PaulDotCom mailing list archives

Re: [Security Weekly] ISO 27001


From: Arch Angel <arch3angel () gmail com>
Date: Thu, 20 Feb 2014 21:40:27 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I would like to second Chris's statements about how ISO 27001 is more
than documents; it is a living, breathing process.  I would like to
suggest a few additional items as well.

Find yourself a good consultant, and please don't go with the cheapest!
Request sample reports, sample statements of applicability, etc., because
I've heard horrible horror stories of these low-budget consultants who
lead companies down a path and in the end they have to essentially redo
the entire program years later.  Send me a private email and I will
explain in more detail and show you examples of good and bad
consultants.  The key with this consultant is to do a GAP and see
where your organization would stand if you went today to become
certified.  Then work with that same consultant to build the program
around the scope.  The scope is the most important part in my opinion;
it defines your program.  A weak scope statement can permit an auditor
privileges to look into things you really don't want them to, and on the
other side it can prevent them from poking around in those same areas.

If you are in the USA, you will be getting certified through BSI
America.  I can provide you with contacts who will tell you exactly what
needs to be done from an administrative point of view.  Again, send me a
private email for details.

Last but not least, training! If all you want to do is learn to manage
an ISO 27001 program, then one of the intro courses will be fine.  If you
want to learn how the auditor thinks, and more importantly how they are
to conduct the audit, then take the Lead Auditor course.  I learned a ton
about the boundaries of what an auditor can and can't do, and in the
process found that our auditor was reaching into areas they shouldn't
have, but a strong scope can prevent this for you.  It's very useful to
not only understand the program but also the auditor.

Here is the list of courses offered by BSI, I recommend taking their
courses since they are the ones who will come in and certify you:

http://www.bsigroup.com/en-US/ISO-IEC-27001-Information-Security/Training-courses-for-ISO-27001/


Hope this helps, and like I said, if you want detailed suggestions as
well as points of contact, shoot me over a private email.  I'll give you
all the contacts I have, which have been awesome in helping me!

- -- 

Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel


On 2/19/14, 7:45 PM, Chris Clymer wrote:
27001 is about a lot more than just document templates.  If you're looking to implement, and especially
if you're looking to certify, one of the best things you can do is go
take the Lead Auditor course for 27001 from BSI.  It's not that
expensive, and it will explain how an ISMS is actually meant to function
far better than simply reading 27001 will.

That said, I'll second the toolkit as an excellent resource for
examples once you've got a good understanding of how those docs fit into
a living, breathing functional security program aligned with 27001.

Sent from my iPad

On Feb 19, 2014, at 12:26 PM, Ryker Exum
<Ryker.Exum () pathmaker-group com>
wrote:

It might be a bit dated, but take a look.
http://www.iso27001security.com/html/iso27k_toolkit.html



From: securityweekly-bounces () mail securityweekly com
[mailto:securityweekly-bounces () mail securityweekly com] On Behalf Of
Jeff h
Sent: Wednesday, February 19, 2014 11:03 AM
To: Security Weekly Mailing List
Subject: Re: [Security Weekly] ISO 27001



Yes,

I am looking for guidance on the policy/procedures

-Jeff



On Wed, Feb 19, 2014 at 7:33 AM, Ryker Exum
<Ryker.Exum () pathmaker-group com>
wrote:

    Are you looking for templates to help guide you through the
standard or policy/procedure templates?

    

    From: securityweekly-bounces () mail securityweekly com
    [mailto:securityweekly-bounces () mail securityweekly com] On Behalf Of
    Jeff h
    Sent: Tuesday, February 18, 2014 5:09 PM
    To: PaulDotCom Security Weekly Mailing List
    Subject: [Security Weekly] ISO 27001

    

    I am beginning the steps to implement ISO 27001.  Does anyone have
any suggestions for good templates?  There are a number of sites that
offer them, but there is no way to know their quality without purchasing
them.

    Thanks,

    Jeff


    _______________________________________________
    securityweekly mailing list
    securityweekly () mail securityweekly com
    http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
    Main Web Site: http://pauldotcom.com






-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTBrybAAoJEP4M+IFshueHs2QP/0iD1vNbW9Db7RywayA0KfQ3
h+8BDrsPOkdtmepVZ6cd01HZY7uQAYvE3jF5wCbSTHM2mRHoyVVW7nqz9ydKUNku
ugYRQWeBGo7NSS19Dd5yOMiORrH8yy7ME6ETq0XeQMEiH2Alpl37uGG25tXZP2qk
zl0PTnIQLoC0niFclWB+Kn6RG1ZD4r/TW/xTsApzXVCatK0hBciDuKjV+bhQcWei
6inaXXFxuUadtqcvlpsp3yvXmKWEdgfRJnv5hU4NNqfr9aQuC0tROKc0SChkcYQu
RvR7d/zHmbJ/xFFyZolFmQiJrhzTR1RKVCDCkh5rzMaVAmXTqxmQZHGXy7RGr6aQ
4h0cnoDSyszCMwvVwxKlzQo4R5VaF5bG4GT7w3/SxmXl0iyyl1jNS7ZZEdVb9PCo
yWMsFG9kHN1wMP7QKk36XDB5/6Hj9YMdMgmmLxWcAo5VxpGhiiv2u/mX64GGJF2R
9u/zzaoHFQYCBlBMq8/RQv1L6CRDS/WFezs/8dIfp8WiyYLqXqwHM74BPbLkR/lo
YKaQb0nE6XnoxfQCEx2MScod232LvPZs5CJHeQzmjPxnBmepp9vcEBZpf1BkdwKR
R/i9/UfTKtBgZpRoMGgxAd6wY6SX0axveXBg4/l58EwBLn0O11eTJaA35W9+yzmQ
OY5KL52eQDy6HYxiCkZ/
=lhzg
-----END PGP SIGNATURE-----

