Roles and responsibilities of top management in ISO 27001 and ISO 22301

Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security / business continuity in their companies? OK, you probably knew that. But, what are these responsibilities, …


Major vs. minor nonconformities in the certification audit

If your company is considering going for the certification, it is always a good thing to know what to expect. Since nonconformities are one of the most important outcomes of the certification audit (and the most unpleasant), it is probably in your best interest to understand what they are all …


How to perform training & awareness for ISO 27001 and ISO 22301

Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also their peers. This is due to the fact that the employees usually do not understand what information security or …


Information classification according to ISO 27001

Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is probably due to the fact that historically, information classification was the first element of information security that was being managed – long before …


How to organize initial risk assessment according to ISO 27001 and ISO 22301

Usually, the biggest headache companies have when starting to implement ISO 22301, and especially ISO 27001, is the risk assessment. And, interestingly enough, such a headache happens only when doing this for the first time – which means that risk assessment doesn’t have to be difficult once you know how …


Has the PDCA Cycle been removed from the new ISO standards?

Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA cycle?” And, on first sight, you might be misled because the standard really doesn’t mention the Plan-Do-Check-Act cycle explicitly; but, you should read the standard a bit more carefully… Annex …


ISO 31000 and ISO 27001 – How are they related?

Contrary to popular belief, ISO 31000 is not mandatory for ISO 27001 implementation. However, ISO 31000 could be quite useful for ISO 27001 implementation – it not only offers a couple of good guidelines, but it also gives a strategic context for managing (information …


The most popular ISO 27001 & ISO 22301 blog posts

This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have that many things to write about… And yet, the more I write, the more ideas I have – right now, I have at least 10 new topics in mind. But …


Why is management review important for ISO 27001 and ISO 22301?

Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one of the most misunderstood and most underappreciated elements of these standards. In practice, this review is usually done only to satisfy the certification auditor, but by doing so a great …


Which one to go with – Cybersecurity Framework or ISO 27001?

On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If you already came across ISO 27001, you’re probably wondering: What does this Framework have to do with ISO 27001? Should you use one over the …


Setting the business continuity objectives in ISO 22301

Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most of the business continuity implementers have problems like these: Which types of objectives exist? What are they used for? How are they set? Let’s see… Purpose of business …


Is the ISO 27001 Manual really necessary?

Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential clients because I told them that we do not have such a document and that we do not recommend it. Even worse, I heard some …


ISO 27000 series – What to expect in 2014

If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO27k series of standards. Since there are quite a lot of them (see the list here), it is a good idea to keep an eye on the upcoming changes. As I mentioned …


New book – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation

As you may have heard, on December 19 I’ll publish my new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation. So, if you are a business continuity practitioner looking for some tips on how to implement this standard, here’s a brief overview of the book so that you …
