The ISO27k Forum

Copyright © 2014 IsecT Ltd.


About the Forum

Since its launch in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of more than 2,800 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their queries, experience and expertise freely with others.

Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards (information security managers, CISOs, analysts, auditors, consultants, MSc students and others), particularly those who have practical implementation experiences they are willing to share and contributions they wish to make.

The Forum’s purpose

This is a practitioners’ group with a practical rather than theoretical focus, where (almost!) every contribution is treasured and every member valued.  We mostly discuss practical matters of interest to those interpreting and applying the ISO27k standards in real world situations (see the list of typical threads below). 

ISO27k Forum members:

  • Are generally interested in information security standards;
  • Usually have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, GIAC and similar;
  • Would like more information about using the standards in real life, beyond that available on this website and elsewhere;
  • Are planning to implement, actively implementing, fully compliant with or simply using the ISO27k standards, or are auditing organizations against the standards, or are experienced consultants advising clients about the standards;
  • Often work for organizations that have been certified compliant with ISO/IEC 27001 or are working towards that point;
  • Would like to help promote the standards more widely;
  • May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect; and
  • Wish to discuss information security management standards, practices, methods etc. with their professional peers.

Sharing is important to us or, as one of our members put it, “we are a TEAM - Together Everyone Achieves More”.  The free ISO27k Toolkit is an example of what the community can achieve through selfless collaboration. 

Forum members are encouraged both to ask questions and to offer answers, tips, suggestions, case studies, example materials and so forth.  This is a self-help user community that thrives on proactive involvement in a supportive atmosphere.

Typical discussions

The Forum is a low to medium-volume discussion group (email reflector) using Google Groups.  We normally see about one new topic every day with about four emails per topic:

(Chart: ISO27k Forum message volume)

We discuss anything and everything ISO27k-related, such as:

  • Audit practices in relation to ISO27k and ISMS auditing;
  • Building the business case for information security and gaining executive support;
  • Business continuity management including resilience, recovery and contingency planning;
  • Certification, surveillance audits, re-certification;
  • Classification of information - purposes and processes, types of information asset;
  • Content, structure, purpose and value of information security policies, procedures And All That;
  • Definitions and interpretations of ISO27k terms such as “information asset”;
  • How to implement the standards - pragmatic advice from those who have done it;
  • Information asset inventory - what it is, how much detail is needed;
  • Information security aspects of the software development and acquisition processes;
  • Information security risks and controls in various contexts e.g. electronic signatures, digital redaction;
  • Information security risk assessment/analysis methods and tools, plus those for business impact analysis;
  • ISO27k status updates and news from ISO/IEC JTC1/SC 27;
  • ISO/IEC 27002 implementation plans;
  • Mandatory documentation needed for ISO/IEC 27001 certification;
  • Meaning of Preventive Action and Corrective Action in the ISO27k/ISMS/ISO9k contexts;
  • Metrics for information security incidents etc.;
  • Need for document control procedures within the ISMS;
  • New information security standards, not just ISO27k;
  • Organization structures and other governance aspects for information security;
  • Proper, secure disposal of confidential information;
  • Revision of existing standards;
  • Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
  • Risk management e.g. what are residual risks?  What is risk appetite?;
  • Scope definition, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they are meant to contain ...;
  • Security awareness - why it’s needed, how to do it;
  • Support for Forum members facing awkward problems and making key decisions in their ISO27k implementation projects (e.g. scoping, estimating, gaining management support, inventorying assets, assessing risks, mitigating risks ...);
  • Tangible and intangible elements of an ISO27k ISMS;
  • Value of ISO/IEC 27001 certificates awarded to business partners.

This is just a potted selection to give you a flavour of the discussion.  As well as the FAQ, we have already accumulated a huge amount of worthwhile content in the group’s archive, so get to know Google’s search syntax to get the most out of it, and if your question has not been adequately addressed, by all means raise it on the Forum.

ISO27k Forum Projects

From time to time, ISO27k Forum members collaborate as virtual teams to work on topical issues.  We have also contributed to the promotion and further development of the ISO27k standards, for instance collaborating in an online group project to develop an ISMS Auditing Guideline that was contributed to the ISO/IEC group developing ISO/IEC 27007.  Members of the Forum have provided materials for the free ISO27k Toolkit, the white papers, the questions and answers in the FAQ and the links to other ISO27k-related resources.

OK, sign me up!

If you have a keen interest in the ISO27k standards and are willing to participate actively in the discussions, by all means apply to join the Forum.  Please make your case briefly when you apply: persuade us that you are suitably qualified and ideally have the expertise or qualifications if not the experience that you are willing to share with the community.  If you say nothing at all or are not sufficiently persuasive, your application will simply be rejected at this time.  Feel free to try again later, once you meet the requirements.

We extend an especially warm welcome to those who have actually implemented ISO/IEC 27002 and/or whose organizations have been certified compliant with ISO/IEC 27001, and to members of ISO/IEC JTC1/SC 27.  We also gladly accept applications from qualified information security professionals who are genuinely interested in the standards but don’t (yet!) have ISO27k implementation experience, and from IT auditors including ISO/IEC 27001 certification auditors and ISMS internal auditors. 

Spammers are less welcome than a privacy breach at a major retailer

The Forum is a Google Groups emailing list or reflector.  Emails sent by Forum members to the Forum’s email address are reflected straight back to all Forum members.  Google Groups gives us the bare minimum of tools for user administration, and unfortunately lacks the capability for us to give applicants feedback if they fail to qualify (usually because they provide no information to persuade us) or indeed if they succeed (we’d like to welcome you all individually but the tools are missing and life’s too short to mess around - sorry).  If you wish to appeal following a rejected application, please contact us directly.  We’re reasonable people.  Please don’t take things personally.

Privacy

If you join the ISO27k Forum, you will obviously receive ISO27k-related emails from other Forum members via Google Groups but that’s about it.  Rest assured that we will not exploit, sell or give away your email address or other personal information: after all, privacy is one of the key reasons for implementing ISO27k!  Our privacy policy has more on this.

If you post messages to the Forum, members may occasionally email responses directly to you rather than to the entire group.  We discourage anyone from advertising on the Forum or pestering members but if you are clearly seeking services or information, vendors may contact you directly/off-list.  Feel free to create a unique email address solely for the Forum and please let us know straight away if you receive any spam on it, indicating a control lapse somewhere.  We utterly detest and actively fight spam.  Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the Ravenous Bugblatter Beast of Traal or, under our environmental policy, may be slowly composted back into mother Earth alongside good old Auntie Doris.

Please note: by popular request, we are now permitting read access to the Forum by anyone, not just members.  However write access is still restricted to those who are eligible to join the Forum.

Forum tips and etiquette

The following guidelines are meant to keep the ISO27k Forum on the right track, and benefit the whole community.  Thank you for your understanding, patience and compliance:

  • Please be professional and respectful at all times.  Some of our members are new to this game and occasionally make naive or misguided statements.  Be gentle with them - we all had to start somewhere.  Some of us are old hands and with experience and age comes a tendency to arrogance and crankiness.  Try to see beyond the words to tease out the underlying wisdom.
  • Please add your name to your postings, indicating how you prefer to be addressed.  Members from cultures that normally put the family name first take note: it helps to give us a clue about your “first name” or “given name”, the name that your friends call you.  We are pretty informal so there’s no need for titles or qualifications here.
  • If you want to pose a question on the Forum, take a moment to explain your context.  Why are you asking the question?  What have you already done in an attempt to find an answer (e.g. have you Googled it and searched the ISO27k FAQ and ISO27k Toolkit on this website)?  What kind and size of organization do you represent?  How mature is its ISMS?  Forum members can provide more meaningful and helpful answers if you make the effort to clarify your question.  Ultra-brief, context-free questions such as “How many people should we have to implement our ISMS?” tend to go nowhere fast and often stir up somewhat sarcastic and cynical responses.  For further advice on asking questions intelligently, see here, here and here.  Help us help you.
  • The Forum is non-commercial.  We actively discourage members from overtly advertising or promoting their organizations and products, making commercial offers etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable.  Please help us keep this a professional self-help forum.  To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum.  Forum members who break this rule will probably find future postings censored and, if they continue flaunting the rules, they will be mysteriously removed from the group one day without further ado.
  • The Forum’s primary language is English, meaning plain English, not TXT-speak.  However this is a truly international community, hence English is not the first language of many members.  Please turn a blind ear to the occasional spelling and grammatical errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans.  Please take non-English discussions off-line or find (or set up!) a similar forum for your languages of choice, but of course we would welcome an English summary if you have something relevant to contribute.
  • When you first join any online forum, it is considered polite to scan the archives (using the Google Groups Web interface and search function) before posting a question to see whether it has already been answered.  You might also like to read the ISO27k FAQ.
  • Please reply sensibly.  Trim down the original content to its essentials and insert your comments in context.  We are all busy people and don’t appreciate having to wade right through old messages just to get to a new point.  Don’t change the subject line unless you are deliberately going off at a tangent as Google Groups uses the subjects to thread related messages together - with one exception: if you are replying to a Forum message received as a digest, please use the original poster’s subject line.
  • Stay on topic please!  There are plenty of other mailing lists and resources out there for other aspects of information security management.  This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters.  Anything else (such as technical queries about information or IT security controls, or general stuff such as vacancy notices, job-hunting, advertisements, press releases and jokes) is basically just noise.  Help us keep the signal-to-noise ratio right up there in the green zone.
  • Google Groups gives you the option of receiving each message individually or as a daily digest.  This is a low to medium-volume list with a handful of messages per day so it doesn’t make a lot of difference either way.  You may like to file incoming messages automatically into their own mailbox if your email client has this functionality.  To make this easy, all Forum messages have the text “[ISO 27001 security]” in the subject line.  Google Groups also allows you to suspend the delivery of Forum messages (e.g. while you are on holiday) or unsubscribe from the Forum (this works even if for some reason you cannot simply send an email to the unsubscribe address at the bottom of every Forum message).  As a last resort if the Google Groups functions don’t work for you, please email the Forum Admin for help.
  • Respect copyright law in accordance with section 15 of ISO/IEC 27002.  Do not circulate copyright materials (including ISO/IEC standards!) unless you are the copyright owner or have the copyright owner’s express permission.  Instead of pirating materials that do not belong to you, by all means share URLs for materials legitimately published on the Web.  Likewise, please respect the copyright of Forum members: do not republish, forward or circulate Forum postings outside the Forum without the authors’ agreement (it is polite to ask them - most of us are flattered to be asked).  Forum members who willfully break this rule will be - and indeed have been - summarily booted-off the Forum without further warning.  If we are really annoyed, we might subject you to a Vogon poetry recital as well.
  • If you are going to be away from the office, please don’t set an Out-Of-Office message that automatically responds to Forum messages, thereby generating another Forum message ...  The Forum member who actually did this, generating an OOO storm of approximately 700 messages in a few hours, has been despatched to the outer reaches of the galaxy without a space suit to contemplate the meaning of life, the universe and everything.

Genuine feedback from Forum members

  • “Thank you for the fantastically useful website.  I use the documents and tools to extend my knowledge and competence.”  You’re welcome, Todd, my pleasure.
  • “Glad you have chosen to continue the forum.  I think you do a sterling job, appreciated by us all.”  Cheers Harry!  We appreciate your involvement too.
  • “I am a new-comer to this forum.  I have been reading your emails and response to questions now for a couple of months.  I work in a small IT company with a new data centre and have been charged as Best Practice coordinator with implementing an ISMS and striving towards certification under ISO 27K.  Although I have a legal background and have worked with other standards and auditing, IT is very new to me.  I came across your forum as I searched for 'inspiration' and knowledge and as I said have been reading it ever since.  What a God send.  I am still learning the basics but I just wanted to thank you all for your time and knowledge that you are prepared to share with us even though some like myself are not as experienced or learned as many of you.”  You’re very welcome Louise.  Best wishes for your ISMS implementation and certification.  Do let us know how you get on - we like to celebrate whenever 'one of us' gets certified.
  • “I owe a big thank you for giving every professional a chance to interact in this forum.  I know it is not a simple task to take time for this kind of initiative.”  That’s kind of you Bala.  It’s my pleasure - really, I enjoy the discussions and the breadth of opinions expressed.  So long as I keep learning and enjoying the Forum, I will carry on running it.
  • “An excellent place to share and discuss the achievements, doubts, concerns regarding ISMS with serious mods and much experienced people makes this forum a unique one among many others.”  Glad to hear it Nitin!
  • “Firstly, I should thank you for giving this great platform to ISMS community.  There are a lot of people in this forum like me who gain a lot of understanding about ISMS via this forum.  Being a consultant whenever I feel like I am stuck I go through the discussions in the forum and most of the times get all the desired solutions.  Undoubtedly the participation is there from very few of the members. There are many members who get all their answers from discussions held earlier.  I strongly feel that we all should contribute in this forum.  May be due to some time constraints all members are not able to contribute.”  I agree Preetinder.  Members are actively encouraged - but not absolutely required - to post messages.  Some are probably just shy but hopefully their confidence will increase as they gain experience and see how the community supports its members.
  • “Thanks first and foremost of having successfully envisioned & ensured such a useful forum which has a varied amount of experience levels for the last so many years.  I personally try and follow most of the discussion and never stop amazing at the commonality of issues across geographic boundaries.”  Thanks for your inputs too, Ajai.  We do indeed have a wide spectrum of members’ cultures represented here.
  • “This forum is truly an active knowledge base with authentic ideas coming in not only from members who are dealing with the ISO 27001 standard in their respective environments but also some other experienced members who share their knowledge and seek advice from the group.  I personally use this forum for brainstorming and to get expert ideas from different people with various experiences.” Glad to hear that, Faiz.
  • “From my point of view this forum is all I need to implement the ISMS standard and share my knowledge. You are doing a great job in here and trust me the world needs it.”  Cheers Anca.  I think perhaps you are using rather more than literally just the Forum but I appreciate the sentiment!
  • “Excellent forum.  Personally I have found this forum to be a critical source of advice and information and also the assurance that the advice is coming from highly qualified members.”  Good point Mark.  The membership criteria may be restrictive but you are right that the value of the group depends on the quality of its inputs, which in turn relates to the experience and qualifications of participants.
  • “Greetings all, I also appreciate this forum and have gained much from it since I joined a few months ago.  Since joining I responded once to an enquiry.  There are times when I agree with the responses given by others and do not add my two cents for fear of "piling on" when responses are on target or nearly so.  There may also be a large number of learners who are engaged members of the forum who gain from the exchanges without responding.  If the forum is for sharing information and raising awareness among people of varying expertise and experiences, I think the forum works effectively.  I suspect that some of the 1700 may share this view also.  Thanks for the opportunity to share and to learn.”  You are welcome LDyson.
  • “This is one of the very few serious forums available in the net which does not have any spam, and all the postings are professional ... Thank you for conceiving and managing such an excellent forum.”  Thank you Surendro, and all Forum members for making it what it is.
  • “I am one of those who contribute little but receive/read a lot on this group and benefit in great deal.  Most of the time the ideas that I have on a situation are shared/voiced by another member of the group so I don't repeat the words.  I must say that this is one the best groups I am a member of and I have access to best professional opinions.  I suggest let's open up a bit and let more professionals join the group, 1700 is a very small number, let's have some fresh blood and let's have fresh ideas.  However we should have the policy defined for entry.  I also suggest let's not remove people from the group because people like me are actually accumulating the data base and knowledge that may be useful in a future situation, they might come back and access the relevant topics and get the details and use that in their job.  I think some of us may pick up all the ideas discussed so far on this group, review these and improve these and put that in the form of a reference manual on the website for everyone to have an access.  This may be charged by the administrator / owner / group and may become bible for ISMS.  Should have searchable facility on topics / discussion.  Just one idea.”  OK Tariq, thanks.  Rest assured we have not totally discarded the entry criteria but have relaxed them a bit.  We won’t remove members simply because they are quiet or shy!  The accumulated discussions are already searchable using the Google Groups web interface and we do try to save the most frequent or useful discussions and contributions in the FAQ and/or the Toolkit.
  • “This has been an excellent forum and been very efficient since the day I joined.  Thank you so much for your effort.  I agree with the other members that the entry criteria should stay, it is our control mechanism to mitigate potential risks : )”  I like it Nor!
  • “I for one did all my research on this forum and went on to achieve ISO 27001 for my company so for someone looking for real world answers this is the place...”  Well done Franklin.  Forum members gaining their certification is definitely cause for celebration.  Cheers!
  • “Thanks for the great work all of you guys are doing in this forum.  It's by far the most informative I have found on ISMS, ISO 27k etc.”  Thank you too Vicand.
  • “I just wanted to get in touch with some praise as I am very impressed with everything that goes on in this forum.  Since joining I have bought the standards as per your recommendation online and I have opened my eyes to all that is possible from a commercial and more importantly practical point of view.  My company has been developing a Risk Assessment plan for SMEs and although I have a guy that has a masters in IT Security working on the plan, we're finding so many good points from the forum that it is helping us a great deal.”  Cheers Dave!
  • “I have used iso27001security.com material extensively and I am very grateful to you and its contributors.  I am pleased that I am now able to give something back ...”  Thank you for the feedback and contributions, Julian.  That’s exactly the community spirit we seek.
Individually we are one drop