Sep 12 2022

The challenges of achieving ISO 27001

Category: ISO 27k | DISC @ 8:31 am

ISO 27001 is a widely-known international standard on how to manage information security.

In this Help Net Security video, Nicky Whiting, Director of Consultancy, talks about the challenges of achieving ISO 27001, a widely-known international standard.

ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.



Tags: iso 27001, iso 27002, ISO/IEC 27001

Oct 19 2015

New York Stock Exchange cybersecurity guide recommends ISO 27001

Category: ISO 27k | DISC @ 11:11 am

by Neil Ford

The New York Stock Exchange (NYSE) has released a 355-page guide to cybersecurity (Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers), written by more than 80 individual contributors representing organizations including Booz Allen Hamilton, Dell SecureWorks, Georgia Institute of Technology, the Internet Security Alliance, Rackspace Inc., the US Department of Justice Cybersecurity Unit, Visa, Wells Fargo, and the World Economic Forum.

This ‘definitive guide’ collects “the expertise and experience of CEOs, CIOs, lawyers, forensic experts, consultants, academia, and current and former government officials”, and “contains practical and expert advice on a range of cybersecurity issues including compliance and breach avoidance, prevention and response.”

“No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.”

Tom Farley, President, New York Stock Exchange

Among the report’s many opinions is one that we at IT Governance have maintained for a long time: the recommendation that organizations align their cybersecurity program with “at least one standard… so progress and maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. […] ISO/IEC 27001… is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards.”

All NYSE-listed company board members will receive a copy of the guide; if you are yet to receive your copy, it can be downloaded here >>

For more information on ISO 27001 and how it can help your organization with a best-practice cybersecurity posture, click here >>

“This is not simply an IT issue. It is a business problem of the highest level.”

Charles W. Scharf, CEO, Visa Inc.

ISO 27001 information security management

An information security management system (ISMS), as described by ISO 27001, provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures, out-of-date software solutions, and more.

Priced from only $659, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget, or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.

Tags: Information Security Management System, ISO/IEC 27001, NYSE

Aug 21 2015

Five ISO 27001 books you should read

Category: ISO 27k | DISC @ 9:14 am

Take a plunge into the world of ISO 27001 with these recommended reads


As a professional embarking on your first journey implementing ISO 27001, you are probably hungry for knowledge and eager to make progress. While starting a new project may be exciting, it can also be daunting if you lack relevant experience and cannot rely on internal support and guidance.

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Here are five books from IT Governance’s own ISO 27001 library that we believe can help ISO 27001 practitioners prepare for ISO 27001 implementation.

The Case for ISO 27001

As the title says, this book explains the business case for implementing ISO 27001 within an organisation. It highlights the importance and outlines the many benefits of the Standard, making it an ideal supporting document for developing an ISO 27001 project proposal.

The Case for ISO 27001 can be ordered from the IT Governance website.

IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the perfect manual for designing, documenting and implementing an ISO 27001-compliant ISMS, and seeking certification. Selected as the textbook for the Open University’s postgraduate information security course, this comprehensive book offers a systematic process and covers the main topics in depth.

Jointly written by renowned ISO 27001 experts Alan Calder and Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, sixth edition is due to be released 3 September 2015, and is now available for pre-order.

Nine Steps to Success

If you are looking for a concise, practical guide to implementing an ISMS and achieving ISO 27001 certification, consider obtaining a copy of Nine Steps to Success. Written from first-hand experience, it guides you through an ISO 27001 implementation project step by step, covering the most essential aspects, including gaining management support, scoping, planning, communication, risk assessment and documentation.

ISO 27001 Assessments Without Tears

With ISO 27001 certification being the final goal for most organisations implementing the Standard, the pressure is usually on the ISO 27001 practitioners to ensure that staff are prepared to answer tricky auditor questions. ISO 27001 Assessments Without Tears is a succinctly written pocket guide that explains what an ISO 27001 assessment is, why it matters for the organisation, and what individual staff should and should not do if an auditor chooses to question them.

ISO 27001 in a Windows Environment

Most ISO 27001 implementations will involve a Windows® environment at some level. Unfortunately, there is often a knowledge gap between those trying to implement ISO 27001 and the IT specialists trying to put the necessary best-practice controls in place using Microsoft®’s technical controls. Written by information security expert Brian Honan, ISO27001 in a Windows Environment bridges that gap and gives essential guidance to everyone involved in a Windows-based ISO27001 project.

Tags: Chief Information Security Officer, Computer security, Data center, Information Security Management System, ISO/IEC 27001

Nov 09 2014

When to use tools for ISO 27001/ISO 22301 and when to avoid them

Category: ISO 27k | DISC @ 8:54 pm


If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that is similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment

Aug 22 2014

Do it yourself solution for ISO27001 implementation

Category: ISO 27k | DISC @ 3:16 pm


ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


This package does not include certification fees, which are paid directly to the certification body.


The ISO 27001 do-it-yourself package contains:

  • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
  • The ISO 27002:2013 Standard, which is the code of practice that provides support for the implementation of information security controls for ISO27001.
  • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
  • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
  • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment

Jun 20 2014

ISO27001 2013 ISMS Gap Analysis Tool

Category: ISO 27k | DISC @ 12:09 pm

Gap Assessment Tool

To transition from ISO27001:2005 to ISO27001:2013 you may need a Gap Assessment Tool to prioritize your implementation plan.

The ISO27001 2013 ISMS Gap Analysis Tool quickly and clearly identifies the controls and control areas in which an organization does not conform to the requirements of the standard.

Available for immediate dispatch/download from IT Governance, this tool will further your understanding of ISO27001 and identify where you are and why you are not meeting the requirements of ISO27001.

ISO27001 2013 high level review for making the transition

Tags: Gap assessment tool, Information Security Management System, ISO/IEC 27001, Risk Assessment

May 15 2014

Cyber Resilience Implementation Suite

Category: BCP, Information Security, ISO 27k | DISC @ 11:15 am


Cyber security is not enough – you need to become cyber resilient


Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure, and reputation.

You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.

This specially-priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks, and minimize the damage of any that get through your cyber defenses.

The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Download your copy today

This suite includes:

Tags: business continuity, Computer security, Cyber Resilience, cyberwarfare, ISO/IEC 27001

May 10 2014

Information Security and ISO 27001-2013

Category: ISO 27k | DISC @ 9:38 pm


The perfect introduction to the principles of information security management and ISO27001:2013

Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

This pocket guide will help you to:

Make informed decisions

    By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

Ensure everyone is up to speed

    Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

Raise awareness among staff

    An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

Enhance your competitiveness

    Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

Download this pocket guide and learn how you can keep your information assets secure.



Tags: Information Security, Information Security Management System, isms, ISO/IEC 27001, Policy

Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security, Security Risk Assessment | DISC @ 11:30 am

Cyber Security Toolkit


Govern and manage Cyber Security risk with this unique comprehensive toolkit suite


There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the methodology developed by the UK’s Business Department to help organizations of all sizes secure their cyber defenses;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management

Nov 05 2013

When can we become certified to ISO/IEC 27001:2013?

Category: ISO 27k | DISC @ 8:39 pm

by Lewis Morgan @ ITG

At this moment in time, we can only provide an estimate which is based on the insight provided by Chair of the UK ISO/IEC 27001 User Group and Director of consultancy at IT Governance Ltd, Steve Watkins. Considering Steve’s position, we believe his estimates to be the best guidelines an organization can follow.

The following is directly taken from the ISO27001:2013 Transition Webinar by Steve Watkins

“It’s likely that as of 1st January 2014, certification bodies will be able to start the transition to the 2013 version of ISO27001 standard. If that is indeed the case, it’s likely to be that as of 30th September, no new ISO27001:2005 certificates can be issued. This means that by the end of September 2016 all ISO27001:2005 certificates should have transitioned to the 2013 version of the standard”

The image below further illustrates what Steve discussed on the webinar, including his suggestions in terms of what organizations should do next.

ISO27k timeline

Tags: Information Security Management System, ISO, ISO/IEC 27001

Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k, Security Risk Assessment | DISC @ 9:09 am


It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends: vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straightforward to use
  • Cost-effective route to assessing risks within your business

Download the definitive risk assessment tool >>


Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards

May 20 2013

A Guide to Data Security and ISO27001/ISO27002

Category: ISO 27k | DISC @ 1:39 pm


IT Governance 5: An International Guide to Data Security and ISO27001/ISO27002

This manual provides clear, unique guidance for both technical and non-technical managers. It details how to design, implement and deliver an ISMS that complies with ISO 27001.

Now in its fifth edition, this title has been fully updated to take account of the latest regulatory and technological developments, and the International Board for IT Governance Qualifications


Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO, ISO/IEC 27001, Risk Assessment

Mar 06 2013

Your Cyber Security Project

Category: cyber security | DISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management

Feb 25 2013


Category: ISO 27k, Pen Test | DISC @ 10:38 pm

penetration testing

Penetration testing (often called “pen testing” or “security testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS – from initial development through to on-going maintenance and continual improvement.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:

1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.

2. As part of the Risk Treatment Plan: ensuring that controls that are implemented do actually work as designed.

3. As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes; ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

The Basics of Hacking and Penetration Testing
This guide will show you how to undertake a penetration test or, as it is sometimes known, an ethical hack. The book focuses on how to hack one particular target, which allows you to see how the tools and phases of the pen test relate. Get your copy of The Basics of Hacking and Penetration Testing: ITG | eBay | Amazon

Penetration Testing – Protecting Networks and Systems
An essential guide to penetration testing and vulnerability assessment, which can be used as a Certified Penetration Testing Engineer Exam Prep Guide. Get your copy of Penetration Testing – Protecting Networks and Systems: ITG | eBay | Amazon

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Penetration test

Feb 12 2013

Why ISO 27001 certification should be a priority

Category: ISO 27k | DISC @ 10:34 pm

Why ISO 27001 certification is unavoidable

Nowadays, the ISO27001 standard has become an almost unavoidable factor in the field of information security. Compliance is unavoidable because most industries are heavily regulated. It seems that more legislation is on its way to redefine our actions on the internet. Because ISO 27001 requirements are largely a superset of other major standards and regulations, achieving ISO 27001 certification positions most organizations to be well on their way to meeting the requirements of PCI, SOX, HIPAA and GLBA.

Six main benefits of Information Security Management System based on ISO 27001 specifications

1. Business managers of the organization will make informed decisions regarding potential risk and should be able to demonstrate compliance with standards and regulations such as SOX, GLBA, HIPAA and DPA for their critical information on a regular basis.

2. An ISMS is a defensive mechanism against any APT (advanced persistent threat), minimizing the impact of these external threats and of various cybercrime.

3. Informed information security decisions will be made based on risk assessment to implement technical, management, administrative and operational controls, which is the most cost-effective way of reducing risk. The highest-priority risks are tackled first to attain the best ROI in information security.

4. Information security is not an IT responsibility; in general, everybody in an organization is responsible for protecting information assets, and more specifically the business manager. The business manager may delegate their responsibility.

5. The organization will improve credibility and trust among internal stakeholders and external vendors. Credibility and trust are the key factors in winning business.

6. An ISMS raises awareness of information security risks throughout the business, involves all employees throughout the organization, and therefore lowers the overall risk to the organization.

Related Books, Standards and Tools you may need to achieve ISO 27001 certification

Nine Steps to Success: an ISO 27001 Implementation Overview
“It’s like having a $300/hr consultant at your elbow as you consider the aspects of gaining management support, planning, scoping, communication, etc…” Thomas F. Witwicki (review)

IT Governance: An International Guide to Data Security and ISO27001/ISO27002
Covers simply everything you need to know about information security and ISO27001. It is also the UK’s Open University’s post-graduate information security textbook. All aspects of data protection / information security are covered including viruses, hackers, online fraud, privacy regulations, computer misuse, investigatory powers etc.

ISO27000 Standards
Official standards available in hardcopy and downloadable formats.

Standalone ISO 27001 ISMS Documentation Toolkit
This toolkit contains all the documents, procedures and templates you need to massively simplify your progress to certification. It will save you months of work, help you avoid costly trial-and-error dead-ends and ensure everything is covered to the current ISO 27001 standard.

Tags: Corporate governance of information technology, Information Security, Information Security Management System, ISO/IEC 27001, Risk Assessment

Jan 31 2013

New Draft ISO27001 and ISO27002 Standards

Category: ISO 27kDISC @ 2:26 pm

Check out the ITG site for details

Industry Update

It has been announced that new Drafts of the two international information security standards ISO27001 (ISMS Requirements) and ISO27002 (Code of Practice) have been published.

These Drafts have been published for the purpose of public consultation. As these are international standards, the consultation process operates internationally, via national standards bodies.

Anyone can comment on the proposed standard and all the comments will then be assembled and reviewed by the committee. The public consultation period closes on 23 March 2013.

To help you understand the proposed changes and implications of these new draft standards we have created an information page.

Click here to read in full about the ISO27001/ISO27002: 2013 Draft Standards

You can also purchase your own copies of the draft standards here:

We will keep you updated with the progress of these standards. Once the new standards are officially published, the existing standards will be withdrawn; however, there will be a transition timetable that enables organisations to move from the existing standard to the new one.

Tags: Information Security Management System, International standard, ISO, ISO/IEC 27001, ISO/IEC 27002

Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk AssessmentDISC @ 11:08 pm


To start with a definition of risk: risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.

The risks we deal with for information assets are mostly those from which only loss can occur, which may be one of the reasons why it’s hard for security professionals to justify ROI for security controls. By comparison, business risks are associated with either a profit or a loss. As we know, business folks make decisions on risks on a daily basis; it’s easier to make a decision for profit’s sake than on a loss. So increased risk to an information asset will decrease the value of the asset or will harm the organization’s bottom line in some way.

To minimize the loss to an information asset, an organization may decide to treat the higher-risk assets, which are above the accepted risk threshold, in one of the following four ways:

1. Eliminate the risks
2. Reduce the risk to an acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

• Determine the risk methodology and the level of acceptable (residual) risk
• Identify assets and who owns them
• Identify the value of each asset
• Identify threats to each asset
• Identify vulnerabilities that each threat may exploit
• Estimate the likelihood of the threat exploiting the vulnerability
• Finally, determine the risk to the security of individual assets by combining impacts and likelihoods

Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management

Jan 17 2013

Project Planning outline for (ISO 27001) ISMS

Category: ISO 27kDISC @ 11:55 am

The project planning process includes steps to estimate the size of the project, estimate the scope of the effort and resources, assess project risks, and produce an acceptable schedule after negotiating with the control owner.

The steps below provide a bullet list of the project plan outline phases and action items of an ISMS (ISO 27001). This is not the project plan, but rather a description of the project plan, so the detail is high level. However, this document defines the project and requires formal sign-off; therefore, be as accurate as possible, because any variations may require a formal project change, which adds to schedule and cost.

A generic ISO 27001 project outline includes the following:
Project Initiation, Scope of the Project, Risk Assessment Methodology, Asset Register, Risk Assessment, Risk Treatment Plan, Statement of Applicability relevant to risk, Management approval for the Project outline. These steps are outlined in the figure above.

When an individual is assigned as project manager for a project, their success is determined by the complexity of the given project. Due to a lack of necessary skills, project managers are sometimes changed in the middle of the project. So what are the necessary skills that will determine the success of the project manager? Below are some of the skills needed to run a successful ISO 27001 project.

• Possess outstanding communication skills for all the stakeholders involved
• Be highly organized and an effective team leader
• Know how to negotiate between cross-functional teams
• Be resource-oriented, a problem solver, and understand the relevant infrastructure

Must Read Project Management Books
1. A guide to the Project Management body of Knowledge 5th edition

2. The Concise Prince2

3. 50 Top IT Project Management Challenges

4. Prince 2 2009 manual

Tags: Information Security Management System, ISO/IEC 27001, Project Management, Project manager, Project plan, Project planning, Risk Assessment, Scope (project management)

Dec 11 2012

Monitoring and reviewing third party InfoSec services

Category: ISO 27k,Vendor AssessmentDISC @ 12:25 pm

Control A10 of ISO 27001 mandates that the outsourcing organization monitor and review the performance of the third-party service provider on a regular basis, which includes contractors working on critical assets within the scope. A Service Level Agreement (SLA) or Operation Level Agreement (OLA) is the binding legal agreement that includes all the important services needed to fulfil the information security and compliance requirements of an organization.

The contract with the service provider should require standard reports on a regular basis, which should be reviewed at least monthly in meetings attended by the staff and management responsible for the services. In these meetings, management should ensure that contractual requirements have been met by the service provider.

Key management responsibilities should include, but are not limited to, the following:

• The outsourcing organization should decide which key metrics will be created to monitor the performance of the service provider, which will ensure that contractual clauses are met consistently.
• For information security related services, reviewing all incidents for a specified period (at least once a month) to make sure they have been included in the organization’s treatment plan for appropriate corrective actions based on the organization’s risk priority.

Related Articles and Info.

ISO 27001 is the litmus test for information security
Live Webinars feed for Governance, Risk and Compliance

Tags: Contract, Information Security, ISO/IEC 27001, Operational-level agreement, Service-level agreement, SLA

Nov 27 2012

New ISO27013 Standard helps integrate ISO27001 with ISO20000

Category: ISO 27kDISC @ 2:27 pm

IT Governance Ltd, the global leader in IT governance, risk management and compliance, has announced that the highly anticipated ISO27013:2012 Standard has been published and is now available to buy from the company’s online shop at ITG.

ISO27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 – two of the world’s leading and highly regarded standards. ISO/IEC 27001 deals with information security management systems (ISMS) and practically provides organisations with a powerful framework for sharing best practice and guidance on protection from cybercrime. ISO/IEC 20000-1:2011 is the international IT Service Management standard which enables organisations to ensure that their IT service management processes are aligned with the needs of the business.

The ISO27013:2012 Standard has been designed to help organisations implement both standards together, or implement one when one is already within the organisation. By doing this organisations can achieve increased customer satisfaction, competitive advantage, improved business operations and considerable cost-savings over time.

Organisations can purchase the ISO/IEC 20000-2:2012 and ISO 27013 from IT Governance.

Tags: Information Security Management System, International Organization for Standardization, isms, ISO 27013, ISO/IEC 20000, ISO/IEC 27001
