About the Forum
Since its launch in July 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of over 1,800 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their experience and expertise with others.
Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards (i.e. information security managers, analysts, auditors, consultants and others), particularly those who have practical implementation experiences they are willing to share and contributions they wish to make.
The Forum’s purpose
This is a practitioner’s group with a pragmatic rather than theoretical focus, where every contribution is treasured and every member valued. We mostly discuss practical matters of interest to those interpreting and applying the standards in real world situations (see the list of typical threads below).
ISO27k Forum members:
- Are generally interested in information security standards;
- Usually have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, GIAC and similar;
- Would like more information about using the standards in real life, beyond that available on this website and elsewhere;
- Are planning to implement, actively implementing, fully compliant with or simply using the ISO27k standards, or are auditing organizations against the standards, or are experienced consultants advising clients about the standards;
- Often work for organizations that have been certified compliant with ISO/IEC 27001 or are working towards that point;
- Would like to help promote the standards more widely;
- May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect; and
- Wish to discuss information security management standards, practices, methods etc. with their peers.
Sharing is important. The free ISO27k Toolkit is an example of what we can achieve through selfless collaboration. Forum members are encouraged to ask questions and provide answers, tips, suggestions, case studies, example materials and so forth. This is a self-help user community that thrives on proactive involvement.
Typical discussion threads
- Risk assessment and risk analysis methods and tools;
- Security aspects of software development;
- Classification of various types of information asset;
- Information security incident metrics;
- Mandatory documentation needed for ISO/IEC 27001 certification;
- ISO/IEC 27002 implementation plans;
- Organization structures and other governance aspects for information security;
- Updates and news following ISO/IEC JTC1/SC27 meetings;
- “Electronic signatures” - risks and controls;
- Tangible and intangible elements of an ISO27k ISMS;
- Need for document control procedures within the ISMS;
- The value of ISO/IEC 27001 certificates awarded to business partners;
- The content, structure and value of information security policies;
- Classification of information - purposes and processes;
- Proper disposal of confidential information;
- Information asset inventory;
- Risk analysis and business impact analysis methods, techniques and tools;
- Building the business case for information security and gaining executive support;
- Scope definition, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they are meant to contain ...
We have also contributed to the promotion and further development of the ISO27k standards, for instance collaborating in an online group project to develop an ISMS Auditing Guideline that was contributed to the ISO/IEC group developing ISO/IEC 27007. Members of the Forum have provided materials for the free ISO27k Toolkit, the white papers, the questions and answers in the FAQ and the links to other resources. Thank you all.
OK, sign me up!
If you have a keen interest in the ISO27k standards and are willing to participate in the discussions, by all means apply to join the Forum. Please make your case when you apply: persuade us that you are suitably qualified and ideally have the expertise if not the experience that you are willing to share with the community. If you say nothing at all, or if you are not persuasive, your application will simply be rejected.
We extend an especially warm welcome to those who have actually implemented ISO/IEC 27002 and/or whose organizations have been certified compliant with ISO/IEC 27001, and to members of ISO/IEC JTC1/SC27. We gladly accept applications from qualified information security professionals who are genuinely interested in the standards but don’t (yet!) have ISO27k implementation experience, and from IT auditors including ISO/IEC 27001 certification auditors. Spammers are less welcome than a French kiss from old Auntie Doris at a family reunion.
The Forum is simply a Google Groups mailing list. Emails sent by Forum members to the Forum’s email address are ‘reflected’ straight back to all Forum members. Google Groups gives us the bare minimum of tools for user administration, and lacks the capability for us to give applicants feedback if they fail to qualify (usually because they provide no information to persuade us) or indeed if they succeed (we’d like to welcome you all individually but the tools are missing and life’s too short to mess around - sorry).
Privacy
If you join the Forum, you will obviously receive ISO27k-related emails from Forum members via Google Groups but that’s about it. Rest assured that we will not exploit, sell or give away your email address: after all, securing personal information is one of the key reasons for implementing ISO27k! Our privacy policy has more on this.
If you post messages to the Forum, members may occasionally email responses directly to you rather than to the entire group. We discourage anyone from advertising on the Forum or pestering members but if you are clearly seeking services or information, vendors may contact you directly. Feel free to create a unique email address solely for the Forum and please let us know straight away if you receive any spam on it, indicating a control lapse somewhere. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed bit-by-bit to the ravenous bugblattered beast of Traal or, under our environmental policy, may be slowly composted back into mother Earth alongside old Auntie Doris.
Forum tips and etiquette
The following bullet points are meant to keep the ISO27k Forum on the right track. Thank you for your understanding, patience and compliance:
- Please be professional and respectful at all times. Some of our members are new to this game and occasionally make naive or misguided statements. Be gentle with them - we all had to start somewhere. Some of us are old hands and with experience and age comes a tendency to arrogance and crankiness. Try to see beyond the words to the underlying wisdom.
- Please post messages to the Forum using plain ASCII email, not HTML. HTML adds bloat and increases security risks without improving the information content.
- Please add your name to your postings, indicating how you prefer to be addressed. Members from cultures that normally put the family name first take note: it helps to give us a clue about your “first name” or “given name”, the name that your friends call you. We are pretty informal so there’s no need for titles or qualifications here.
- The Forum is non-commercial and ad-free. We actively discourage members from overtly advertising or promoting their organizations and products, making commercial offers etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable. Please help us keep this a professional self-help forum. To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum. Forum members who break this rule will probably find future postings censored and if they still cause trouble, they may be summarily removed from the group for recycling.
- The Forum’s primary language is English. However, ours is a truly international community and hence English is not the first language of many members. Please turn a blind ear to the occasional spelling and grammatical errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans. Please take non-English discussions off-line but of course we would welcome an English summary if they are relevant to the group.
- Please don’t top post. If you reply to a Forum message, don’t just add your comments to the top of the entire original message: trim down the original message to its essentials and insert your comments in context. We are all busy people and don’t appreciate having to wade right through old messages just to get to a new point. However, please avoid changing the subject line unless you are deliberately going off at a tangent, as Google Groups uses the subject lines to thread related messages together.
- Stay on topic please! There are plenty of other mailing lists and resources out there for other aspects of information security management. This Forum is exclusively about the ISO/IEC 27000-series standards - anything else (including vacancy notices, job hunting, advertisements, jokes and stuff) is just noise. Help us keep the signal-to-noise ratio right up there in the red zone.
- Google Groups gives you the option of receiving each message individually or a daily digest. This is a fairly low-volume mailing list with generally just a few messages per day so it doesn’t make a lot of difference either way, but it’s your choice.
- Respect copyright law in accordance with section 15 of ISO/IEC 27002. Do not circulate copyright materials (including ISO/IEC standards!) unless you are the copyright owner or have the copyright owner’s express permission. It is better to share links to materials published on the Web than to copy and attach the actual materials. Likewise, please do not republish, forward or circulate Forum postings outside the Forum without the authors’ explicit permission. Forum members who willfully break this rule will be - and indeed have been - summarily booted off the Forum without further warning, although we might read them some Vogon poetry first.
Genuine feedback from Forum members
- “I owe a big thank you for giving every professional a chance to interact in this forum. I know it is not a simple task to take time for this kind of initiative.” That’s kind of you Bala. It’s my pleasure - really, I enjoy the discussions and the breadth of opinions expressed. So long as I keep learning and enjoying the Forum, I will carry on running it.
- “An excellent place to share and discuss the achievements, doubts, concerns regarding ISMS with serious mods and much experienced people makes this forum a unique one among many others.” Glad to hear it Nitin!
- “Firstly, I should thank you for giving this great platform to the ISMS community ... There are a lot of people in this forum like me who gain a lot of understanding about ISMS via this forum. Being a consultant, whenever I feel like I am stuck I go through the discussions in the forum and most of the time get all the desired solutions. There are around 1700 members in this forum and undoubtedly the participation is there from very few members. There are many members who get all their answers from discussions held earlier. I strongly feel that we all should contribute in this forum. Maybe due to some time constraints all members are not able to contribute.” I agree Preetinder. Members are actively encouraged - but not absolutely required - to post messages. Some are probably just shy but hopefully their confidence will increase as they gain experience and see how the community supports its members.
- “Thanks first and foremost for having successfully envisioned & ensured such a useful forum which has a varied amount of experience levels for the last so many years. I personally try and follow most of the discussion and never stop being amazed at the commonality of issues across geographic boundaries.” Thanks for your inputs too, Ajai. We do indeed have a wide spectrum of members’ cultures represented here.
- “This forum is truly an active knowledge base with authentic ideas coming in not only from members who are dealing with the ISO 27001 standard in their respective environments but also some other experienced members who share their knowledge and seek advice from the group. I personally use this forum for brainstorming and to get expert ideas from different people with various experiences.” Glad to hear that, Faiz.
- “From my point of view this forum is all I need to implement the ISMS standard and share my knowledge. You are doing a great job in here and trust me the world needs [it].” Cheers Anca. I think perhaps you are using rather more than literally just the Forum but I appreciate the sentiment!
- “Excellent forum. Personally I have found this forum to be a critical source of advice and information and also the assurance that the advice is coming from highly qualified members.” Good point Mark. The membership criteria may be restrictive but you are right that the value of the group depends on the quality of its inputs, which in turn relates to the experience and qualifications of participants.
- “Greetings all, I also appreciate this forum and have gained much from it since I joined a few months ago. Since joining I have responded once to an enquiry. There are times when I agree with the responses given by others and do not add my two cents for fear of "piling on" when responses are on target or nearly so. There may also be a large number of learners who are engaged members of the forum who gain from the exchanges without responding. If the forum is for sharing information and raising awareness among people of varying expertise and experiences, I think the forum works effectively. I suspect that some of the 1700 may share this view also. Thanks for the opportunity to share and to learn.” You are welcome LDyson.
- “This is one of the very few serious forums available on the net which does not have any spam, and all the postings are professional ... Thank you for conceiving and managing such an excellent forum.” Thank you Surendro, and all Forum members for making it what it is.
- “I am one of those who contribute little but receive/read a lot on this group and benefit a great deal. Most of the time the ideas that I have on a situation are shared/voiced by another member of the group so I don't repeat the words. I must say that this is one of the best groups I am a member of and I have access to the best professional opinions. I suggest let's open up a bit and let more professionals join the group, 1700 is a very small number, let's have some fresh blood and let's have fresh ideas. However we should have the policy defined for entry. I also suggest let's not remove people from the group because people like me are actually accumulating the database and knowledge that may be useful in a future situation, they might come back and access the relevant topics and get the details and use that in their job. I think some of us may pick up all the ideas discussed so far on this group, review these and improve these and put that in the form of a reference manual on the website for everyone to have access. This may be charged for by the administrator / owner / group and may become the bible for ISMS. It should have a searchable facility on topics / discussions. Just one idea.” OK Tariq, thanks. Rest assured we have not totally discarded the entry criteria but have relaxed them a bit. We won’t remove members simply because they are quiet or shy! The accumulated discussions are already searchable by members using the Google Groups web interface and we do try to save the most frequent or useful discussions and contributions in the FAQ and/or the Toolkit.
- “This has been an excellent forum and been very efficient since the day I joined. Thank you so much for your effort. I agree with the other members that the [entry] criteria should stay, it is our control mechanism to mitigate potential risks : )” I like it Nor!
- “I for one did all my research on this forum and went on to achieve ISO 27001 for my company so for someone looking for real world answers this is the place...” Well done Franklin. Forum members gaining their certification is definitely cause for celebration. Cheers!
- “Thanks for the great work all of you guys are doing in this forum. It's by far the most informative I have found on ISMS, ISO 27k etc.” Thank you too Vicand.
- “I just wanted to get in touch with some praise as I am very impressed with everything that goes on in this forum. Since joining I have bought the standards as per your recommendation online and I have opened my eyes to all that is possible from a commercial and more importantly practical point of view. My company has been developing a Risk Assessment plan for SMEs and although I have a guy that has a masters in IT Security working on the plan, we're finding so many good points from the forum that it is helping us a great deal.” Cheers Dave!
- “I am a member of the ISO 27001 Security Forum. I have used iso27001security.com material extensively and I am very grateful to you and its contributors. I am pleased that I am now able to give something back ...” Thank you for the feedback and contributions, Julian.
