About the ISO27k Forum
Since its launch back in 2006, the ISO27k Forum has grown steadily into a supportive and friendly global community of nearly 5,000 information security professionals, most of whom are actively using the ISO/IEC 27000-series standards and willing to share their experience, expertise and wisdom freely with others.
Membership of the Forum is free for those with a genuine professional interest in the ISO27k standards, particularly those with practical implementation experience and knowledge they are willing to share with the community. We also welcome newbies taking their first baby steps, studying and in time maybe adopting the standards.
The Forum and this website demonstrate our support for the liberal social principles on which the Web was founded - our way to give a little back to the online world that gives us so much.
The Forum’s purpose
This is a practitioners’ group with a practical focus, where (almost!) every contribution is treasured and every member valued. We mostly discuss matters of interest and concern to those interpreting and applying the ISO27k standards in genuine real-world situations (see the typical topics).
ISO27k Forum members:
- Are generally interested in information security standards;
- May have relevant professional qualifications, having completed ISO/IEC 27001 Lead Auditor or ISO27k Lead Implementer training, CISSP, CISM, CISA, CRISC, GIAC and similar;
- May be CISOs, ISMs, CROs, Compliance Managers, Cybersecurity Managers, Infosec Consultants, IT Security Specialists or whatever (
- Would like more information about applying the standards in real life, beyond that available on this website and elsewhere;
- Are planning to implement, actively implementing, fully compliant with or simply using the ISO27k standards, or are auditing organisations against the standards, or are advising others about the standards;
- May work for organisations that have been certified compliant with ISO/IEC 27001 or are working towards that point;
- Would like to help promote the standards more widely;
- May be involved in the standards bodies and committees responsible for developing the standards, or have an interest in this aspect; and
- Wish to discuss information security management standards, practices, methods etc. with the community of professional peers.
Sharing is important to us or, as one of our members put it, “we are a TEAM - Together Everyone Achieves More”. The free ISO27k Toolkit is an example of what the community can achieve through selfless collaboration - a process now known as crowdsourcing.
The ISO27k Forum is a self-help ISO27k-user community that thrives on proactive involvement of its members in a supportive, friendly, multicultural atmosphere. Members are encouraged to ask questions, raise concerns, discuss challenges, offer answers, share tips, debate topical issues and so forth, the more the merrier provided it remains on-topic, meaning ISO27k-related.
The Forum is a low-to-medium volume high-quality discussion group. Roughly one new topic or thread is started every day, prompting about three responses each.
We discuss anything and everything ISO27k-related, such as:
- Assurance - on being able to demonstrate and gain confidence if not actually prove stuff;
- Audit practices in relation to ISO27k - ISMS internal auditing and certification, surveillance audits and re-certification, accreditation as well;
- Building the business case for information security and gaining executive support;
- Business continuity management including resilience, recovery and contingency planning;
- Business benefits - reasons to embrace the ISO27k standards in furtherance of business objectives, going beyond mere conformity;
- Classification of information - purposes and processes, types of information asset, labelling;
- Content, structure, purpose and value of information security policies, procedures And All That;
- Control attributes - using the parameters, characteristics or features to select and make the most of information security controls;
- Definitions and interpretations of terms such as “information asset”;
- Governance of information, information risk, information security etc.;
- How to implement the standards - pragmatic advice from those who have already done it to those who are doing it or planning to do it;
- Information asset inventory - what it is, how much detail is needed, how to structure it;
- Information risk management including identification, analysis and treatment, plus methods and tools, plus business impact analysis;
- Information security aspects of the software development and acquisition processes;
- Information security controls in various contexts e.g. software development, cloud, IoT, privacy ...;
- Information Security Management Systems, of course;
- ISO/IEC 27002 implementation planning - timescales, activities, priorities ...;
- Management support, involvement, direction and oversight in this area;
- Mandatory vs discretionary documentation, and what those terms actually mean;
- Meaning of Preventive Action and Corrective Action in the ISO27k/ISMS/ISO9k contexts;
- Metrics for information security management;
- Need for document control procedures within the ISMS;
- New, updated or simply interesting and useful information risk and security-related standards (ISO27k and others);
- Organisation structures and other governance aspects for information security;
- Other governance frameworks, models and structures aside from ISO27k;
- Policies, procedures, rules and guidelines;
- Privacy, data protection and compliance with legal and regulatory obligations;
- Proper, secure disposal of confidential information;
- Protecting those information assets that amble in most weekday mornings and wander home in the evening;
- Revision of existing standards;
- Risk and opportunity - what is that all about?
- Risk and security concepts e.g. threats, vulnerabilities, probabilities, impacts, exposure, incidents, CIA, preventive/detective/corrective, people/process/technology ...;
- Risk analysis tips e.g. common information security threats to consider, methods and tools, ‘where to start’ advice;
- Risk management e.g. what are inherent and residual risks? What is risk appetite?
- Scope definition, Statement Of Applicability and Risk Treatment Plans - what they are, how they differ, what they do, what they are supposed to contain ...;
- Security awareness - why it’s needed, how to do it, how to make it effective;
- Standards status updates and news from ISO/IEC JTC 1/SC 27;
- Strategies and plans, approaches, options, shortcuts, handy tips, gotchas to avoid;
- Support for Forum members facing awkward problems and making key decisions in their ISO27k implementation projects;
- “The ISO27k Way” - a systematic, information risk-driven approach that underpins all of the standards;
- Tools and resources supporting ISO27k implementers and users;
- Value and meaning of ISO/IEC 27001 certificates to business partners and prospects.
This is just a potted selection to give you a flavour of the discussion. As well as the FAQ, we have accumulated a huge amount of worthwhile content in the group’s archive, so get to know Google’s search syntax to get the most out of it. If your question has not been adequately addressed already, or if you think it deserves another kick around the park and some fresh perspectives, by all means raise it on the Forum.
ISO27k Forum Projects (crowdsourcing)
Occasionally, ISO27k Forum members collaborate as virtual teams to work on topical issues, such as drafting new/updated materials for the ISO27k Toolkit. We have also contributed to the promotion and further development of the ISO27k standards, for instance preparing an ISMS Auditing Guideline that fed into ISO/IEC 27007.
OK, sign me up!
If you have a keen interest in the ISO27k standards and are willing to participate actively in the discussions, by all means apply to join the Forum. The Forum is a Google Groups discussion forum, mailing list or reflector: emails sent by individual Forum members to the Forum’s email address are ‘reflected’ back to all Forum members.
Google determines how the group works, technically. Blame Google for insisting that you join and login to Google before it even gives you the option to apply to join the group. On the upside, once logged in to the Google empire, you can manage all your group subscriptions yourself through groups.google.com
Membership of the ISO27k Forum is FREE but please make your case briefly when you apply to join: in just a few short words, persuade us that you are suitably qualified and have some experience that you are willing to share with the community. If you write nothing at all, don’t be surprised if your application is rejected just as rudely. We are simply reducing the spam risk.
If you post a message to the Forum, your email address is shown in the message header. Other members may email you directly rather than the entire group. We actively discourage anyone from overtly advertising on the Forum or pestering members but if you are clearly seeking services or information, vendors may contact you directly/off-list. Feel free to create a unique email address solely for the Forum and please let us know if you receive spam on it, indicating a control lapse somewhere. We utterly detest and actively fight spam. Any Forum members who spam other members will be fed limb-by-limb, organ-by-organ to the ravenous bugblattered beast of Traal or, under our environmental policy, may be gently composted back into mother Earth.
Forum tips and etiquette (important!)
The following guidelines are meant to keep the ISO27k Forum on the right track, and benefit the whole community. Thank you for your understanding, patience and conformity:
- Please be professional and respectful at all times. Some of our members are new to this game and occasionally make naive or misguided statements. Be gentle with them - we all had to start somewhere. Some of us are old hands, and with experience and age comes a tendency to arrogance and crankiness. Try to see beyond the words to tease out the underlying wisdom which we’re sure is there, somewhere.
- Please add your name to your postings, indicating how you prefer to be addressed. Give us a clue about your “first name” or “given name”, the name that your friends call you. We are informal here: there’s no need for titles or qualifications. If you don’t tell us your name, someone may invent one for you.
- Before asking a question on the Forum, please explain your context. Why are you asking the question? Why does it matter? What have you already done in an attempt to find an answer (e.g. have you Googled it and searched the ISO27k FAQ and ISO27k Toolkit on this website)? What kind and size of organisation do you represent? What is your industry sector? How mature is your ISMS? ... Forum members can provide more meaningful and helpful answers if you make the effort to clarify your question. Ultra-brief context-free questions such as “How many people are needed to implement our ISMS?” go nowhere fast and often stir up somewhat sarcastic and cynical responses. Students’ homework questions and consultants’ requests for templates for their clients don’t go down well either, and raise ethical concerns. For further advice on asking questions intelligently, see here and here. Help us help you.
- The Forum is non-commercial. We actively discourage members from overtly advertising or promoting their organisations and products, making commercial offers, advertising vacancies etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable. Please help us keep this a professional self-help forum. To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum. Forum members who break this rule will probably find future postings moderated and, if they continue flouting the rules, they will be quietly dropped from the group without further ado.
- The Forum’s primary language is English, plain English. However this is a truly international community, hence English is not the first language of many members. Please turn a blind ear to the occasional speling grammatical and errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans. Please take non-English discussions off-line or find (or set up!) a more suitable forum.
- When you first join any online forum, it is polite to scan the archives (using the Google Groups Web interface and search function) before posting a question to see whether it is on-topic and perhaps has already been answered. We don’t expect you to read every post back to 2006 but please glance back a few weeks at least to see where current threads came from and where we are headed. You might also like to read the ISO27k FAQ.
- When responding to a post, please don’t change the subject line unless you are deliberately going off at a tangent. Google Groups uses the subjects to thread related messages together - with one exception: if you are replying to a Forum message received as part of a digest, please use the original poster’s subject line and trim out irrelevant messages.
- Stay on-topic please! There are plenty of mailing lists and resources out there for other aspects of information risk and security management. This Forum is exclusively about the ISO/IEC 27000-series standards and closely related matters. Anything else is just noise. Help us keep the signal-to-noise ratio right up there in the green zone.
- Through the web interface, Google Groups gives you the option of receiving each message individually or as a daily digest. You can also suspend the delivery of Forum messages (for example if you only want to participate in the group online), change email addresses or unsubscribe from the Forum (the same as sending an email to the unsubscribe address at the bottom of every Forum message). As a last resort if you are having trouble with the Google Groups settings, please email the Forum Admin for help.
- You may like to file incoming messages automatically into their own folder if your email client has this functionality. To make this easy, all Forum messages contain the text “[ISO 27001 security]” in the subject line. Simply set up a rule to pop emails with that string in the subject into their own folder as they arrive.
- Respect intellectual property rights in accordance with clause 5.32 of ISO/IEC 27002 and applicable laws. Do not circulate copyright materials (such as ISO/IEC standards!) on the ISO27k Forum unless you are the copyright owner or have the copyright owner’s express permission. Instead, by all means share URLs for materials legitimately published on the Web. Likewise, please respect the copyright of Forum members: do not republish, forward or circulate Forum postings outside the Forum without the authors’ agreement (it is polite to ask them - most of us are flattered to be asked). Forum members who disregard IPR will be - and indeed have been - summarily booted-off the Forum without further warning. If we are really annoyed, we might subject you to a Vogon poetry recital as well.
- If you are going to be away from the office, please don’t set an Out-Of-Office message that automatically responds to Forum messages, thereby generating another Forum message ... The Forum member who actually did this, generating an OOO storm of approximately 700 messages in a few hours, has been despatched beyond the stratosphere without a space suit to contemplate the meaning of life, the universe and everything.
- Finally, if you are unclear about the rules and wary of posting something potentially inappropriate, please email the Forum Admin about it first. I’m a reasonable person so go ahead, reason with me, persuade me that posting it is in the best interests of the Forum. It may be fine as-is or with a slight change of wording, or there may be an even better way of achieving what you want. You are much less likely to find yourself kicked-out, cast adrift and spinning in a vacuum anyway.
Genuine feedback from Forum members & website users
- “Thank you very much! I have spent a significant amount of time reviewing and appreciating the content you share on your website. As an IA professional, I appreciate your tone & content – it is pragmatic, informative, useful, lightweight, lighthearted, and clearly informed. I can tell that you know your stuff and that you enjoy it.” IA: is that Information Assurance, Intelligence Analyst, Independent Assessor, Internal Auditor ... or ISO27k Admirer maybe? Thanks for the ego-boost Andrew.
- “Thank you for the fantastically useful website. I use the documents and tools to extend my knowledge and competence.” You’re welcome, Todd, my pleasure.
- “Glad you have chosen to continue the Forum. I think you do a sterling job, appreciated by us all.” Cheers Harry! We appreciate your involvement too.
- “I am a new-comer to this Forum. I have been reading your emails and response to questions now for couple of months. I work in a small IT company with a new data centre and have been charged as Best Practice coordinator with implementing an ISMS and striving towards certification under ISO 27K. Although I have a legal background and have worked with other standards and auditing, IT is very new to me. I came across your Forum as I searched for 'inspiration' and knowledge and as I said have been reading it ever since. What a God send. I am still learning the basics but I just wanted to thank you all for your time and knowledge that you are prepared to share with us even though some like myself are not as experienced or learned as many of you.” You’re very welcome Louise. Best wishes for your ISMS implementation and certification. Do let us know how you get on - we like to celebrate whenever 'one of us' gets certified.
- “I owe a big thank you for giving every professional a chance to interact in this Forum. I know it is not a simple task to take time for this kind of initiative.” That’s kind of you Bala. It’s my pleasure - really, I enjoy the discussions and the breadth of opinions expressed. So long as I keep learning and enjoying the Forum, I will carry on running it.
- “An excellent place to share and discuss the achievements, doubts, concerns regard ISMS with serious mods and much experienced people makes this Forum a unique one among many others.” Glad to hear it Nitin!
- “Firstly, I should thank you for giving this great platform to ISMS community. There are a lot of people in this Forum like me who gain a lot of understanding about ISMS via this Forum. Being a consultant whenever I feel like I am stuck I go through the discussions in the Forum and most of the times get all the desired solutions. Undoubtedly the participation is there from very few of the members. There are many members who get all their answers from discussions held earlier. I strongly feel that we all should contribute in this Forum. May be due to some time constraints all members are not able to contribute.” I agree Preetinder. Members are actively encouraged - but not absolutely required - to post messages. Some are probably just shy but hopefully their confidence will increase as they gain experience and see how the community supports its members.
- “Thanks first and foremost of having successfully envisioned & ensured such a useful Forum which has a varied amount of experience levels for the last so many years. I personally try and follow most of the discussion and never stop amazing at the commonality of issues across geographic boundaries.” Thanks for your inputs too, Ajai. We do indeed have a wide spectrum of cultures represented here. ISO27k is a global phenomenon.
- “This Forum is truly an active knowledge base with authentic ideas coming in not only from members who are dealing with the ISO 27001 standard in their respective environments but also some other experienced members who share their knowledge and seek advice from the group. I personally use this Forum for brainstorming and to get expert ideas from different people with various experiences.” Glad to hear that, Faiz.
- “From my point of view this Forum is all I need to implement the ISMS standard and share my knowledge. You are doing a great job in here and trust me the world needs it.” Cheers Anca. I think perhaps you are using rather more than literally just the Forum but I appreciate the sentiment!
- “Excellent Forum. Personally I have found this Forum to be a critical source of advice and information and also the assurance that the advice is coming from highly qualified members.” Good point Mark. The membership criteria may be restrictive but you are right that the value of the group depends on the quality of its inputs, which in turn relates to the experience and qualifications of participants.
- “Greetings all, I also appreciate this Forum and have gained much from it since I joined a few months ago. Since joining I responded once to an enquiry once. There are times when I agree with the responses given by others and do not add my two cents for fear of "piling on" when responses are on target or nearly so. There may also be a large number of learners who are engaged members of the Forum who gain from the exchanges without responding. If the Forum is for sharing information and raising awareness among people of varying expertise and experiences, I think the Forum works effectively. I suspect that some of the 1700 [now over 4,000!] may share this view also. Thanks for the opportunity to share and to learn.” You are welcome LDyson.
- “This is one of the very few serious Forums available in the net which does not have any spam, and all the postings are professional ... Thank you for conceiving and managing such an excellent Forum.“ Thank you Surendro, and all Forum members for making it what it is. I’m especially grateful for those who are tempted but refrain from spamming the community.
- “I am one of those who contribute little but receive/read a lot on this group and benefit in great deal. Most of the time the ideas that i have on a situation are shared/voiced by another member of the group so I don't repeat the words. I must say that this is one the best groups I am a member of and I have access to best professional opinions. I suggest lets open up a bit and let more professionals join the group, 1700 is a very small number, lets have some fresh blood and lets have fresh ideas. However we should have the policy defined for entry. I also suggest lets not remove people from the group because people like me are actually accumulating the data base and knowledge that may be useful in a future situation, they might come back and access the relevant topics and get the details and use that in their job. I think some of us may pick up all the ideas discussed so far on this group, review these and improve these and put that in the form of a reference manual on the website for everyone to have an access. This may be charged by the administrator / owner / group and may become bible for ISMS. Should have searchable facility on topics / discussion. Just one idea.” OK Tariq, thanks. Rest assured we have not totally discarded the entry criteria but have relaxed them a bit. We won’t remove members simply because they are quiet or shy! The accumulated discussions are already searchable using the Google Groups web interface and we try to save the most frequent or useful discussions and contributions in the ISO27k FAQ and/or the ISO27k Toolkit. The Forum has grown to more than 4,000 members as I write this note so I guess we’re doing something right.
- “This has been an excellent Forum and been very efficient since the day I joined. Thank you so much for your effort. I agree with the other members that the entry criteria should stay, it is our control mechanism to mitigate potential risks : )” I like it Nor!
- “I for one did all my research on this Forum and went on to achieve ISO 27001 for my company so for someone looking for real world answers this is the place...” Well done Franklin. Forum members gaining their their certification are cause for celebration. Cheers!
- “Thanks for the great work all of you guys are doing in this Forum. Its by far the most informative I have found on ISMS, ISO 27k etc.” Thank you too Vicand. It’s our pleasure.
- “I just wanted to get in touch with some praise as I am very impressed with everything that goes on in this Forum. Since joining I have bought the standards as per your recommendation online and I have opened my eyes to all that is possible from a commercial and more importantly practical point of view. My company has been developing a Risk Assessment plan for SME's and although I have a guy that has a masters in IT Security working on the plan, we're finding so much good points from the Forum that it is helping us a great deal.” Cheers Dave!
- “I have used iso27001security.com material extensively and I am very grateful to you and its contributors. I am pleased that I am now able to give something back ...” Thank you for the feedback and contributions, Julian. That’s the spirit! Although we don’t charge $$$ for Forum membership or for the toolkit, FAQ and ISO27k information on this website, we welcome generous contributions of intellectual property that benefit other members since the miniscule commission we earn from on-site advertising and affiliate links falls well short of covering our costs.