Thousands of ISO certifications at risk of lapsing due to halted re-certification audits

Thousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations’ premises to conduct essential re-certification audits during…

Risk terminology: Understanding assets, threats and vulnerabilities

Whether you’re addressing cyber security on your own, following ISO 27001 or using the guidance outlined in the GDPR (General Data Protection Regulation), the process begins by assessing the risks you face. You might have a broad idea of what a r…

Setting Up an ISO 27001-Compliant Remote Work Process

With the spread of more robust information and communication technologies, the possibility of remote work has become viable for a larger number of companies. However, allowing access to a company’s information systems from places and means of co…

ISO 27001: What’s the difference between a risk owner and an asset owner?

The latest iteration of ISO 27001 introduced the concept of risk owners in addition to asset owners. This strengthened the Standard’s stance that organisations must appoint people to take accountability for specific aspects of information securit…

ISO 27001: Understanding the needs and expectations of interested parties

Clause 4.2 of ISO 27001 details the needs and expectations of interested parties. An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s information security activities. To iden…

What to expect from Stage 1 and Stage 2 ISO 27001 audits

Those who are just getting to know ISO 27001 will no doubt find the audit a daunting prospect. It’s a big, complex task that can be tricky for even experienced professionals. But, as with many challenges, you can overcome any concerns by preparin…

Identifying assets for conducting an asset-based risk assessment

If you’re certifying to ISO 27001, one of the first things you need to do is identify your information assets. After all, it’s only once you know what you’re dealing with that you determine the threats associated with them. Information a…