Which security clauses to use for supplier agreements?

Rhand Leal | June 19, 2017

Running a business on your own these days is practically impossible. Maintaining high levels of performance in every aspect of your business to stay competitive means draining precious resources that would be better invested in business growth and diversification. Thus, using suppliers becomes an attractive alternative. But, while suppliers are …

Using ISO 22301 business continuity practices to support mass public events

Wolfgang Mahr | June 5, 2017

Managing public events with hundreds or thousands of people is a challenge, as disruptions of these events may result in huge material losses or even loss of life. We face the classic situation where disruptions may lead to unforeseeable consequences. As such, a business continuity approach based on ISO 22301 appears …

Defining the ISMS scope if the servers are in the cloud

Rhand Leal | May 22, 2017

In the article How to define the ISMS scope we show that scope definition of an Information Security Management System (ISMS) requires clear understanding about what to protect to minimize risks of information compromise, and servers implemented in cloud environments are an extra challenge in this critical step of the …

Case study: ISO 27001 implementation in an IT system integrator company

Aleksandra Gakidova | May 8, 2017

For any major change in our lives, whether professional or personal, there are questions that come up before taking the first step. Here are just a few of the questions that you may face before making the decision to implement the ISO 27001 standard: Why do we need the certification? Where …

How ISO 27001 can help suppliers comply with U.S. DFARS 7012

Rhand Leal | April 24, 2017

DFARS 7012 is an example of how customers’ concerns about protecting their information in the custody of suppliers and outsourced services has led to the establishment of ever more complex security requirements for those who wish to work with them. And, this increase in customer compliance demands has also increased …

The 3 key challenges of ISO 27001 implementation for SMEs

Hannah Churchman | April 17, 2017

With thousands of organizations certified against ISO 27001, and hundreds of others working according to the principles, organizations recognize the benefits of implementing an Information Security Management System. From helping to maintain legal and regulatory compliance, to demonstrating credibility and trust to customers, to reducing the likelihood of a security …

How to demonstrate resource provision in ISO 27001

Rhand Leal | April 10, 2017

The availability of resources is a critical point in any endeavor. You can have the best ideas and the best intentions, but if you lack resources you are doomed to failure. So, it may seem strange that ISO 27001, the leading ISO standard for implementation of Information Security Management Systems, …

What to implement first: ISO 22301 or ISO 27001?

Wolfgang Mahr | April 3, 2017

Implementing ISO management system standards, even with the help of toolkits and consultants, may be a challenging task. In practice, sometimes it seems appropriate to enhance preparedness and protection in several areas of an organization, covering multiple processes and disciplines. While a security-oriented approach demanding an immediate protection from a …

How to use Scrum for the ISO 27001 implementation project

Antonio Segovia | March 27, 2017

Scrum is a framework, based on the Agile method, mainly used in software development. Originally, it was developed for complex product development, and there are many companies in the world that currently use this framework for various projects. Due to the three basic pillars of Scrum (i.e., transparency, inspection, and …

How to apply information security controls in teleworking according to ISO 27001

Rhand Leal | March 22, 2017

Allowing employees to work away from the office, i.e., outside of the physical premises of the organization (otherwise known as “teleworking”) is becoming a common practice in the way to do business today. The ability to work remotely is seen as both a source of incentive for an employee’s productivity …

Should information security focus on asset protection, compliance, or corporate governance?

Dejan Kosutic | March 13, 2017

Traditionally, information security has been perceived as an activity that was built around protecting sensitive information assets – after all, this is what the first (2005) revision of ISO 27001, and its predecessor BS 7799-2, also emphasized. These standards required companies to identify all the assets, and then build the …

Qualitative vs. quantitative risk assessments in information security: Differences and similarities

Rhand Leal | March 6, 2017

In the risk assessment process, one common question asked by organizations is whether to go with a quantitative or a qualitative approach. The good news is that by using both approaches you can, in fact, improve your process efficiency towards achieving desired security levels. This article will present the concepts …

Business Continuity Management vs. Information Security vs. IT Disaster Recovery

Wolfgang Mahr | February 27, 2017

For outsiders, it’s not easy to distinguish among the specific purposes of Business Continuity Management (BCM), Information Security (IS), and IT Disaster Recovery (IT DR). All three areas have something to do with “security,” “losses,” “disasters,” and “protection.” Read on to learn more about the particular roles of disciplines often …

Aligning information security with the strategic direction of a company according to ISO 27001

Dejan Kosutic | February 20, 2017

There is one requirement of ISO 27001 that is very rarely mentioned, and yet it is probably crucial for the long-term “survival” of an Information Security Management System (ISMS) in a company: this is the requirement from clause 5.1 that says that top management needs to ensure that the information security …