Roles and responsibilities of top management in ISO 27001 and ISO 22301
Dejan Kosutic
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the...
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security /...
Major vs. minor nonconformities in the certification audit
If your company is considering going for the certification, it is always a good thing to know what to expect....
If your company is considering going for the certification, it is always a good thing to know what to expect. Since nonconformities are one of the most important outcomes of the certification audit (and the...
How to perform training & awareness for ISO 27001 and ISO 22301
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t...
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also their peers. This is...
How to classify information according to ISO 27001 in four steps
Updated: November 14, 2022., according to ISO 27001:2022 revision. Classification of information is certainly one of the most attractive parts of...
Updated: November 14, 2022., according to ISO 27001:2022 revision. Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is...
Has the PDCA Cycle been removed from the new ISO standards?
Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA...
Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA cycle?” And, on first sight, you might be misled because the standard really doesn’t mention...
ISO 31000 and ISO 27001 – How are they related?
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001...
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001 implementation, this is not true. However, when comparing ISO 27001 vs. ISO 31000, the latter...
The most popular ISO 27001 & ISO 22301 blog posts
This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have...
This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have that many things to write about… And yet, the more I write, the more ideas...
Why is management review important for ISO 27001 and ISO 22301?
Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one...
Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one of the most misunderstood and most underappreciated elements of these standards. In practice, this review...
NIST Cybersecurity Framework or ISO 27001 – Which is the better choice for your company?
Rhand Leal
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly...
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If you already came across ISO 27001, you’re probably wondering: What...
Setting the business continuity objectives in ISO 22301
Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301...
Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most of the business continuity implementers have problems like these: Which types of objectives...
Is the ISO 27001 Manual really necessary?
Updated: January 20, 2025, according to the ISO 27001:2022 revision. Sometimes I receive questions on whether the ISO 27001 Manual...
Updated: January 20, 2025, according to the ISO 27001:2022 revision. Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential...
What is the ISO 27000 series?
Updated: November 16, 2023. If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent...
Updated: November 16, 2023. If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO/IEC 27000-series of standards. Since there are quite a lot of them (see...
New book – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
As you may have heard, on December 19 I’ll publish my new book Becoming Resilient: The Definitive Guide to ISO...
As you may have heard, on December 19 I’ll publish my new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation. So, if you are a business continuity practitioner looking for some tips on...
How to define activities when implementing business continuity according to ISO 22301
In several places in ISO 22301, it is required to define the activities within the company; not only this, activities...
In several places in ISO 22301, it is required to define the activities within the company; not only this, activities are a basic unit upon which the business impact analysis is made. So what are...
NFPA 1600 vs. ISO 22301 – Similarities and differences
If you are a business continuity practitioner in the U.S., you’re probably wondering which standard to apply – NFPA 1600...
If you are a business continuity practitioner in the U.S., you’re probably wondering which standard to apply – NFPA 1600 or ISO 22301. After all, they are both business continuity standards, and they both have...
