How to address opportunities in ISO 27001 risk management using ISO 31000

Rhand Leal | April 13, 2018

Businesses are full of risks, and organizations should do their best to identify, evaluate, and treat all of them – or at least the most relevant ones. This is called risk management, which can vary from subconscious decisions to fully aware choices based on complex methodologies and data arrangements. But, …

How to perform background checks according to ISO 27001

Rhand Leal | March 26, 2018

“The human factor is the weakest link in the security.” How many times have we already heard this sentence? How many stories have we already heard about security incidents caused by human failure or inaction? In an effort to minimize this situation, organizations all around the world have been working …

Can ISO 27001 help your organization in a DDoS attack?

Rhand Leal | December 4, 2017

In a connected world where hundreds of transactions are made every minute, every second your systems are down or inaccessible may represent a significant impact on your organizations’ business. And, while prevention of infrastructure failures is an immediate and obvious concern for decision makers, a more subtle and insidious threat …

How can ISO 27001 help you comply with SOX section 404

Rhand Leal | November 21, 2017

A number of high-profile corporate and accounting scandals collapsed several big players like Enron and WorldCom, and played havoc on global investment market. In the wake of these scandals, U.S. SOX law was introduced to restore public confidence of financial information released by public organizations. The laws required new levels …

Organizational Resilience – Positioning Against ISO 22301-Based Business Continuity

Wolfgang Mahr | November 8, 2017

Approaches and methods to successfully and sustainably run businesses are being rapidly developed. Recently, the term of Organizational Resilience was interpreted as being the new expression for the term Business Continuity. According to industry sources, based on recent ISO standardization work (ISO 22316:2017), Organizational Resilience is an all-encompassing concept that …

European 2017 Revision of ISO/IEC 27001: What has changed?

Rhand Leal | October 25, 2017

Released at the beginning of April 2017 by BSI (the British Standards Institution), the standard BS EN ISO/IEC 27001:2017 is a corrigendum over previous standard BS ISO/IEC 27001:2013. It has raised some concern among organizations with Information Security Management Systems certified against ISO 27001, the leading ISO standard for information …

How to perform an ISO 27001 second-party audit of an outsourced supplier

Rhand Leal | October 10, 2017

To focus on their core business, many organizations rely on outsourced suppliers to perform support processes. While this approach may bring benefits like costs savings, and access to expert knowledge and state-of-the-art technology, it can also involve risks related to loss of control over how these processes are performed and …

How can ISO 27001 and ISO 22301 help with critical infrastructure protection?

Antonio Jose Segovia | September 25, 2017

The European Council Directive 2008/114/EC of December 8, 2008, is a European Directive for the identification and designation of critical European infrastructures and the assessment of the need to improve their protection. It states: Critical infrastructure means an asset, system or part thereof … which is essential for the maintenance …

ISO 27001 vs. Cyber Essentials: Similarities and differences

Rhand Leal | September 11, 2017

In the Internet environment, big, medium, and small businesses all face similar risks, and many regulatory demands enforce information protection, but differences in resources and knowledge often result in data breaches because of the failure to implement basic security measures. To help handle such situations, the government in the United …

7 ways to improve the internal audits of your ISO 27001 ISMS

Hannah Churchman | August 28, 2017

ISO 27001:2013 states that the purpose of the internal audit is to check compliance against both “the organization’s own requirements … and the requirements of this International Standard.” Aside from being a necessity of the standard, internal audits are important for several other reasons: Internal audits identify and rectify any …

How to gain employee buy-in when implementing cybersecurity according to ISO 27001

Hannah Churchman | July 3, 2017

In the majority of organizations, change is embraced by senior management, but feared by employees. In the case of implementing ISO 27001, a committed senior management team (SMT) can understand clearly the benefits that an Information Security Management System (ISMS) will bring, such as decreased risk of business disruption, enhanced …

Which security clauses to use for supplier agreements?

Rhand Leal | June 19, 2017

Running a business on your own these days is practically impossible. Maintaining high levels of performance in every aspect of your business to stay competitive means draining precious resources that would be better invested in business growth and diversification. Thus, using suppliers becomes an attractive alternative. But, while suppliers are …

Using ISO 22301 business continuity practices to support mass public events

Wolfgang Mahr | June 5, 2017

Managing public events with hundreds or thousands of people is a challenge, as disruptions of these events may result in huge material losses or even loss of life. We face the classic situation where disruptions may lead to unforeseeable consequences. As such, a business continuity approach based on ISO 22301 appears …

Defining the ISMS scope if the servers are in the cloud

Rhand Leal | May 22, 2017

In the article How to define the ISMS scope we show that scope definition of an Information Security Management System (ISMS) requires clear understanding about what to protect to minimize risks of information compromise, and servers implemented in cloud environments are an extra challenge in this critical step of the …