ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide
Dejan Kosutic
Risk management is probably the most complex part of ISO 27001 implementation; but, at the same time, it is the...
Risk management is probably the most complex part of ISO 27001 implementation; but, at the same time, it is the most important step at the beginning of your information security project – it sets the...
Explanation of the most common business continuity terms
Rhand Leal
The pandemic has increased organizations’ interest in business continuity, as a way to protect themselves against disruption of their operations....
The pandemic has increased organizations’ interest in business continuity, as a way to protect themselves against disruption of their operations. However, in most cases, there is no time to wait for learning about business continuity...
How to prioritize security investment through risk quantification
Think of a circus juggler balancing dishes, bowls, and other flat objects on sticks. He needs to pay constant attention...
Think of a circus juggler balancing dishes, bowls, and other flat objects on sticks. He needs to pay constant attention so as not to let them fall, rotating them at sufficient speed and at the...
Risk appetite and its influence over ISO 27001 implementation
Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those...
Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those must include criteria for risk acceptance. Since these criteria have direct influence on how organizational...
How to maintain the ISMS after the certification
If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with...
If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun. OK, but where do you start?...
ISO 31000 and ISO 27001 – How are they related?
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001...
Last updated on March 10, 2022. Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001 implementation, this is not true. However, when comparing ISO 27001 vs. ISO 31000, the latter...
A first look at the new ISO 27001
Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September...
Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013. When I heard the news that the DIS (draft) version of ISO 27001:2013...
The documentation myth – Why the templates are not enough?
I noticed that many people running ISO 27001 projects who have downloaded documentation templates think “I have the templates now...
I noticed that many people running ISO 27001 projects who have downloaded documentation templates think “I have the templates now – the rest is easy. I’ll write a few documents, show them to auditor, and...
Lessons learned from ISO 27001 implementation
Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since...
Many readers of this blog asked me to present a real-life experience of ISO 27001 implementation in a company. Since I would be too subjective if I started writing my own impressions, I decided to...
What is cybersecurity and how can ISO 27001 help?
Every time I speak to someone about cybersecurity I hear rather different definitions about what it actually is – but...
Every time I speak to someone about cybersecurity I hear rather different definitions about what it actually is – but at least the general idea is pretty much the same. However, when it comes to...
How to deal with insider threats?
“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this...
“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this quite often when speaking to my clients about which security controls they should apply. And...
Is it possible to calculate the Return on Security Investment (ROSI)?
If you are an information security or business continuity professional, then you’re probably aware of the most difficult part of...
If you are an information security or business continuity professional, then you’re probably aware of the most difficult part of your job: to convince your management that investment in information security/business continuity makes sense. Traditionally,...
BS 25999-2 implementation checklist
Your management has given you the task to implement business continuity, but you’re not really sure how to do it?...
Your management has given you the task to implement business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to...
Information security or IT security?
Update 2014-08-11: The number of controls was updated according to 2013 revision of ISO 27001. One would think that these...
Update 2014-08-11: The number of controls was updated according to 2013 revision of ISO 27001. One would think that these two terms are synonyms – after all, isn’t information security all about computers? Not really....
