder. The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language. Buy now |
 Information Security Risk Management for ISO 27001/ISO 27002 |
| Information Security Risk Management for ISO 27001/ISO 27002Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits. Buy now |
Nov 12 2021
Implementing and auditing an Information Security Management System in small and medium-sized businesses
If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.
This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.
An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?
This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.
This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.
ISO 27001 Certification
ISO 27001 Gap Assessment
DISC InfoSec vCISO as a Service
Aug 26 2021
What is ISMS
Implementing an ISMS
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
ISO 27001 Risk Assessment and Gap Assessment
Aug 03 2021
ISO 27001 vs. ISO 27002: What’s the difference?
Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).
However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.
Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.
What is ISO 27001?
ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.
The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.
This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.
To meet these requirements, organisations must:
- Assemble a project team and initiate the project;
- Conduct a gap analysis;
- Scope the ISMS;
- Initiate high-level policy development;
- Perform a risk assessment;
- Select and apply controls;
- Develop risk documentation;
- Conduct staff awareness training;
- Assess, review and conduct an internal audit; and
- Opt for a certification audit.
What is ISO 27002?
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
This is because the Standard explains how each control works, what its objective is, and how you can implement it.
The differences between ISO 27001 and ISO 27002
There are three main differences between ISO 27001 and ISO 27001:
- Detail
If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.
Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.
- Certification
You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.
- Applicability
A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.
ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.
When you should use each standard
ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.
If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.
Learn the basics of information security
You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.
This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.
Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.
You’ll learn from expert information security consultants, as they explain:
- ISO 27001 management system documentation;.
- How to plan, scope and communicate throughout your ISO 27001 project; and
- The key steps involved in an ISO 27001 risk assessment.
Source: ISO 27001 vs. ISO 27002
Previous blog posts on ISO27k
Pentests are required for ISO 27001 or SOC2 audits
With ISO27001 how you should choose the controls needed to manage the risks
The importance of the Statement of Applicability in ISO 27001 – with template
Steps to implement ISMS (ISO 27001)
How FAIR & ISO 27001 Work Together
ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses
Jul 14 2021
Pentests are required for ISO 27001 or SOC2 audits
Apr 13 2021
ISO 27002 major revision
ISO is shaking up the familiar structure of the ISO 27001/27002 control framework after over 20 years of stability.
Originally published as British Standard BS 7799 Part 1 and 2 in the late 1990s, adopted as the ISO 17799 standard in 2000, and then renumbered as ISO 27001/27002, the name has changed a few times but the structure of the controls has remained intact until now.
Historically ISO has resisted major changes given that so many organizations globally have adopted ISO 27001/27002 for their security policies, security programs and certifications, and considering that numerous countries have adopted or incorporated them into their own national standards.
Publication of the final standard is expected to occur in the next year.
What is changing with the update to ISO 27002?
Apr 13 2021
With ISO27001 how you should choose the controls needed to manage the risks
Introduction and Background
As required by ISO27001 the risks identified in the risk assessment need to be ones that if they happened would result in the loss of Confidentiality Integrity and/or Availability (CIA) of information in the scope of the ISMS. As also required by ISO27001 those controls that are necessary to modify each risk need to be determined. Each risk gets a list of one or more controls.
This article gives some advice about how to choose/determine the controls for each risk and how control sets (e.g. Annex A, ISO27017, ISO27018, NIST CSF, CSA) can be used to help with this and as a quality check on the risk assessment.
What do we mean by necessary?
A good question!
“Needed to manage the risk”. Yes, I know that this just rephrases the word “necessary”….
In many cases this is a simple (or perhaps tricky!) matter of judgment but each control should be checked if it is necessary by asking questions like these:
- what effect this control has on the likelihood or impact of this risk? Only controls that have more than a negligible effect on the likelihood or impact should be designated as “necessary”.
- what would happen to this risk if this control is not in place or stops working properly? Your answer should be “the business continues to operate and deliver all its services but we have just increased the likelihood and/or impact of something going wrong that stops us delivering this service and/or gets in the way of meeting our objectives”. If this is not your answer then this control is unlikely to be “necessary” and should not be included.
Source: Main approaches to determining controls.
![Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own: The Plain English, Step-by-Step Handbook for Information Security Practitioners by [Dejan Kosutic]](https://m.media-amazon.com/images/I/51BN2rT3+yL.jpg)
Mar 27 2021
The importance of the Statement of Applicability in ISO 27001 – with template
The importance of the Statement of Applicability in ISO 27001 – with template
Chloe Biscoe 23rd March 2021
Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).
In this blog, we explain what an SoA is, why it’s important and how to produce one.
What is a Statement of Applicability?
An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.
Clause 6.1.3 of the Standard states an SoA must:
- Identify which controls an organisation has selected to tackle identified risks;
- Explain why these have been selected;
- State whether or not the organisation has implemented the controls; and
- Explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.
Which controls do you need to implement?
Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment.
These processes help organisations identify the risks they face, which they can match to the relevant control.
Annex A provides a useful outline of each control. Still, you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.
ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.
You’ll therefore benefit from having copies of both standards when creating your SoA.
Why is the Statement of Applicability important?
The SoA is a useful document for everyday operational use because it provides comprehensive coverage of your organisation’s information security measures.
You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.
This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and assess whether other controls might be more suitable.
Likewise, you can review why you chose to accept risks and determine whether the threat landscape has increased significantly enough to warrant a change.
An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use the document to demonstrate that your defences were the result of an ISO 27001-compliant risk assessment.
Completing the Statement of Applicability
Completing the SoA can seem like a daunting task, but there are a few things you can do to simplify the process.
For a start, you should consider delegating each part of the process to the relevant person. You can ask someone in the HR department to provide information regarding the way they process personal data, and do the same for IT, marketing and so on.
Breaking it down this way saves time – as you aren’t relying on one person or a small team to understand every part of your organisation. It also makes it easier to understand specific issues that your business faces.
Another way to simplify the SoA is by consulting ISO 27002. This is a supplementary standard that focuses on the information security controls that organisations might choose to implement.
These controls are listed in Annex A of ISO 27001, but whereas that document simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.
Finally, you should consider pooling together the documents you’ve created as part of your ISO 27001 implementation project – namely, the inventory of information assets, the risk assessment, the risk treatment plan.
Each of these documents provides a partial picture of your information security practices, but when you consider them altogether, you get a much clearer picture, which you can use to inform your SoA.
Save time writing your Statement of Applicability
Those looking for help creating their SoA should take a look at our ISO 27001 Toolkit.
The toolkit includes:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Simple dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.
Mar 07 2021
Steps to implement ISMS (ISO 27001)
Feb 25 2021
How FAIR & ISO 27001 Work Together
We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.
The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.
The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.
Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
Source: How FAIR & ISO 27001 Work Together
Measuring and Managing Information Risk: A FAIR Approach
Feb 24 2021
Cybersecurity Standards
Feb 11 2021
Is your business ready for the new world?
There is light at the end of the tunnel with Covid-19 and businesses will need to be ready for whatever it may bring. Perhaps not a business as usual or will it be a case of your customers may want to reduce their vendors and their services. In 2021 customers may want to do business with a vendor who secures their information and have a better chance of surviving disaster.
Embracing an ISO standard (ISO 27001/2) can help differentiate you from your competitors and show you as a business that can cope in this new world, using ISO standards as foundation will show the world what type of company you are, doing security stuff more efficiently, as well as effectively.
Working with DISC InfoSec who have 20 years’ experience in helping Businesses in the USA to successfully achieve ISO Certification by:
- Advice and Guidance throughout the implementation and certification process
- Risk assessment of existing Management System and Gap Analysis
- Design, build and assess a tailor-made compliant ISO Management System
- Write up all the Policies, Procedures and Flowcharts
- ISMS manual with all the relevant clauses
- Internal Auditor Instructions and training if required
- Registration and Certification with a certificating Body of your choice
At DISC InfoSec we use International Register of Certificating Auditors (QSA/BSI) qualified Lead Auditors to carry out your implementation to ensure successful Certification.
DISC InfoSec ISO 27001 Assessment
DISC InfoSec ISO 27001 Consultants
Contact DISC InfoSec for any question
ISO 27001 implementation Titles
Jan 27 2021
ISO Self Assessment Tools
ISO Self assessment tools list includes but not limited to Privacy, ISO 27001, ISO 9001 and ISO 14001 & ISO/IEC 27701 2019 Standard and Toolkit
Sep 27 2020
Enhance your privacy management with ISO 27701
ISO/IEC 27701:2019 provides guidance on data protection, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR.
The Standard integrates with the international information security management standard ISO/IEC 27001 to extend an ISMS (information security management system), enabling an organization to establish, implement, maintain and continually improve a PIMS (privacy information management system).
ITG pocket guide ISO/IEC 27701:2019: An introduction to privacy information management is an ideal primer for anyone implementing a PIMS based on ISO 27701.
Improve your privacy information management regimeCo-written by Alan Shipman, an acknowledged expert in the field of privacy and personal information and the project editor of ISO/IEC 27701, this pocket guide will help you understand the basics of privacy management, including:
|
|
ISO 27701 Gap Analysis Tool
Download a Security Risk Assessment Steps paper!
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Subscribe to DISC InfoSec blog by Email
👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet
Jul 26 2020
Information security, cybersecurity and privacy protection
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001 (DRAFT)
Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.
Source: ISO/IEC TS 27006-2 — Information security, cybersecurity and privacy protection
“Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices.”
ISO/IEC 27006 | Wikipedia audio article
httpv://www.youtube.com/watch?v=3Bd_VXgmZ_o
ISO/IEC 27701 2019 Standard and Toolkit
ISO 27001 self assessment Tools
Download a Security Risk Assessment Steps paper!
Subscribe to DISC InfoSec blog by Email
Take an awareness quiz to test your basic cybersecurity knowledge
DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
« Previous Page — Next Page »
