
About the Forum
Since its launch in July 2006, the ISO27k Implementers’ Forum has grown into a supportive global community of over 1,600 information security professionals who are actively using the ISO/IEC 27000-series standards.
Membership of the Forum is free for those with a genuine professional interest in using the ISO27k standards (i.e. information security managers, analysts, auditors, consultants and others) who have practical implementation experiences they are willing to share and contributions they wish to make. We stress the sharing aspect - lurkers are no benefit to the rest of us. All members are encouraged to ask questions and provide answers, tips, suggestions, case studies, example materials and so forth. This is a self-help community.
The Forum’s purpose
This is a practitioner’s group with a pragmatic rather than theoretical focus, where every contribution is treasured and every member valued. We mostly discuss practical matters of interest to those interpreting and applying the standards in real world situations. Forum members:
Are generally interested in information security standards;
Usually have relevant qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM and similar;
Would like more information about the standards, beyond that available on this website;
Are actively implementing the ISO27k standards, fully compliant with the standards, routinely reviewing or auditing organizations against the standards or advising clients or colleagues about the standards;
Often work for organizations that have been certified compliant with ISO/IEC 27001, or are working towards that point;
Would like to promote the standards more widely;
May be involved in the standards bodies and committees responsible for developing the standards; and
Wish to discuss and share information security management standards, practices, methods etc. with their peers.
The ISO27k Implementers’ Forum is not intended for information security students or professionals with merely a passing interest in the ISO/IEC 27000-series standards, or those barely starting out on the path to implementation. We’re not being elitist: the ISO27k FAQ plus various other discussion fora that cover the basics in simpler terms are probably more suitable for you right now but by all means apply to join up when you have gained actual hands-on implementation experience that you are willing to share with us all. Sharing is important. The free ISO27k Toolkit is an example of sharing in action.
We occasionally discuss more theoretical or abstract topics, and contribute to the ongoing development of the ISO27k standards by mulling over and proposing possible improvements.
Recent discussion threads
ISO/IEC 27002 implementation plans;
Organization structures and other governance aspects for information security;
Updates and news following ISO/IEC JTC1/SC27 meetings;
“Electronic signatures” - risks and controls;
Tangible and intangible elements of an ISO27k ISMS;
Need for document control procedures within the ISMS;
The value of ISO/IEC 27001 certificates awarded to business partners;
The content, structure and value of information security policies;
Classification of information - purposes and processes;
Proper disposal of confidential information;
Information asset inventory;
Risk analysis and business impact analysis methods, techniques and tools;
Building the business case for information security and gaining executive support;
Scope definition, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they are meant to contain ...
We have also contributed to the promotion and further development of the ISO27k standards, for instance collaborating in an online group project to develop an ISMS Auditing Guideline that was contributed to the ISO/IEC group developing ISO/IEC 27007. Members of the Forum have provided materials for the free ISO27k Toolkit, the white papers, the questions and answers in the FAQ and the links to other resources. Thank you all.
Feedback from Forum members
“Thanks for the great work all of you guys are doing in this forum. It’s by far the most informative I have found on ISMS, ISO 27k etc.” Thank you too Vicand.
“I just wanted to get in touch with some praise as I am very impressed with everything that goes on in this forum. Since joining I have bought the standards as per your recommendation online and I have opened my eyes to all that is possible from a commercial and more importantly practical point of view. My company has been developing a Risk Assessment plan for SMEs and although I have a guy that has a masters in IT Security working on the plan, we’re finding so many good points from the forum that it is helping us a great deal.” Cheers Dave!
“I am a member of the ISO 27001 Security Forum. I have used iso27001security.com material extensively and I am very grateful to you and its contributors. I am pleased that I am now able to give something back ...” Thank you for the feedback and contributions, Julian.
OK, sign me up!
If you are actively implementing the ISO27k standards and are willing to provide input to the discussions (not just to lurk!), please apply to join the Forum. The Forum is simply a mailing list run on Google Groups. Emails sent by Forum members to the Forum’s email address are ‘reflected’ back to all members.
We reject around half of those applying to join the group, generally because applicants provide no information or evidently have no ISO27k experience to share. We welcome those who have actually implemented ISO/IEC 27002 and/or whose organizations have been certified compliant with ISO/IEC 27001. We also welcome those of you who are just setting out on the journey to enlightenment provided you can persuade us that you are serious about it, are willing to give as well as receive, and have relevant experience to share.
If your initial application is unsuccessful, please consider joining the other ISMS-related mailing lists instead but by all means re-apply here when you have actually implemented the standards or at least started your implementation project, and have implementation experience to share with the community. To appeal your application, contact us directly.
Privacy
If you join the Forum, you will obviously receive ISO27k-related emails from Forum members via Google Groups but that’s it. Rest assured that we will not exploit, sell or give away your email address: after all, securing personal information is one of the key reasons for implementing ISO27k! Our privacy policy has more on this.
Feel free to create a unique email address solely for the Forum and please let us know straight away if you receive any spam on it, indicating a control lapse somewhere. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed bit-by-bit to the Ravenous Bugblatter Beast of Traal or, under our environmental policy, may be slowly composted and recycled into the Earth.
Forum tips and etiquette
The following bullet points are meant to keep the ISO27k Implementers’ Forum on the right track. Thank you for your understanding, patience and compliance:
Please be professional and respectful at all times. Some of our members are new to this game and occasionally make naive or misguided statements. Be gentle with them - we all had to start somewhere.
Please post messages to the Forum using plain ASCII email, not HTML. HTML adds bloat and increases security risks without improving the information content.
Please add your name to your postings, indicating how you prefer to be addressed. Members from cultures that normally put the family name first take note. It helps to give us a clue about your “first name” or “given name”, the name that your friends call you. We are pretty informal so there’s no real need for titles or qualifications here.
The Forum is non-commercial and ad-free. We actively discourage members from overtly advertising or promoting their organizations and products, making commercial offers etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable. Please help us keep this a professional self-help forum. To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum. Forum members who break this rule will probably find future postings censored and if they still cause trouble, they may be summarily removed from the group.
The Forum’s primary language is English. However, ours is a truly international community, hence English is not the first language of many members. Please look beyond the occasional spelling and grammatical errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans. Please take non-English discussions off-line but of course we would welcome an English summary if they are relevant to the group.
When you first join any online forum, it is considered polite to scan the archives (using the Google Groups Web interface and search function) before posting a question to see whether it has already been answered. You might also like to read the ISO27k FAQ. Once you have been a member for a few weeks or months, you will have absorbed the style of the Forum and are less likely to repeat old questions, at least not without adding something uniquely different (even if it is just the spelling).
Please don’t top post. If you reply to a Forum message, don’t just add your comments to the top of the entire original message: trim down the original message to its essentials and insert your comments in context. We are all busy people and don’t appreciate having to wade right through old messages just to get to a new point.
Stay on topic please! There are plenty of other mailing lists and resources out there for other aspects of information security management. This Forum is exclusively about implementing the ISO/IEC 27000-series standards - anything else (including vacancy notices and job hunting) is just unwelcome noise.
Google Groups gives you the option of receiving each message individually or a daily digest. This is a low-volume mailing list with generally just a few messages per day so it doesn’t make a lot of difference either way.
Respect copyright law in accordance with section 15 of ISO/IEC 27002. Do not circulate copyright materials (including ISO/IEC standards!) unless you are the owner or have the copyright owner’s express permission. It is better to share links to materials published on the Web than to copy and attach the actual materials. Likewise, please do not republish, forward or circulate Forum postings outside the Forum without the authors’ explicit permission. Forum members who willfully break this rule will be summarily booted off the Forum before their send buttons rebound.