This FAQ addresses Frequently Asked Questions concerning the ISO/IEC 27000-series (“ISO27k”) standards. It provides generic explanations and advice and comes with a liberal sprinkling of pragmatic implementation tips.
FAQ: About the ISO27k standards START HERE!
General, relatively basic questions typically posed by complete newcomers to ISO27k. If you are confused and don’t know where to start, read this.
FAQ: Get going on your ISO27k implementation
Practical advice about scoping, structuring and gaining management support for an ISMS implementation project, and the initial activities.
FAQ: Information risk management
The entire ISO27k approach is risk-aligned, so a thorough understanding of the concepts and practices involved in managing information risk is fundamental.
FAQ: ISMS documentation
Describes the mandatory documents formally required by ISO/IEC 27001, such as information security policies and procedures, plus others that are recommended or good practice.
FAQ: ISMS maturity
Addresses issues that tend to crop up later on, once an ISMS is operating normally.
FAQ: ISMS auditing and certification
Questions concerning ISMS internal audits and certified compliance of an ISMS against ISO/IEC 27001.
If you are grappling with novel issues, or have further ISO27k-related questions that you would like answered, please join and post your queries on the ISO27k Forum. We reserve the right to reproduce or plagiarise common or generally useful questions and answers here for the benefit of all our visitors, albeit anonymously and in a generic manner.
We are neither infallible nor all-knowing so please bear with us if we or other ISO27k Forum members take a while to respond, are sometimes a bit vague, and make mistakes. Occasional responses are contradictory ... and those are sometimes the most interesting. If you are experienced in this field and have better, more precise, more accurate or simply alternative answers to the questions in this FAQ, by all means bring them up on the Forum or get in touch.
Pragmatic hints and tips from those of you who have actually been right through the process of designing, implementing and using an ISO27k ISMS are particularly welcome. There are practical limits to the amount of free advice we can provide!