ISO27k & ISMS resources

Copyright © 2014 IsecT Ltd.

Sources of the ISO27k standards themselves

  • There are several sources so shop around for the best deals, for example on Google.
  • Several national standards bodies release translated versions of the ISO/IEC standards in their own languages.  They all go to great lengths to ensure that the translations remain true to the original, causing some delay while the English language versions from ISO/IEC are translated, reviewed and released.

Further info on the ISO27k standards & their implementation

  • Recommended resource: Incident response specialists QCC Information Security offer top-notch consultancy services and products for incident response, digital forensics, security and risk management, and GRC (governance, risk, compliance).
  • Recommended resource: The State of California Office of Information Security & Privacy Protection publishes useful infosec materials including example security policies, procedures, checklists, agreements and requests for proposals.  Conveniently, the Government Online for Responsible Information Management (Go RIM) section has a wealth of materials structured in line with ISO/IEC 27002.
  • Recommended resource: CLUSIF (Club de la Sécurité de l'Information Français) offers MEHARI, a risk assessment and management methodology that applies ISO/IEC 27005 guidance to ISO27k’s PDCA cycle.  Don’t be put off if your French is as poor as mine: the information and tools are also available in English.
  • Recommended resource: If you are actively implementing the ISO27k standards, you are welcome to join the ISO27k Forum to discuss the practicalities with others doing the same thing.  The international community offers free ISO27k implementation advice, giving you the benefit of our collective experience in this field.  Your own thoughts and inputs are most welcome, including queries, comments, contentious points to discuss, and feedback or improvement suggestions for this website.
  • Certification bodies such as International Standards Certifications audit ISMSs in order to certify their compliance with ISO/IEC 27001.  It is recommended to contact a certification body well before you plan to get your ISMS certified as they will need to schedule their auditors, and can offer advice on the fine details of the audit process while you still have time to line up your organization.  By the way, it is worth thinking about combining certification audits for multiple management systems standards such as ISO 9001 and ISO/IEC 20000, as well as ISO27k.
  • ISO/IEC 27001: the future of infosec certification by Taiye Lambo, originally published in ISSA Journal, outlines reasons for implementing an ISMS including legal and regulatory compliance as well as reducing the costs arising from information security incidents.
  • British Standards Institute has published a number of useful little ISMS guidance booklets over the years, including BSI/DISC PD005, which contained a very handy overview diagram showing the typical lifecycle of an organization’s ISMS project.  It would be good to see parts of this older material recycled into the newer guidance.
  • www.ISO27000.es is “el portal de ISO 27000 en Español”, the Spanish language equivalent of this site, while www.ISO27000.ru is the Russian version.
  • Comunidade Portuguesa de Segurança da Informação is a Portuguese community for those interested in implementing ISO27k information security management systems (mainly in Portuguese, but with some good papers also in English).
  • Open Directory Project (ODP) has a page of links to information security standards.

General information security management sources

Miscellany

  • “ISO” is not actually an acronym but the official name of the Swiss organization responsible for coordinating the world’s national standards bodies.  Joint Technical Committee 1 (JTC1) looks after ISO’s IT standards, while JTC1 Subcommittee 27 (JTC1/SC 27) is specifically responsible for the standards covering IT security techniques.  JTC1/SC 27 is busy, judging by the number of security papers currently under consideration for encryption, privacy and identity management as well as ISO27k.
  • ISO27k traces its roots back to British Standard BS 7799 and, before that, a Code of Practice released by the UK Government’s DTI (Department of Trade and Industry).  The DTI is now called BIS (Business, Innovation and Skills) but retains an interest in promoting information security.
  • Recommended resource: IsecT Ltd. owns and operates this website, along with NoticeBored (an innovative ISO27k-aligned security awareness subscription service) and SecurityMetametrics, which describes PRAGMATIC security metrics.