About the Forum
Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of about 4,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their queries, experience and expertise freely with others.
Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards (information security managers, CISOs, analysts, auditors, consultants, MSc and PhD students, members of ISO/IEC JTC1/SC 27 and others), particularly those who have practical implementation experience and knowledge they are willing to share with the community, and those who are taking their first baby steps towards adopting the standards.
The Forum and this website demonstrate our support for the liberal social principles on which the Web was founded - our way to give a little back to the world that gives us so much.
The Forum’s purpose
This is a practitioners’ group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in real world situations (see the list of typical threads below).
ISO27k Forum members:
- Are generally interested in information security standards;
- Usually have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, CRISC, GIAC and similar;
- Would like more information about applying the standards in real life, beyond that available on this website and elsewhere;
- Are planning to implement, actively implementing, fully compliant with or simply using the ISO27k standards, or are auditing organizations against the standards, or are experienced consultants advising clients about the standards;
- Often work for organizations that have been certified compliant with ISO/IEC 27001 or are working towards that point;
- Would like to help promote the standards more widely;
- May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect; and
- Wish to discuss information security management standards, practices, methods etc. with their professional peers.
Sharing is important to us or, as one of our members put it, “we are a TEAM - Together Everyone Achieves More”. The free ISO27k Toolkit is an example of what the community can achieve through selfless collaboration - a process now known as crowdsourcing.
The ISO27k Forum is a self-help ISO27k-user community that thrives on proactive involvement of its members in a supportive, friendly, multicultural atmosphere. Members are encouraged to ask questions, raise concerns, discuss challenges, offer answers, share tips and so forth, the more the merrier provided it remains on-topic, meaning ISO27k-related.
The Forum is a low-to-medium volume high-quality discussion group. Roughly one new topic or thread is started every working day, prompting a few responses:
We discuss anything and everything ISO27k-related, such as:
- Audit practices in relation to ISO27k - ISMS internal auditing and certification, surveillance audits and re-certification;
- Building the business case for information security and gaining executive support;
- Business continuity management including resilience, recovery and contingency planning;
- Classification of information - purposes and processes, types of information asset, labeling;
- Content, structure, purpose and value of information security policies, procedures And All That;
- Definitions and interpretations of terms such as “information asset”;
- Governance of information;
- How to implement the standards - pragmatic advice from those who have done it;
- Information asset inventory - what it is, how much detail is needed, how to structure it;
- Information risk management including identification, analysis and treatment, plus methods and tools, plus business impact analysis;
- Information security aspects of the software development and acquisition processes;
- Information security controls in various contexts e.g. electronic signatures, digital
- ISO/IEC 27002 implementation plans;
- Mandatory documentation needed for ISO/IEC 27001 certification;
- Meaning of Preventive Action and Corrective Action in the ISO27k/ISMS/ISO9k contexts;
- Metrics for information security incidents etc.;
- Need for document control procedures within the ISMS;
- New information security standards, not just ISO27k;
- Organization structures and other governance aspects for information security;
- Proper, secure disposal of confidential information;
- Protecting those information assets that walk in every weekday morning and go home every evening;
- Revision of existing standards;
- Risk and opportunity - what is that all about?;
- Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
- Risk management e.g. what are residual risks? What is risk appetite?;
- Scope definition, Statement of Applicability SOA and Risk Treatment Plans RTP - what they are, how they differ, what they are supposed to contain ...;
- Security awareness - why it’s needed, how to do it, how to make it effective;
- Standards status updates and news from ISO/IEC JTC1/SC 27;
- Support for Forum members facing awkward problems and making key decisions in their ISO27k implementation projects (e.g. scoping, estimating, gaining management support, inventorying assets, assessing risks, mitigating risks ...);
- Tangible and intangible elements of an ISO27k ISMS;
- Tools and resources supporting ISO27k implementers and users, particularly free/open source ones;
- Value of ISO/IEC 27001 certificates awarded to business partners.
This is just a potted selection to give you a flavour of the discussion. As well as the FAQ, we have accumulated a huge amount of worthwhile content in the group’s archive, so get to know Google’s search syntax to get the most out of it. If your question has not been adequately addressed already, by all means raise it on the Forum.
ISO27k Forum Projects (crowdsourcing)
From time to time, ISO27k Forum members collaborate as virtual teams to work on topical issues, including new materials for the ISO27k Toolkit. We have also contributed to the promotion and further development of the ISO27k standards, for instance collaborating in an online group project to develop an ISMS Auditing Guideline that was contributed to the ISO/IEC group developing ISO/IEC 27007.
OK, sign me up!
If you have a keen interest in the ISO27k standards and are willing to participate actively in the discussions, by all means apply to join the Forum. The Forum is a Google Groups mailing list a.k.a. email reflector: emails sent by Forum members to the Forum’s email address are reflected back to all Forum members.
Google determines how the group works. You can blame Google for insisting that you join and login to Google before it even gives you the option to apply to join the group. On the upside, you can manage your group subscriptions yourself through groups.google.com, and messages don’t suffer the extended delays that are so common on Yahoo!
Membership of the ISO27k Forum is FREE but please make your case briefly when you apply to join: in just a few short words, persuade us that you are suitably qualified and have some experience that you are willing to share with the community. If you say nothing at all, don’t be surprised if your application is rejected just as rudely. If you wish to appeal following a rejected application, please contact us directly. We’re reasonable people. Don’t take things personally. We’re simply trying to block the spammers.
Spammers are less welcome than walls dividing nations
If you post messages to the Forum, other members may occasionally email responses directly to you rather than to the entire group. We actively discourage anyone from overtly advertising on the Forum or pestering members but if you are clearly seeking services or information, vendors may contact you directly/off-list. Feel free to create a unique email address solely for the Forum and please let us know straight away if you receive spam on it, indicating a control lapse somewhere. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the ravenous bugblattered beast of Traal or, under our environmental policy, may be gently composted back into mother Earth.
Please note that although only members may post to the Forum, it is world-readable so be careful what you say. We can’t guarantee you the right to be forgotten.
Forum tips and etiquette
The following guidelines are meant to keep the ISO27k Forum on the right track, and benefit the whole community. Thank you for your understanding, patience and compliance:
- Please be professional and respectful at all times. Some of our members are new to this game and occasionally make naive or misguided statements. Be gentle with them - we all had to start somewhere. Some of us are old hands. and with experience and age comes a tendency to arrogance and crankiness. Try to see beyond the words to tease out the underlying wisdom which we’re sure is there, somewhere.
- Please add your name to your postings, indicating how you prefer to be addressed. Members from cultures that normally put the family name first take note: it helps to give us a clue about your “first name” or “given name”, the name that your friends call you. We are pretty informal so there’s no need for titles or qualifications here. If you don’t give your name, we might make one up for you.
- Before asking a question on the Forum, please explain your context. Why are you asking the question? Why does it matter? What have you already done in an attempt to find an answer (e.g. have you Googled it and searched the ISO27k FAQ and ISO27k Toolkit on this website)? What kind and size of organization do you represent? How mature is its ISMS? Forum members can provide more meaningful and helpful answers if you make the effort to clarify your question. Ultra-brief context-free questions such as “How many people should we have to implement our ISMS?” tend to go nowhere fast and often stir up somewhat sarcastic and cynical responses. For further advice on asking questions intelligently, see here, here and here. Help us help you.
- The Forum is non-commercial. We actively discourage members from overtly advertising or promoting their organizations and products, making commercial offers, advertising vacancies etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable. Please help us keep this a professional self-help forum. To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum. Forum members who break this rule will probably find future postings censored and, if they continue flaunting the rules, they will be mysteriously removed from the group one day without further ado.
- The Forum’s primary language is English, meaning plain English, not TXT-speak. However this is a truly international community, hence English is not the first language of many members. Please turn a blind ear to the occasional speling grammatical and errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans. Please take non-English discussions off-line or find (or set up!) a similar forum for your languages of choice, but of course we would welcome an English summary if you have something relevant to contribute.
- When you first join any online forum, it is considered polite to scan the archives (using the Google Groups Web interface and search function) before posting a question to see whether it is on-topic and perhaps has already been answered. We don’t expect you to read every post back to 2006 but please glance back a few weeks at least to see where current threads came from and where we are headed. You might also like to read the ISO27k FAQ.
- When responding to a post, please don’t change the subject line unless you are deliberately going off at a tangent. Google Groups uses the subjects to thread related messages together - with one exception: if you are replying to a Forum message received as part of a digest, please use the original poster’s subject line and trim out irrelevant messages.
- Stay on-topic please! There are plenty of other mailing lists and resources out there for other aspects of information security management. This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters. Anything else (such as technical queries about information or IT security controls, or general stuff such as vacancy notices, job-hunting, advertisements, press releases and jokes) is basically just noise. Help us keep the signal-to-noise ratio right up there in the green zone.
- Through the web interface, Google Groups gives you the option of receiving each message individually or as a daily digest. You can also suspend the delivery of Forum messages (e.g. while you are on holiday), change email addresses or unsubscribe from the Forum (the same as sending an email to the unsubscribe address at the bottom of every Forum message). As a last resort if you are having trouble with the Google Groups settings, please email the Forum Admin for help.
- You may like to file incoming messages automatically into their own folder if your email client has this functionality. To make this easy, all Forum messages contain the text “[ISO 27001 security]” in the subject line. Simply set up a rule to pop emails with that string in the subject into their own folder as they arrive.
- Respect copyright law in accordance with section 15 of ISO/IEC 27002. Do not circulate copyright materials (including ISO/IEC standards!) unless you are the copyright owner or have the copyright owner’s express permission. Instead of pirating materials that do not belong to you, by all means share URLs for materials legitimately published on the Web. Likewise, please respect the copyright of Forum members: do not republish, forward or circulate Forum postings outside the Forum without the authors’ agreement (it is polite to ask them - most of us are flattered to be asked). Forum members who willfully break this rule will be - and indeed have been - summarily booted-off the Forum without further warning. If we are really annoyed, we might subject you to a Vogon poetry recital as well.
- If you are going to be away from the office, please don’t set an Out-Of-Office message that automatically responds to Forum messages, thereby generating another Forum message ... The Forum member who actually did this, generating an OOO storm of approximately 700 messages in a few hours, has been despatched beyond the stratosphere without a space suit to contemplate the meaning of life, the universe and everything.
- Finally, if you are unclear about the rules and wary of posting something potentially inappropriate, please email the Forum Admin about it first. I’m a reasonable person so go ahead, reason with me, persuade me that posting it is in the best interests of the forum. It may be fine as-is or with a slight change of wording, or there may be an even better way of achieving what you want. You are much less likely to find yourself kicked-out, cast adrift and spinning in a vacuum anyway.
Genuine feedback from Forum members
- “Thank you for the fantastically useful website. I use the documents and tools to extend my knowledge and competence.” You’re welcome, Todd, my pleasure.
- “Glad you have chosen to continue the forum. I think you do a sterling job, appreciated by us all.” Cheers Harry! We appreciate your involvement too.
- “I am a new-comer to this forum. I have been reading your emails and response to questions now for couple of months. I work in a small IT company with a new data centre and have been charged as Best Practice coordinator with implementing an ISMS and striving towards certification under ISO 27K. Although I have a legal background and have worked with other standards and auditing, IT is very new to me. I came across your forum as I searched for 'inspiration' and knowledge and as I said have been reading it ever since. What a God send. I am still learning the basics but I just wanted to thank you all for your time and knowledge that you are prepared to share with us even though some like myself are not as experienced or learned as many of you.” You’re very welcome Louise. Best wishes for your ISMS implementation and certification. Do let us know how you get on - we like to celebrate whenever 'one of us' gets certified.
- “I owe a big thank you for giving every professional a chance to interact in this forum. I know it is not a simple task to take time for this kind of initiative.” That’s kind of you Bala. It’s my pleasure - really, I enjoy the discussions and the breadth of opinions expressed. So long as I keep learning and enjoying the FOrum, I will carry on running it.
- “An excellent place to share and discuss the achievements, doubts, concerns regard ISMS with serious mods and much experienced people makes this forum a unique one among many others.” Glad to hear it Nitin!
- “Firstly, I should thank you for giving this great platform to ISMS community. There are a lot of people in this forum like me who gain a lot of understanding about ISMS via this forum. Being a consultant whenever I feel like I am stuck I go through the discussions in the forum and most of the times get all the desired solutions. Undoubtedly the participation is there from very few of the members. There are many members who get all their answers from discussions held earlier. I strongly feel that we all should contribute in this forum. May be due to some time constraints all members are not able to contribute.” I agree Preetinder. Members are actively encouraged - but not absolutely required - to post messages. Some are probably just shy but hopefully their confidence will increase as they gain experience and see how the community supports its members.
- “Thanks first and foremost of having successfully envisioned & ensured such a useful forum which has a varied amount of experience levels for the last so many years. I personally try and follow most of the discussion and never stop amazing at the commonality of issues across geographic boundaries.” Thanks for your inputs too, Ajai. We do indeed have a wide spectrum of members cultures represented here.
- “This forum is truly an active knowledge base with authentic ideas coming in not only from members who are dealing with the ISO 27001 standard in their respective environments but also some other experienced members who share their knowledge and seek advice from the group. I personally use this forum for brainstorming and to get expert ideas from different people with various experiences.” Glad to hear that, Faiz.
- “From my point of view this forum is all I need to implement the ISMS standard and share my knowledge. You are doing a great job in here and trust me the world needs it.” Cheers Anca. I think perhaps you are using rather more than literally just the Forum but I appreciate the sentiment!
- “Excellent forum. Personally I have found this forum to be a critical source of advice and information and also the assurance that the advice is coming from highly qualified members.” Good point Mark. The membership criteria may be restrictive but you are right that the value of the group depends on the quality of its inputs, which in turn related to the experience and qualifications of participants.
- “Greetings all, I also appreciate this forum and have gained much from it since I joined a few months ago. Since joining I responded once to an enquiry once. There are times when I agree with the responses given by others and do not add my two cents for fear of "piling on" when responses are on target or nearly so. There may also be a large number of learners who are engaged members of the forum who gain from the exchanges without responding. If the forum is for sharing information and raising awareness among people of varying expertise and experiences, I think the forum works effectively. I suspect that some of the 1700 may share this view also. Thanks for the opportunity to share and to learn.” You are welcome LDyson.
- “This is one of the very few serious forums available in the net which does not have any spam, and all the postings are professional ... Thank you for conceiving and managing such an excellent forum.“ Thank you Surendro, and all Forum members for making it what it is.
- “I am one of those who contribute little but receive/read a lot on this group and benefit in great deal. Most of the time the ideas that i have on a situation are shared/voiced by another member of the group so I don't repeat the words. I must say that this is one the best groups I am a member of and I have access to best professional opinions. I suggest lets open up a bit and let more professionals join the group, 1700 is a very small number, lets have some fresh blood and lets have fresh ideas. However we should have the policy defined for entry. I also suggest lets not remove people from the group because people like me are actually accumulating the data base and knowledge that may be useful in a future situation, they might come back and access the relevant topics and get the details and use that in their job. I think some of us may pick up all the ideas discussed so far on this group, review these and improve these and put that in the form of a reference manual on the website for everyone to have an access. This may be charged by the administrator / owner / group and may become bible for ISMS. Should have searchable facility on topics / discussion. Just one idea.” OK Tariq, thanks. Rest assured we have not totally discarded the entry criteria but have relaxed them a bit. We won’t remove members simply because they are quiet or shy! The accumulated discussions are already searchable using the Google Groups web interface and we do try to save the most frequent or useful discussions and contributions in the ISO27k FAQ and/or the ISO27k Toolkit. The Forum has grown to nearly 4,000 members as I write this note so I guess we’re doing something right.
- “This has been an excellent forum and been very efficient since the day I joined. Thank you so much for your effort. I agree with the other members that the entry criteria should stay, it is our control mechanism to mitigate potential risks : )” I like it Nor!
- “I for one did all my research on this forum and went on to achieve ISO 27001 for my company so for someone looking for real world answers this is the place...” Well done Franklin. Forum members gaining their their certification are cause for celebration. Cheers!
- “Thanks for the great work all of you guys are doing in this forum. Its by far the most informative I have found on ISMS, ISO 27k etc.” Thank you too Vicand. It’s our pleasure.
- “I just wanted to get in touch with some praise as I am very impressed with everything that goes on in this forum. Since joining I have bought the standards as per your recommendation online and I have opened my eyes to all that is possible from a commercial and more importantly practical point of view. My company has been developing a Risk Assessment plan for SME's and although I have a guy that has a masters in IT Security working on the plan, we're finding so much good points from the forum that it is helping us a great deal.” Cheers Dave!
- “I have used iso27001security.com material extensively and I am very grateful to you and its contributors. I am pleased that I am now able to give something back ...” Thank you for the feedback and contributions, Julian. That’s the spirit! Although we don’t charge for Forum membership, contributions of intellectual property that benefit our members and donations to offset our costs are very welcome.