The ISO 27001 & ISO 22301 Blog

4 mitigation options in risk treatment according to ISO 27001

Most people think risk assessment is the most difficult part of implementing ISO 27001 – true, risk assessment is probably the most complex, but risk treatment is definitely the one that is more strategic and more costly. The purpose of risk treatment seems rather simple: to control the risks identified during the risk …

Risk appetite and its influence over ISO 27001 implementation

Clause 6.1.2 (a) (1) of ISO 27001:2013 states that an organization must establish and maintain information security risk criteria, and those must include criteria for risk acceptance. Since these criteria have direct influence on how organizational risks are treated, defining them is critical to make ISO 27001 add value to the …

How to organize initial risk assessment according to ISO 27001 and ISO 22301

Usually, the biggest headache companies have when starting to implement ISO 22301, and especially ISO 27001, is the risk assessment. And, interestingly enough, such a headache happens only when doing this for the first time – which means that risk assessment doesn’t have to be difficult once you know how …

ISO 31000 and ISO 27001 – How are they related?

Contrary to the popular belief that ISO 31000 is now mandatory for ISO 27001 implementation, this is not true. However, ISO 31000 could be quite useful for ISO 27001 implementation – it not only offers a couple of good guidelines, but it also gives a strategic context for managing (information …

Can ISO 27001 risk assessment be used for ISO 22301?

A few days ago I received the following question from one of our clients: “What is the difference between ISMS Risk Assessment and BCM Risk Assessment?” And, although the answer to this question might seem easy, in actuality it is not. Here’s the rest of his question: “… Because on …

How to deal with insider threats?

“Your ISO 27001 is nice in theory, but if our system administrator goes crazy, we’re dead.” – I hear this quite often when speaking to my clients about which security controls they should apply. And it’s not only system administrators, it is also the line managers, engineers, top management, etc. …

Is it possible to calculate the Return on Security Investment (ROSI)?

If you are an information security or business continuity professional, then you’re probably aware of the most difficult part of your job: to convince your management that investment in information security/business continuity makes sense. Traditionally, “making sense” for management means that the revenues that will result from the investment will …

BS 25999-2 implementation checklist

Your management has given you the task to implement business continuity, but you’re not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier – here are the main steps necessary to implement this standard: …

Risk assessment tips for smaller companies

I have seen quite a lot of smaller companies (up to 50 employees) trying to apply risk assessment tools as part of their ISO 27001 implementation project. The result is that it usually takes too much time and money with too little effect. First of all, what is actually risk …

Upcoming free webinar
Implementing Business Impact Analysis according to ISO 22301
Wednesday - March 29, 2017