ISO 27001 & BS 25999 Blog - Latest Comments

Re: Top 10 information security blogs

lector amigo — Wed, 09 May 2012 13:19:21 -0000

Cryptex, no?

Re: The importance of Statement of Applicability for ISO 27001

Abcdefghijk — Mon, 23 Apr 2012 05:09:36 -0000

Nice and informative post

Re: ¿Cuánto cuesta la implementación de la norma ISO 27001?

Jos Mar Mercado — Mon, 16 Apr 2012 12:32:43 -0000

It is important what you mention in the blog, since your experience directs his that newly we begin in this experience of implementation of ISO 27001. In the possible and low thing your valued time, you agradeceria support me as teacher and guide, in a safety project of the information that I come initiating for a state entity.

Regards from Lima - Peru

Re: ¿Cuánto cuesta la implementación de la norma ISO 27001?

Jose Maria Mercado Chirito — Mon, 16 Apr 2012 12:30:37 -0000

Es importante lo que mencionas en el blog, ya que tu experiencia nos encamina a los que recien empezamos en esta experiencia de implementacion de la ISO 27001. En lo posible y bajo tu preciado tiempo, te agradeceria me apoyes como maestro y guia, en un proyecto de seguridad de la informacion que vengo iniciando para una entidad estatal.

Saludos desde Lima - Peru

Re: How to become ISO 27001 Lead Auditor

Dejan Kosutic — Tue, 03 Apr 2012 05:06:35 -0000

Bilal,

There are several issues you would need to concetrate on, but I would say these are the ones that cause the most of the failures at the exam:
1) Finding the way in the standard
2) Assumptions
3) What does and what doesn’t have to be documented
4) Writing the finding statement

For more details please look at my webinar ISO 27001 Lead Auditor Course preparation training http://www.iso27001standard.co...

Re: How to become ISO 27001 Lead Auditor

Bilal Shafahat — Mon, 02 Apr 2012 12:34:57 -0000

Hi Dejan,
I am apprearing for the Lead Auditor exam. Please suggest me what part of the course should i concentrate more so that i will pass the exam. Your suggestion will be helpful
Thanks

Re: La importancia de la Declaración de aplicabilidad para la norma ISO 27001

Dejan Kosutic — Sun, 01 Apr 2012 05:16:41 -0000

Joel,

If I understood well, you are asking what would be the reasons for updating the policy and the Statement of Applicability. The reasons for changing the policy would be that the security objectives have changed, or that the security process has changed; the reasons for changing the SoA would be changed control objectives, or different way of implementing certain control.

Dejan

Re: La importancia de la Declaración de aplicabilidad para la norma ISO 27001

Joel Mercado — Fri, 30 Mar 2012 09:55:30 -0000

Hola Dejan.

Al aplicar el ciclo de Deming, la consulta sería:
Sobre un mismo proceso donde se implemento el SGSI ¿Cuáles serían las razones para actualizar las políticas y la declaración de aplicabilidad?
Gracias.

Re: How to become ISO 27001 Lead Auditor

Darshna — Sun, 25 Mar 2012 04:00:23 -0000

Dear Mr. Dejan

I'm very happy by reading this "How to become ISO 27001 Lead Auditor", it has helped me lots in order to take decision how much time it would take to be ISO 27001 lead auditor. Thank you very much for putting this information in very simple and straight manner.

Re: Lessons learned from ISO 27001 implementation

Dejan Kosutic — Tue, 13 Mar 2012 03:55:36 -0000

In my opinion, there are 2 good reasons why you need to pay for ISO 27001 documentation:

1) If you want to implement ISO 27001, you need to make an investment - if nothing else, your employees will have to spend quite a lot of time. Since you will need to invest, you have to figure out how to decrease the level of investment - good documentation templates will save you considerable amount of time.

2) Actually you can find some free documentation templates on the Internet. But the problem with those free documents is that they are not comprehensive, and they won't cover everything required by the standard. On the other hand, we have invested quite an effort in developing the Documentation Toolkit which covers everything you need - and yes, it is not free.

Re: Lessons learned from ISO 27001 implementation

Treed-iso27001standard Com — Mon, 12 Mar 2012 14:30:13 -0000

But how/where can one actually get one's hands on the ISO27000 standards documents? I've been looking all over and it appears that they are pay-only which is rather unfortunate for a security standard as that ensures a lot of people won't implement it (even partially) simply because they can't get their hands on it.

Re: Using ISO 9001 for implementing ISO 27001

Manendra Liyanage — Wed, 07 Mar 2012 11:03:22 -0000

Dear Dejan

this is really important. It's admired that most of the professional don't think about this aspect of the security

Re: Lista de verificação para implementação da ISO 27001

Paulo — Sun, 26 Feb 2012 07:33:28 -0000

Muito Bom.

Re: Mandatory documented procedures required by ISO 27001

sbobet — Fri, 24 Feb 2012 05:34:00 -0000

you have a very creative and very interesting post, i just bookmark your page.
will also tell my close friend to ready this and maybe also spread your post in the
social network. very excellent !!

Re: ISO 27001 risk assessment & treatment – 6 basic steps

Joe W — Mon, 20 Feb 2012 10:33:06 -0000

Hi - thanks for the reply. There are plenty of examples of "Best Practice" though - ISO27002, PCIDSS, CIS standards, the Grunschutz manual.

I have started a thread at the ISO27001security google group, will be interesting to see the discussion there.

Regards

Re: ISO 27001 risk assessment & treatment – 6 basic steps

Dejan Kosutic — Fri, 17 Feb 2012 07:45:28 -0000

I agree IT Grundschutz is a bit too much - when you perform the normal risk assessment according to ISO 27001, it takes somewhere between 1 and 3 months, depending on the size of the company.

To answer your question - if you followed only the "best practice" (if such thing really exists) and common sense, chances are you are going to miss something important. In my experience, the clients I've worked with are aware only of only 40 to 50% of risks, therefore initially didn't plan for controls to mitigate such risks.

Yes - risk assessment takes time. But if you do it properly, you'll discover a lot of things you weren't aware, and only then you will realize it was an investment that was worth it.

Re: ISO 27001 risk assessment & treatment – 6 basic steps

Joe W — Fri, 17 Feb 2012 07:13:51 -0000

I am struggling to understand the benefit of following a formal risk assessment methodology, relative to its cost.

If you catalog all your information assets, the vulnerabilities of each, and the threat agents which might exploit those vulnerabilities, and assess the impact and likelihood of each risk actually happening, and mapping them to security controls ... you would spend days or weeks creating an enormous document which I suspect no one (apart from the ISO27001 auditor) would ever read!

For example I had a look at the Grundschutz manual which is about 3000 pages long! It lists about 400 "threats" (doesn't seem to separate "vulnerabilities" and "threat agents").

In practice the fact that we have any particular security control (such as using anti-virus software and making sure it is up to date) is because it's common sense, best practice, everyone does it and everyone (your customers etc.) expects you to do it.

Perhaps I am missing something?

Re: How long does it take to implement ISO 27001 / BS 25999?

Fred Scholl — Tue, 07 Feb 2012 16:57:51 -0000

Good post. 27001/2 are in need of major facelift. Hopefully this facelift can enable more adoption in US.

Re: Risk assessment tips for smaller companies

Dejan Kosutic — Fri, 03 Feb 2012 10:14:23 -0000

Sean,

Here you can see our threats & vulnerabilities catalogue: http://wiki.iso27001standard.c...

Re: Risk assessment tips for smaller companies

Sean Facer — Fri, 03 Feb 2012 08:54:50 -0000

Where can i get a threats and vulnarabilites catalogue?

Re: What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

Stevelewis1 — Thu, 02 Feb 2012 08:45:13 -0000

One of the best, most concise explanations of RTO / RPO I've seen in a long time!

Re: Document management in ISO 27001 & BS 25999-2

Footinheaven — Sat, 21 Jan 2012 12:43:44 -0000

Great post

Re: How much does ISO 27001 implementation cost?

Dejan Kosutic — Sat, 21 Jan 2012 04:15:17 -0000

Rich,

Costs of the certification body for 50-employee company - the certification would take between 7 and 10 auditor man/days. The costs of the man/day vary from country to country, from US$ 500 to US$ 2000, so you would have to find out what is applicable for your country.

Other costs (consulting, training) vary even more - if the company has the employees with all the knowledge, they wouldn't have to spend much on it. If they need such services, the prices on the market are very different - if they buy it from our Information Security & Business Continuity Academy, the training (via webinars) would cost appx. US$ 1000 annually for one person, and ca US$ 5000 for documentation/mentoring/consulting services.
Dejan

[image: DISQUS] <http: disqus.com=""></http:>

Re: How much does ISO 27001 implementation cost?

Richsmi01 — Fri, 20 Jan 2012 09:22:32 -0000

Hi - I'm a graduate student working on a case study that involves ISO27001/17799 certification. I was hoping that I could ask you a favour. I know it is not possible to provide an accurate estimate of the cost of certification but I'm hoping that you can give me a ballpark, rough estimate. It would be a great help to have an estimate from someone who actually understands the process!

Our fictional company has about 50 employees and sells a secure, web-based document management system that does about 3 million dollars in business. I have already recommended the creation of an information security officer but I would like a rough cost for:
training
consulting
certification

Once again, this is a fictional company and your quote will only be used in a paper in our course and will never come back to haunt you but it will help us to get a better mark by showing that we've actually contacted experts in the field to help us to shape our plan!

Thanks for any information you can give me!
Rich.

Re: Problemas para definir el alcance de la norma ISO 27001

taniavero — Tue, 17 Jan 2012 10:58:48 -0000

Hola soy estudiante y pues estoy limitando el alcance solo para el departamento de TI, pero de hai que hago como especifico de manaera detallada....ayuda estoy confundidididsisisima