How to address the main concerns with ISO 27001 implementation
by Dejan Kosutic - Monday, 4 November 2013.
Recently I delivered two webinars on the topic of ISO 27001, and before those webinars I asked the attendees to send me their top concerns regarding ISO 27001 implementation. I've summarized the most common concerns into the following five areas, and here's a detailed explanation of how I feel they should be addressed.

1. The effort required to transition from the 2005 revision to 27001:2013

It is true that every company certified against ISO 27001:2005 will have to transition to the 2013 revision within two years, and it is true that the 2013 revision has some new requirements while some old ones are gone. It is also true that this process won't be finished in a couple of hours, but it certainly doesn't have to be anything close to the effort of the initial implementation of the standard. The key is careful planning: if you know exactly which steps you need to take, you will reduce this transition effort to a minimum. With this in mind, read my article How to make a transition from ISO 27001 2005 revision to 2013 revision.

2. Successfully communicating a beneficial reason why a company should implement ISO 27001

The key is to determine benefits for the business side of the organization: benefits that are easily understandable and that bring clear value to the business, not to IT. After all, the decision about ISO 27001 is not going to be made by the head of the IT department, but by your senior management. In my view, there are four potential benefits that may be applicable to companies: (1) compliance, (2) marketing advantage, (3) decreasing costs, and (4) optimizing processes. Read the details: Four key benefits of ISO 27001 implementation.

3. Setting up an appropriate and pragmatic risk assessment & treatment process

First of all, risk assessment and treatment cannot be performed by downloading some template you've found somewhere on the Internet, or by using the first tool you come across. Risk management needs to be done based on a risk assessment and treatment methodology that is adapted to the size of your company, your various requirements, and the sensitivity of the information you hold. Too many times I've seen small companies using a risk assessment tool that is made for large corporations, only to realize they have spent six months performing work they could have finished in one month, and with questionable results. Therefore, before starting your risk management process, you need to find an appropriate methodology that defines how to identify the main elements of your risks (assets, threats and vulnerabilities) and which scales you will use to evaluate the consequence and the likelihood. Register for this free webinar for more information: The basics of risk assessment and treatment according to ISO 27001.
