The ISO27k Forum
The Forum is a Google Group/email reflector for ISO27k practitioners,
a supportive global community of peers-helping-peers.

The back story
Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of more than 5,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their experience, expertise and wisdom freely with others.

Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards, particularly those with practical implementation experience and knowledge they are willing to share with the community.
We also welcome students and newbies taking their first baby steps, studying and in time maybe adopting the standards.

The Forum and this website demonstrate our support for the liberal social principles on which the Web was founded - our way to give a little back to the online world that gives us so much.
Purpose and vision
This is a practitioners’ group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in genuine real-world situations (see the typical topics).
Typical ISO27k Forum members:
- Are generally interested in information security standards;
- May have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, CRISC, GIAC and similar;
- May be CISOs, ISMs, CROs, Compliance Managers, Cybersecurity Managers, Infosec Consultants, IT Security Specialists, Security Analysts or whatever;
- May be students, academic researchers and teachers;
- Would like more information about applying the standards in real life, beyond that available on this website and elsewhere;
- Are planning to implement, actively implementing, fully conformant with or simply using the ISO27k standards, or are auditing organisations against the standards, or are advising others about the standards;
- May work for organisations that have been certified conformant with ISO/IEC 27001 or are working towards that point;
- Would like to help promote the standards more widely;
- May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect;
- Wish to discuss information security management standards, practices, methods etc. with the community of professional peers;
- Are here to give and to take, to contribute knowledge and learn new stuff.
Sharing is important to us. As a member put it, “We are a TEAM - Together Everyone Achieves More”.

Our favourite topics
The Forum is a low-volume high-quality group. We discuss anything and everything ISO27k-related, such as:
- Assurance - ISMS internal audits, management reviews, certification, surveillance, accreditation, supplier security audits, trust centres ...;
- Business Continuity Management including resilience, recovery and contingency planning, and ISO 22301;
- Business cases: reasons to embrace the ISO27k standards in furtherance of business objectives, going beyond mere conformity, and gaining executive/board-level support;
- Concepts and terms-of-art in risk and security e.g. threats, vulnerabilities, probabilities, impacts, exposure, incidents, CIA, preventive, detective, corrective controls, people, process, physical, technology controls, inherent and residual risks, risk appetite, risk tolerance, risk vs opportunity, protecting and exploiting information ...;
- Control attributes - using the parameters, characteristics or features to select and make the most of security controls;
- Documentation - mandatory vs discretionary, audiences, purposes, content, document controls ...;
- Governance of information, information risk, information security etc., including organisation structures, reporting lines, direction, oversight, monitoring and conformity, management support and involvement, integrating management systems;
- How to implement the standards - pragmatic advice from those who have been there, done that;
- Information risk management methods such as Business Impact Analysis, threat intelligence, risk modelling;
- Information security controls for software, system, network and service development, provision and acquisition, for cloud, privacy, safety, IT, OT, AI, IoT ...;
- Information Security Management Systems, of course, plus viable strategies, implementation plans, resourcing, timescales, priorities, options, shortcuts, tips;
- Metrics for measuring information risk and security, for monitoring, reporting and management;
- News about ISO27k and related standards;
- Policies, procedures, rules, guidelines, laws and regulations, content, structure, purpose and value, compliance, conformity, enforcement and reinforcement;
- Preventive and corrective actions, continual improvement, maturity, post-incident reviews ... and incident management;
- Privacy, data protection, safety, quality and other obligations;
- Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
- Scope, Statement of Applicability and Risk Treatment Plans - what they are, how they differ, what they do, what they are supposed to contain ...;
- Security awareness - why it’s needed, how to do it, making it cost-effective;
- 'The ISO27k way' - a systematic, structured, information risk-driven approach underpinning all the ISO27k standards;
- Tools and resources supporting busy CISOs, ISMs, SOCs, analysts, trainers, documenters and consultants.

This is just a potted selection to give you a flavour of the discussion. As well as the FAQ, we have accumulated a huge amount of worthwhile content in the group’s archive so it's worth getting to grips with Google’s search syntax.

Projects
Occasionally, ISO27k Forum members collaborate in crowdsourcing topical issues, such as drafting new materials for the ISO27k Toolkit. We have also contributed to the promotion and further development of the ISO27k standards.

Privacy
If you join the ISO27k Forum, you will obviously receive ISO27k-related emails. We will not exploit, sell or give away your email address or other personal information. If you post a message to the Forum, your email address is shown in the message header. Other members may email you directly rather than the entire group.
We actively discourage anyone from overtly advertising on the Forum or pestering members but vendors may contact you directly/off-list if you express an interest in their products. Feel free to create a unique email address solely for the Forum and please let us know if you receive spam. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the ravenous bugblattered beast of Traal or, under our environmental policy, may be gently composted back into mother Earth.

Forum tips and etiquette (important!)
Guidelines to keep the ISO27k Forum on track, and benefit the whole community:
- Please be professional and respectful at all times.
- The Forum is deliberately non-commercial:
  - No advertising or promoting your organisations and products, no commercial offers, no vacancy notices etc. Definitely no spamming! Conventional email signatures are fine though. Just be discreet.
  - Take commercial matters off-line with individuals, not via the Forum.
- Add your name to your postings: what should we call you?
- The Forum’s primary language is plain English. Be considerate.
- Browse the archives (using the Google Groups search) before posting. Glance back a few weeks at least to see where current threads arose. Read the ISO27k FAQ.
- Stay on-topic! This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters.
- Take a moment to explain your context:
  - Why are you writing? Why does it matter?
  - What have you already done in an attempt to find an answer?
  - What type of organisation do you represent? Industry? Size? Location?
  - How mature is your ISMS? What stage are you at?
- When responding to a post, don’t change the subject line unless you are deliberately heading off at a tangent. Gmail and other mailers string related messages into threads by the subject line.
- For further advice on asking questions intelligently, see here and here.
- Manage your subscription via the Google Groups web interface:
  - Receive each message individually or as regular digests.
  - Suspend Forum emails temporarily or permanently (access online instead).
  - Change your email address.
  - Unsubscribe and leave the Forum.
- File Forum emails automatically in your email software. All emails contain “[ISO 27001 security]” in the subject line: set up a rule to move emails with that subject string into a suitable folder to browse, search and read at your leisure.
- Respect intellectual property rights and laws:
  - Do not circulate copyright materials (such as ISO/IEC standards!) on the ISO27k Forum unless you are the copyright owner or have the copyright owner’s express permission.
  - This is a hard and fast rule, no exceptions, no second chances. Don't risk the Forum's existence as well as prosecution.
  - It is generally OK to share URLs for materials legitimately published on the Web, rather than sharing the content.
  - Respect the copyright of Forum members too. Don't share Forum postings elsewhere without first getting the authors’ agreement.
- Finally, if you are unclear about the rules, bothered about recent exchanges or wary of posting something inappropriate, email the Forum Admin.

If you have a keen interest in the ISO27k standards and intend to participate actively in the community, apply to join the ISO27k Forum.
Membership is FREE but please make your case briefly when you apply to join: in just a few short words, persuade us that you are qualified and willing to share. If you ignore this request and leave the application blank, don’t be surprised if your application is rejected just as rudely. Aside from excluding spambots, we like to know what brought you here and what interests you.
