ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines

8 criteria to decide which ISO 27001 policies and procedures to write

By Dejan Kosutic on July 28, 2014

If you’re just starting to implement ISO 27001 in your company, you’re probably in a dilemma as to how many documents you need to have, and whether to write certain policies and procedures or not.

Criteria for deciding what to document

Well, the first step is easy – you need to check whether a document is required by ISO 27001. For that purpose, see this article: List of mandatory documents required by ISO 27001 (2013 revision). If the document is mandatory, you have nothing to think about – you must write it if you want to be compliant with this standard. (See also: Seven steps for implementing policies and procedures.)

However, if the document is not mandatory, you may find yourself puzzled over whether you need to write it or not – for example, would you need a Backup Policy? Or perhaps a Classification Policy? Or a BYOD Policy?

Here are the criteria that will help you:

Risks. You have to start by assessing the risks to see if there is a need for such a control at all (see also: The basic logic of ISO 27001: How does information security work?). If there is no risk, then certainly you won’t need a document for it; if there is a risk, this still doesn’t mean you have to write a document, but at least you have resolved the dilemma of whether the control is needed or not.

Compliance. Sometimes you may have a regulation or a contractual requirement to write a certain document – e.g., a regulation may require you to write the Classification Policy, or your client may require you to sign NDAs with your employees.

Size of your company. Smaller companies will tend to have fewer documents, so in such a case you should try to avoid writing a procedure for every small process – for example, if you have 20 employees you don’t need 50 documents for your ISMS. Of course, if you are a multinational organization with 10,000 employees, writing policies where each would have a couple of related procedures, and then for every procedure a couple of working instructions – this approach does make sense.

Importance. The more important a process or activity is, the more likely you will want to write a policy or a procedure to describe it – this is because you’ll want to make sure everyone understands how to perform such a process or activity in order to avoid breakdowns in your operations.

Number of people involved. The more people perform a process or an activity, the more likely you will want to document it; for example, if you have 100 people involved, it will be very difficult to explain verbally to all these people how to perform a certain process – it is much easier to write a procedure that explains everything in detail. On the other hand, if you have five people involved, you can probably explain how the whole process works in a single meeting, so there is no need for a written procedure. There is one exception, though: if you have only one person working on a process, you might want to document it because no one else knows how to do it – so if this person becomes unavailable, you’ll be able to continue your operations.

Complexity. The more complex the process, the more likely it is that you’ll need a written document for it (at least in the form of a checklist) – it is simply impossible to remember by heart, e.g., 100 steps that need to be performed in the exact sequence.

Maturity. If a process or an activity is clearly established, if it has been running for years and everyone knows exactly how to perform it, if it is finely tuned, then there is probably no need to document it.

Frequency. If you perform some activities rather rarely, you might want to write them down because you might forget how they are done.

Find the right balance

The more documents you have and the more detailed they are, the more difficult it will be to maintain them and to make your employees observe them. On the other hand, a smaller number of documents that are also quite short might not describe exactly what you need to do.

In most cases, I recommend my clients not to become too ambitious – if there is no absolute need to create some new document, don’t do it; if there is no need to describe some process in great detail, make it shorter.

And remember – unnecessary documents will bring you nothing but trouble.

See here an example of the Procedure for document control.

How to become an ISO 27001 / ISO 22301 consultant

By Dejan Kosutic on July 21, 2014

If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an attractive option. But what do you need to know, and what do you need to have to start your own consultancy?

Focus on ISO 27001 or ISO 22301?

In my view, it should be “and” instead of “or” – these standards are very similar and very compatible, so it makes sense that you help your clients with both of them. Once you grasp one standard, it will be only a small step further to fully understand the other one. See also this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together?

What qualifications do you need?

It’s a funny thing, but there are no formal qualifications needed, at least not in most countries. This basically means anyone can become a consultant, with no qualifications whatsoever.

However, if you want to become a consultant respected by potential clients, you should have at least the following:

ISO 27001/ISO 22301 certificates – you should at least get the Lead Auditor or Lead Implementer certificate, but it would be better if you had both. See also Lead Auditor Course vs. Lead Implementer Course – Which one to go for?

Project management certificate – since your work will be nothing but delivering projects, you should learn how to run them. For instance, you should get PMP, or some other similar certificate.

Experience – theoretical knowledge won’t be enough, so you should get experience through at least one of the following:

  • Work as a certification auditor – performing certification audits will give you an excellent insight into the do’s and don’ts of ISO 27001 and ISO 22301 implementation, or
  • Work for another consultant – this is the best way to learn about the implementation methods and how to get new clients, or
  • Work as an information security or business continuity practitioner – working in a company is an excellent way to learn the client side of the story: What are the usual pains? What is the expert help needed for?

What else do you need?

Besides getting the knowledge already mentioned above, you will also need some other tools and sources of knowledge:

  • Books – there are many books available on ISO 27001 and ISO 22301 (this author is proud to have published one – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation)
  • Documentation templates – when starting to work with your clients you will need templates of ISO 27001/ISO 22301 policies and procedures to speed up your work.
  • Templates for proposals and presentations – what you show to potential clients must be very comprehensive and professional.
  • Tools – besides a laptop and MS Office, you will also need some kind of customer relationship management (CRM) software or an online service, because you must track all the potential clients and in which phase you currently are with each of them.
  • Social media skills – you will have to learn how to communicate through Twitter, Facebook and LinkedIn, since these will be important channels for getting new clients.
  • Website development skills – if you decide to publish articles, you will need to know at least how to publish a blog.

How to find the clients

Believe it or not, this is by far the most difficult task – this is where most would-be consultants have failed, no matter how knowledgeable they were about ISO 27001 or ISO 22301.

There are several ways you should market your services:

  • Use your contacts from previous jobs – for example, arrange a deal with the client even before you start your consultancy in order to avoid a gap once you start your new job; this is probably the best way to start your career, but you must be careful to stay within the ethical limits – you should not hurt your old employer because of this.
  • Direct sales – you should spend at least 30% of your time dialing phone numbers and delivering presentations to potential clients – this is basically the best way to close the deal.
  • Speaking at conferences – this is one of the best ways to build your credibility, and to get new contacts. Just make sure to practice your presentation skills, because otherwise, you may end up with even less credibility than you had previously.
  • Writing expert articles – you should publish your articles in specialized magazines and on the Internet – this way, you will show your expertise to the whole world.
  • Delivering courses – this is an excellent way to get new contacts and prove your expertise.
  • Partnerships – perhaps you can find some vendors who are compatible (and not competing) with your service – in such cases, when they get a deal they may bring you a new client.

And remember – clients aren’t going to rush in on the first day you start your consultancy; on the contrary, in the beginning you will probably have fewer clients than you imagined – even in your worst-case scenario. This is because the sales cycle is very long – it usually takes a lot of time for a client to decide to go for a project.

I’m not saying that a good consultant must be more skilled in marketing than in ISO 27001 or ISO 22301 – I’m just saying that marketing skills and efforts should not be neglected, because without them your main expertise will never reach the clients.

Focus on what’s the best for the client

In this article I wanted to present the prerequisites for becoming a consultant – the methods for delivering the ISO 27001 or ISO 22301 project wouldn’t fit in this article. For the implementation steps you should read these articles: ISO 27001 implementation checklist and 17 steps for implementing ISO 22301.

But in the end, remember that reputation is what will bring you new clients. Make sure that everything you do, you do it in the best interest of a client – you shouldn’t recommend some new technology to a client only because you have a partner selling it; you shouldn’t hold back some information only to have your client use your services later on. What you should do is protect your client’s interest and exceed their expectations.

Once clients realize your integrity and capability, they will start recommending you – and this is where your career will take off.

To learn more about marketing techniques, pricing, and how to deliver a project, see this webinar: How to become ISO 27001 / BS 25999 consultant.

How to maintain the ISMS after the certification

By Dejan Kosutic on July 14, 2014

If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun.

OK, but where do you start? The good news is that you already have all the directions in your documentation, but here’s an overview on what you have to focus on:

1) Operate the ISMS. First of all, you have to make sure you perform all the activities described in your policies and procedures. And I don’t mean just artificially creating some records and pretending that you are doing some activities because of the auditors – I mean really walking the talk, complying with all the requirements in all of your documents and producing the real records. If you think this makes no sense, then you have to simplify your documents or delete some documents that are not mandatory.

2) Update the documentation. Circumstances in your company will change – you’ll create some new products, you’ll purchase some new software, your organization will change, etc. This means you’ll have to update your policies or procedures or they will become useless. Best practice is to nominate an owner for each document, and that person will have to review his or her document periodically (usually once a year), and recommend possible changes.

3) Review the risk assessment. Again, because of the changed circumstances, the threats and vulnerabilities will change, meaning your risks will change; and if your risks have changed, this means your existing controls won’t be enough. This is why you should send the results of the last risk assessment to the risk owners so that they can review them and update if necessary – once this is done, you have to implement new controls based on those results. This review must be done at least once a year, or more often if some significant change has occurred.

4) Monitor and measure the ISMS. Although this one seems too abstract and probably the most difficult one to achieve, it is also one of the most important – otherwise, how would you know whether you’re doing a good job or not? When speaking about monitoring, you have to keep an eye on various security-related events like incidents, errors, exceptions, etc. Based on this information, you can learn what to do better and how to prevent future incidents from happening. But this is not all – you have to measure whether your ISMS achieves the intended results. To do this, you have to measure if you have achieved the objectives – for example, if the objective was to decrease the number of incidents by 50% in the current year, you have to take the actual number from the results of monitoring, and compare it with the number of incidents in the previous year. Read also ISO 27001 control objectives – Why are they important?

5) Perform internal audits. This might seem just like one of those “Oh no, another useless ISO 27001 job,” but the fact is – when done properly, an internal audit can reveal to you many more security weaknesses than most of the other activities together. To achieve this you have to either train some of your employees to do this job, or hire an external auditor. No matter which option you choose, you have to enable this person to do the job thoroughly and be prepared to act upon the audit results. Read also: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.

6) Perform management review. This is a crucial activity, since it actively involves your top management in your information security. You have to inform them about the key issues related to your ISMS, and ask them to make crucial decisions – for example, changes in organization, providing the budget, eliminating obstacles, etc. Learn more here: Why is management review important for ISO 27001 and ISO 22301?

7) Perform corrective actions. Again, this is not some “ISO 27001 job,” because corrective actions are something you perform regularly – most probably you do make improvements to what you are doing, only you don’t call them “corrective actions,” so the trick is to continue making those improvements in the form that is acceptable to ISO 27001. See also Practical use of corrective actions for ISO 27001 and ISO 22301.

And don’t forget that the certification body will perform surveillance visits at least once a year – they will check all seven issues listed above, but also whether you closed all the non-conformities from their last visit, so make sure you didn’t forget about them. See also Surveillance visits vs. certification audits.

But basically, the maintenance of your ISMS comes down to this: you should do it for your own sake, in order to make your company more secure – not because of a certification auditor.

Click here to see an overview of the Internal Audit Toolkit.

What has changed in risk assessment in ISO 27001:2013

By Dejan Kosutic on July 07, 2014

Risk assessment has always been a hot topic, and especially now with the changes in the ISO 27001 2013 revision – there are many doubts as to whether the risk assessment you’ve done according to the 2005 revision needs to be changed, and if yes – how big the change is.

The myths

Let’s start with a couple of myths related to risk management that have developed around ISO 27001:2013:

  • “We have to use ISO 31000 for risk management.” False – ISO 31000 is only mentioned in ISO 27001:2013, but it is not mandatory. (See also ISO 31000 and ISO 27001 – How are they related?)
  • “We have to delete assets, threats and vulnerabilities from our risk assessment.” False again – you can keep your old methodology if you like it, because ISO 27001:2013 leaves you the freedom to identify risks any way you want.
  • “We do not have to identify asset owners anymore.” Another false statement – although ISO 27001:2013 does not require you to identify asset owners as part of the risk assessment, it does require you to do it in control A.8.1.2. (See also Risk owners vs. asset owners in ISO 27001:2013)
  • “The identification of risks based on confidentiality, integrity and availability (C-I-A) is a new concept.” False – this concept existed in ISO 27001:2005, too; actually, the whole standard is based on the concept of protecting the C-I-A from the very beginning.

What has changed in risk management in ISO 27001:2013

As you’ll see, the changes are not very significant:

  • Top-level Information security policy does not need to establish criteria against which risks will be evaluated – this was the requirement of ISO 27001:2005 4.2.1 b) 4); in ISO 27001:2013, you still need to define the risk assessment criteria, but not as part of the top-level policy.
  • As mentioned before, you do not need to use the assets-threats-vulnerabilities methodology to identify risks – for example, you can identify risks based on your processes, based on your departments, using only threats and not vulnerabilities, or any other methodology you like.
  • You need to identify risk owners for each risk.
  • ISO 27001:2005 required management to approve residual risks, as well as implementation and operation of the ISMS. On the contrary, in ISO 27001:2013 the risk owners must accept the residual risks and approve the Risk treatment plan.
  • Treatment options in the 2013 revision are not limited only to applying controls, accepting risks, avoiding risks, and transferring risks as they were in the 2005 revision – basically, you are free to consider any treatment option you find appropriate.

One indirect change that is not visible at first reading of the standard is that risk management has taken over the role of preventive actions (preventive actions no longer exist in the 2013 revision) – only when reading clause 6.1.1 of ISO 27001:2013 more carefully does this become obvious. But this change makes sense – preventive actions are nothing other than concluding what negative things can happen in the future, and taking action to prevent them – and this is exactly what risk assessment and treatment are also about. Therefore, ISO 27001:2013 has only corrected what was not very logical in ISO 27001:2005, and the good thing is you do not have to change your risk assessment process because of it.

So, as you can see, the changes in risk assessment and treatment are relatively minor, and if you’ve done a good job with ISO 27001:2005, then you’ll find the transition to the 2013 revision of ISO 27001 relatively easy. All you need to do is identify risk owners for each risk, and give them the responsibility to make decisions about the risks.

Click here to download the free white paper Twelve-step transition process from ISO 27001:2005 to 2013 revision.

6-step process for handling supplier security according to ISO 27001

By Dejan Kosutic on June 30, 2014

Since more and more data is being processed and stored with third parties, the protection of such data is becoming an increasingly significant issue for information security professionals – it’s no wonder that the new 2013 revision of ISO 27001 has dedicated one whole section of Annex A to this issue.

But how is it possible to protect the information that is not directly under your control? Here is what ISO 27001 requires…

Why is it not only about suppliers?

Of course, suppliers are the ones that will handle sensitive information of your company most often. For example, if you outsourced the development of your company software, chances are that the software developer will not only learn about your company processes – they will also have access to your live data, meaning they will probably know what’s most valuable in your company; the same goes if you use cloud services.

But you may also have partners – e.g., you may develop a new product with some other company, and in this process you share with them your most sensitive research & development data, in which you have invested years of work and a lot of money.

Then there are customers, too. Let’s say you are participating in a tender, and your potential customer asks you to reveal lots of information about your structure, your employees, your strengths and weaknesses, your intellectual property, pricing, etc.; they may even require a visit where they will do an on-site audit. All this basically means they will access your sensitive information, even if you don’t make any deal with them.

The process of handling third parties

So, how do you protect your information? Basically, to be compliant with ISO 27001 you should follow this process:

Risk assessment (clause 6.1.2). You should assess the risks to confidentiality, integrity and availability of your information if you outsource part of your processes or allow a third party to access your information. For example, during the risk assessment you may realize that some of your information might be exposed to the public and create huge damage, or that some information may be permanently lost. Based on the results of risk assessment, you can decide whether the next steps in this process are necessary or not – for example, you may not need to perform a background check or insert security clauses for your cafeteria supplier, but you probably will need to do it for your software developer.

Screening (control A.7.1.1) / auditing. This is where you need to perform background checks on your potential suppliers or partners – the more risks identified in the previous step, the more thorough the check needs to be; of course, you always have to make sure you stay within the legal limits when doing this. Available techniques vary widely, and may range from checking the financial information of the company all the way to checking the criminal records of the CEO/owners of the business. You may also need to audit their existing information security controls and processes.

Selecting clauses in the agreement (control A.15.1.2). Once you know which risks exist and what is the specific situation in the company you have chosen as a supplier/partner, you can start drafting the security clauses that need to be inserted in an agreement. There may be dozens of such clauses, ranging from access control and labelling confidential information, all the way to which awareness trainings are needed and which methods of encryption are to be used.

Access control (control A.9.4.1). Having an agreement with a supplier does not mean they need to access all of your data – you have to make sure you give them the access on a “Need-to-know basis.” That is – they should access only the data that is required for them to perform their job.

Compliance monitoring (control A.15.2.1). You may hope that your supplier will comply with all the security clauses in the agreement, but this is very often not the case. This is why you have to monitor and, if necessary, audit whether they comply with all the clauses – for instance, if they agreed to give access to your data only to a smaller number of their employees, this is something you need to check.

Termination of the agreement. No matter whether your agreement has ended under friendly or less-than-friendly circumstances, you need to make sure all your assets are returned (control A.8.1.4), and all access rights are removed (A.9.2.6).

Focus on what’s important

So, if you are purchasing stationery or your printer toners, you are probably going to skip most of this process because your risk assessment will allow you to do so; but when hiring a security consultant, or for that matter, a cleaning service (because they have access to all your facilities outside working hours), you should carefully perform each of the six steps.

As you probably noticed from the above process, it is quite difficult to develop a one-size-fits-all checklist for checking the security of a supplier – rather, you should use this process to figure out for yourself what is the most appropriate approach to protect your most valuable information.

Click here to see an example of the Supplier Security Policy.