How to create a Communication Plan according to ISO 27001
Jean-Luc Allard
Communicating is a key activity for any human being. This is also the case for an organization. It helps through...
Communicating is a key activity for any human being. This is also the case for an organization. It helps through exchanging the most correct information to the best audience and at the best moment. It...
How personal certificates can help your company’s ISMS
Rhand Leal
One of the greatest challenges in managing information security is assuring that people can handle information and execute security activities...
One of the greatest challenges in managing information security is assuring that people can handle information and execute security activities in a proper manner. Unprepared and untrained people can pose a risk to information, and...
List of free ISO 27001 and ISO 22301 resources
Dejan Kosutic
As you probably noticed, we recently launched the redesigned 27001Academy website; what you may not have noticed are all the...
As you probably noticed, we recently launched the redesigned 27001Academy website; what you may not have noticed are all the free resources we offer on the website. Here they are: Basic explanation of ISO 27001 and...
How detailed should the ISO 27001 documents be?
When starting to write a policy or a procedure, you’re probably puzzled as to how lengthy it should be. And...
When starting to write a policy or a procedure, you’re probably puzzled as to how lengthy it should be. And the truth is, ISO 27001 (as well as other ISO standards like ISO 20000, ISO 9001, ISO...
Risk appetite and its influence over ISO 27001 implementation
Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those...
Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those must include criteria for risk acceptance. Since these criteria have direct influence on how organizational...
8 criteria to decide which ISO 27001 policies and procedures to write
If you’re just starting to implement ISO 27001 in your company, you’re probably in a dilemma as to how many documents you...
If you’re just starting to implement ISO 27001 in your company, you’re probably in a dilemma as to how many documents you need to have, and whether to write certain policies and procedures or not. Criteria for...
How to become an ISO 27001 / ISO 22301 consultant
If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an...
If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an attractive option. But what do you need to know, and what do you need to...
How to maintain the ISMS after the certification
If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with...
If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun. OK, but where do you start?...
6-step process for handling supplier security according to ISO 27001
Updated: March 22, 2023, according to the ISO 27001 2022 revision. Since more and more data is being processed and...
Updated: March 22, 2023, according to the ISO 27001 2022 revision. Since more and more data is being processed and stored with third parties, the protection of such data is becoming an increasingly significant issue...
Lead Auditor Course vs. Lead Implementer Course – Which one to go for?
If you are just entering the world of ISO 27001 or ISO 22301, you’re probably considering going for some training....
If you are just entering the world of ISO 27001 or ISO 22301, you’re probably considering going for some training. This is certainly a good idea; however, which course is better for you – Lead...
Roles and responsibilities of top management in ISO 27001 and ISO 22301
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the...
Did you know that, in most cases, failure to implement ISO 27001 or ISO 22301 was directly related to the fact that top management did not want to assume their responsibilities for information security /...
Major vs. minor nonconformities in the certification audit
If your company is considering going for the certification, it is always a good thing to know what to expect....
If your company is considering going for the certification, it is always a good thing to know what to expect. Since nonconformities are one of the most important outcomes of the certification audit (and the...
How to perform training & awareness for ISO 27001 and ISO 22301
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t...
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also their peers. This is...
How to classify information according to ISO 27001 in four steps
Updated: November 14, 2022., according to ISO 27001:2022 revision. Classification of information is certainly one of the most attractive parts of...
Updated: November 14, 2022., according to ISO 27001:2022 revision. Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is...
Has the PDCA Cycle been removed from the new ISO standards?
Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA...
Lately I’ve been receiving (too) many questions asking, “Why did the new revision of ISO 27001 cut out the PDCA cycle?” And, on first sight, you might be misled because the standard really doesn’t mention...
ISO 31000 and ISO 27001 – How are they related?
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001...
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001 implementation, this is not true. However, when comparing ISO 27001 vs. ISO 31000, the latter...
The most popular ISO 27001 & ISO 22301 blog posts
This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have...
This is my 100th blog post! When I started this blog four years ago, I never dreamed I would have that many things to write about… And yet, the more I write, the more ideas...
Why is management review important for ISO 27001 and ISO 22301?
Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one...
Like some other clauses in ISO 27001 and ISO 22301, clause 9.3, which defines requirements for management review, is one of the most misunderstood and most underappreciated elements of these standards. In practice, this review...
NIST Cybersecurity Framework or ISO 27001 – Which is the better choice for your company?
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly...
On February 12, 2014, the National Institute of Standards and Technology (NIST) published Framework for Improving Critical Infrastructure Cybersecurity, commonly known as Cybersecurity Framework. If you already came across ISO 27001, you’re probably wondering: What...
Setting the business continuity objectives in ISO 22301
Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301...
Business continuity objectives are, along with the business impact analysis, probably one of the most difficult elements of ISO 22301 implementation. Most of the business continuity implementers have problems like these: Which types of objectives...
