Is the ISO 27001 Manual really necessary?
Updated: January 20, 2025, according to the ISO 27001:2022 revision. Sometimes I receive questions on whether the ISO 27001 Manual is required by the standard, and how to write it. I even lost some potential...
What is the ISO 27000 series?
Updated: November 16, 2023. If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO/IEC 27000-series of standards. Since there are quite a lot of them (see...
New book – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
As you may have heard, on December 19 I’ll publish my new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation. So, if you are a business continuity practitioner looking for some tips on...
How to define activities when implementing business continuity according to ISO 22301
In several places in ISO 22301, it is required to define the activities within the company; not only this, activities are a basic unit upon which the business impact analysis is made. So what are...
NFPA 1600 vs. ISO 22301 – Similarities and differences
If you are a business continuity practitioner in the U.S., you’re probably wondering which standard to apply – NFPA 1600 or ISO 22301. After all, they are both business continuity standards, and they both have...
ISO 27001 Case study for data centers: An interview with Goran Djoreski
DK: More than a year and a half has passed since you were certified by ISO 27001 – what are your impressions? Was it really worth it? GD: It was definitely worth it, since it...
How to address main concerns with ISO 27001 implementation
Last week I delivered two webinars on the topic of ISO 27001, and I have asked the attendees to send me their top concerns regarding ISO 27001 implementation before those webinars. I’ve summarized most common...
Is ISO 27001 among the top ISO standards?
Do you know which ISO standards are the most popular? And whether ISO 27001 is among the most popular? There is both good and bad news for information security enthusiasts – ISO 27001 really is...
One Information Security Policy, or several policies?
Very often I see questions on various forums on how to develop an Information Security Policy. Quite frankly, I don’t think it is a good idea to stuff all the security rules into a single...
The purpose of Business continuity policy according to ISO 22301
Why would you need a Policy once you have Business impact analysis, Business continuity strategy and Business continuity plan? This is probably a question many experienced business continuity/disaster recovery practitioners are asking themselves, so here’s...
ISO 22301 vs. ISO 22313
I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved to be wrong. It can be quite useful as a supplement to ISO...
Backup policy – How to determine backup frequency
Did you think that the frequency of backup is based on the IT manager’s whims? Or, perhaps, based on the least expensive solution? Well, you are wrong. Backup policy, or to be precise – the...
5 criteria for choosing an ISO 22301 / ISO 27001 consultant
If you’re implementing ISO 27001 or ISO 22301 for the first time, you’re probably considering hiring a consultant to help you. But, which consultant should you hire, what are the potential problems, and how much...
Cybersecurity Executive Order confirms how crucial information security is for critical infrastructure
For a long time a debate has been going on regarding whether information security/cybersecurity has something to do with critical infrastructure, and if yes, how important cybersecurity is for critical infrastructure. This dilemma is definitely...
A first look at the new ISO 27001
Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013. When I heard the news that the DIS (draft) version of ISO 27001:2013...
ISO 27000 series – What to expect in 2013?
Believe it or not, there are more than 30 standards in the ISO 27k series. And, to make things worse, they are constantly changing because information security theory and best practice are continuously evolving. Here’s...
Top management perspective of information security implementation
I guess many information security specialists make one fatal mistake when speaking to their management: they assume their executives understand the basics of information security. (Unfortunately, sometimes I’m not an exception to that rule, either.)...
4 reasons why ISO 27001 is useful for techies
Very often when I start an ISO 27001 consulting job in a company, I hear complaints from system administrators, IT managers, and other IT staff like, “Oh no, now we’re going to get swamped with a...
Chief Information Security Officer (CISO) – where does he belong in an org chart?
Companies that start implementing an information security program, or specifically ISO 27001, very soon realize that they cannot do it without a person who would coordinate and manage such activities. But then they face the...
5 ways to avoid overhead with ISO 27001 (and keep the costs down)
There are probably two main thoughts managers have when starting ISO 27001 implementation: (1) we’ll pay quite a lot of money for something we’re not sure is worth it; and (2) the annoyance of maintaining...