ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines



How to maintain the ISMS after the certification

By Dejan Kosutic on July 14, 2014

If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun.

OK, but where do you start? The good news is that you already have all the directions in your documentation, but here’s an overview on what you have to focus on:

1) Operate the ISMS. First of all, you have to make sure you perform all the activities described in your policies and procedures. And I don’t mean just artificially creating some records and pretending that you are doing some activities because of the auditors – I mean really walking the talk, complying with all the requirements in all of your documents and producing the real records. If you think this makes no sense, then you have to simplify your documents or delete some documents that are not mandatory.

2) Update the documentation. Circumstances in your company will change – you’ll create some new products, you’ll purchase some new software, your organization will change, etc. This means you’ll have to update your policies or procedures or they will become useless. Best practice is to nominate an owner for each document, and that person will have to review his or her document periodically (usually once a year), and recommend possible changes.

3) Review the risk assessment. Again, because of the changed circumstances, the threats and vulnerabilities will change, meaning your risks will change; and if your risks have changed, this means your existing controls won’t be enough. This is why you should send the results of the last risk assessment to the risk owners so that they can review them and update if necessary – once this is done, you have to implement new controls based on those results. This review must be done at least once a year, or more often if some significant change has occurred.

4) Monitor and measure the ISMS. Although this one seems too abstract and probably the most difficult one to achieve, it is also one of the most important – otherwise, how would you know whether you’re doing a good job or not? When speaking about monitoring, you have to keep an eye on various security-related events like incidents, errors, exceptions, etc. Based on this information, you can learn what to do better and how to prevent future incidents from happening. But this is not all – you have to measure whether your ISMS achieves the intended results. To do this, you have to measure if you have achieved the objectives – for example, if the objective was to decrease the number of incidents by 50% in the current year, you have to take the actual number from the results of monitoring, and compare it with the number of incidents in the previous year. Read also ISO 27001 control objectives – Why are they important?

5) Perform internal audits. This might seem just like one of those “Oh no, another useless ISO 27001 job,” but the fact is – when done properly, an internal audit can reveal to you many more security weaknesses than most of the other activities together. To achieve this you have to either train some of your employees to do this job, or hire an external auditor. No matter which option you choose, you have to enable this person to do the job thoroughly and be prepared to act upon the audit results. Read also: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.

6) Perform management review. This is a crucial activity, since it actively involves your top management in your information security. You have to inform them about the key issues related to your ISMS, and ask them to make crucial decisions – for example, changes in organization, providing the budget, eliminating obstacles, etc. Learn more here: Why is management review important for ISO 27001 and ISO 22301?

7) Perform corrective actions. Again, this is not some “ISO 27001 job,” because corrective actions are something you perform regularly – most probably you do make improvements to what you are doing, only you don’t call them “corrective actions,” so the trick is to continue making those improvements in the form that is acceptable to ISO 27001. See also Practical use of corrective actions for ISO 27001 and ISO 22301.

And don’t forget that the certification body will perform surveillance visits at least once a year – they will check all seven issues listed above, but also whether you closed all the non-conformities from their last visit, so make sure you didn’t forget about them. See also Surveillance visits vs. certification audits.

But basically, the maintenance of your ISMS comes down to this: you should do it because of yourself, in order to make your company more secure – not because of a certification auditor.


Practical use of corrective actions for ISO 27001 and ISO 22301

By Dejan Kosutic on December 09, 2013

Is your company one of those that has no idea what the purpose of corrective actions is? Do you prepare your corrective actions only a couple of days prior to your certification audit? And do you think corrective actions are one of those requirements of ISO 27001/ISO 22301 with no real practical use?

You are wrong. Here’s why.

The purpose of corrective actions

Basically, any company that is trying to survive in the current market is making improvements on a daily basis – developing new products, resolving the problems with existing products/services, decreasing costs, etc. – otherwise, they wouldn’t be in business anymore.

And all those things are, in fact, corrective actions, although these companies probably didn’t think of them in such a way. ISO 27001, ISO 22301 and other ISO standards require nothing more than performing those corrective actions in a systematic way – so that it is known exactly where problems (nonconformities, in ISO terminology) are to be reported, who needs to review them and make a decision on how to resolve them, who is responsible for eliminating them, etc. And the best thing of all – in such a transparent system everyone can see what the problems are (nothing can be hidden), when and how those problems are to be resolved, and who is responsible for them.

Who can initiate corrective actions?

Anyone in the company can raise a corrective action, and the same goes for your partners and suppliers who have a role in your ISMS or BCMS. A corrective action may be raised because of an internal audit report or because of the results of testing and exercising, but also because someone thought of a better way to write the policies and procedures, or, e.g., to decrease the costs of your alternative location. Corrective actions can also demand larger changes; e.g., top management might conclude that the BCMS did not reach its objectives, and want the whole business continuity strategy redefined.

Required documents

You should have the following documents regarding your corrective actions:

  • Corrective action procedure – this procedure defines the basic rules for resolving corrective actions – how to raise one, where they are documented, who has to make which decisions, how to control their execution, etc.
  • Corrective actions – these are the records of actual nonconformities, decisions and activities made to resolve them.

Options for corrective actions

Here are a couple of options you have to decide regarding your corrective actions:

  • Where to document them. Numerous times, I’ve seen companies use specially designed paper forms for corrective actions (especially those that implemented ISO 9001) – they are usually called CARs. The result? No one uses them because it is totally impractical, and besides, no one knows where to find them. A much better solution is to use some kind of help desk (or even task management) tool, which probably already exists in your company and your employees are using on a daily basis – you just need to add another category for corrective actions, and basically, such a solution will be both practical and compliant with ISO 27001/ISO 22301.
  • Merge corrective actions with other management systems. This is definitely recommended – you don’t need three separate databases (or forms) for, e.g., ISO 27001, ISO 22301 and ISO 9001. Use the same procedure, the same system, the same database – of course, the nature of nonconformities and subsequent corrective actions will be different, but that doesn’t prevent you from unifying the system.
  • Write a procedure, or not. It is not mandatory to write the Corrective action procedure according to ISO 27001 and ISO 22301; however, it is recommended. Normally, the employees are not familiar with something they don’t do every day, so it might make sense to write those rules down – unless, of course, it is a process that works flawlessly in your company, so you won’t need such a document.

Making decisions

Each time a corrective action is raised, someone will have to make a decision whether to take corrective action or not (because sometimes it doesn’t make sense to do anything) – this decision can be left to the head of the department where the nonconformity is noticed. If the corrective action is to be carried out, then the same head of department can decide who will be responsible for the corrective action, and what the deadline is for its execution.

So, my key point is this – you already take corrective actions regularly in your company, and you probably do have the technology needed to record them in a way that is compliant with ISO standards. So, why not use such a system in your day-to-day operations if it can help your effort to create a better company?

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

A first look at the new ISO 27001

By Dejan Kosutic on January 28, 2013

Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013.

When I heard the news that the DIS (draft) version of ISO 27001:2013 was available, I was very impatient to read it. When compared to the old ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 is compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with confidentiality, integrity and availability – although this might seem too radical a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

The concept of asset owner is gone – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.

Objectives, monitoring and measurement

A big change here: these are not mentioned within some other requirements, but now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is there are no preventive actions anymore, at least not at first sight – they are basically merged in risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding of the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, the companies that are not so positive and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.

To learn how to transition to the new revision see free white paper Twelve-step transition process from ISO 27001 2005 revision to 2013 revision.

Surveillance visits vs. certification audits

By Dejan Kosutic on November 05, 2012

Surveillance visits are very often quite different from (initial) certification audits, so in this post I’ll explain why this is so and what the differences are.

It bears mention here that all the issues I’ll be talking about in this post are not only applicable to certification audits for ISO 27001 and ISO 22301, but also to all other certifiable management standards like ISO 9001, ISO 14001, ISO 20000, etc.

The certification audit and its limitations

During the first (initial) certification audit the certification auditor will check whether all the main elements of the management system are in place – all the documentation, all the required records, all the processes, etc. The auditor will also check whether the main processes are working as they are described in the documentation, but such a check will be limited because at that point in time the management system will have been in place for only a few months, or even only a few weeks. (To read more about the certification process, read this blog post: How to get certified against ISO 27001?)

On the other hand, the certificate is issued for a period of three years – so, for instance, if the initial certification audit was performed in November 2012, this means that the certificate will be valid until November 2015. Since the certification body guarantees that the management system will be in place throughout the validity of the certificate, the only way for the certification body to check out whether it really works is to send the certification auditor periodically to check out how things are going. And these are called the surveillance visits – they have to be performed at least once a year, or in some cases they are performed twice a year.

In cases where they are performed once a year, and using the previous example of a certification audit in November 2012, the first surveillance visit would be in November 2013, and the second (and last) surveillance visit in November 2014. After this, in November 2015, the certificate would expire and a company could go for the recertification audit.

The purpose of surveillance visits

So the main purpose of the surveillance visits is for the certification body to find out whether your management system really works in everyday operations, or not. It will focus on things that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all the measurements are made, whether all corrective and preventive actions are properly recorded and implemented, whether the top management really supports and cares about the system, etc.

A surveillance visit will also focus on issues that were identified as weak in the certification audit or previous surveillance visit – minor nonconformities, as well as areas where the auditor has made some observations.

The point is, during the surveillance visit the certification auditor will pay far less attention to the documents themselves, and far more attention to how the key processes are performed, how they are measured, and how they are improved – in other words, whether your system really works.

So don’t relax after your certification audit is over – the certification body is highly interested in finding out whether your management system is really functioning, and this is exactly what the surveillance visits will be focused on. And this is one more reason why you shouldn’t implement the standard only for the purpose of certification – the idea should be that the procedures and policies are really used in everyday operations.



5 ways to avoid overhead with ISO 27001 (and keep the costs down)

By Dejan Kosutic on June 19, 2012

There are probably two main thoughts managers have when starting ISO 27001 implementation: (1) we’ll pay quite a lot of money for something we’re not sure is worth it; and (2) the annoyance of maintaining such a system will cost us even more.

Yes, ISO 27001 does require an investment, but I would strongly argue that such investment pays off very quickly (see Four key benefits of ISO 27001 implementation). The bigger problem here is this: how to minimize the costs of running such a system, especially the time required of employees that have to “lose time dealing with all that documentation.”

And yes, I do agree that very often large quantities of documentation, or inappropriate documentation, are a problem – it simply takes too much time to comply with it (and to maintain it) without any obvious benefit. Therefore, here are 5 simple principles you should bear in mind when developing your ISMS:

Don’t get too ambitious

Basically, create only the documents you really need – if you’re a company of 10 employees it is not likely you’ll need a written description of the operating procedure for a security committee.

How would you know which documents are needed? You should start from ISO 27001 clause 4.3.1 where all the mandatory documents are listed (see also Mandatory documented procedures required by ISO 27001); add to this documents required by other interested parties (legislation, agreements with clients and partners, etc.), and areas that are very complex or are very risky – they normally need policies/procedures to define operating rules.

Bottom line is – the purpose of documentation is to serve your company, to describe the processes to your employees – not to satisfy the certification auditor.

The documentation should be written by those who will be using it

Not only do you need to avoid unnecessary documents, you also need to avoid unnecessary content in required documents. Very often I see consultants or security experts pushing too much text into a document that could have been much shorter (and easier to comply with).

It would be best if the documents are written by the employees who will be using those documents in day-to-day operations – they will make sure all the unrealistic parts are removed because otherwise they would make their own lives miserable.

Get commitment in the early phase

And having miserable employees is the best way for them to start avoiding compliance with such documents, which will contribute to the general consensus regarding the “needlessness of such documents.”

To avoid such an image, besides including the employees in writing the documents, it is also important to run awareness and training programs – such programs should run parallel to the implementation of documents/controls, because once documents/controls are implemented (without proper preparation), the image could already be turned irreversibly in the wrong direction.

Maintain the documentation

Did you ever try following an outdated procedure? Pretty much a time-wasting experience, wasn’t it? To avoid this, you need to make sure your documentation is up-to-date – to achieve that, these elements need to be in place: (1) each document should have an owner who periodically checks whether the document needs to be updated; (2) regular and thorough internal audits should find irregularities in the documents; and (3) corrective and preventive actions should be effectively implemented so that all nonconformities are continuously eliminated.

Measure if you achieved what you planned for

Measuring information security effectiveness is still considered to be something almost mystical; above all, it is thought of as THE overhead.

But I would argue differently – if you cannot prove that information security makes sense, it will always be perceived as pure overhead, won’t it? So in my opinion it does make sense to set some clear objectives (they don’t have to be numerous) and occasionally check whether you have achieved them. Such checks don’t have to take too much time, especially if you already have some kind of Balanced Scorecard in place – and they will show very vividly to your top management whether the investment in ISO 27001 did make sense. If it did, they will make an even greater effort to support it.
