PaulDotCom mailing list archives
Re: [Security Weekly] ISO 27001
From: Arch Angel <arch3angel () gmail com>
Date: Thu, 20 Feb 2014 21:40:27 -0500
I would like to second Chris's statements about how ISO 27001 is more than documents; it is a living, breathing process. I would like to suggest a few additional items as well.

Find yourself a good consultant, please don't go with the cheapest! Request sample reports, sample statements of applicability, etc., because I've heard horrible horror stories of these low-budget consultants who lead companies down a path and in the end they have to essentially redo the entire program years later. Send me a private email and I will explain in more detail and show you examples of good and bad consultants.

The key with this consultant is to do a GAP and see where your organization would stand if you went today to become certified. Then work with that same consultant to build the program around the scope. The scope is the most important part in my opinion; it defines your program. A weak scope statement can permit an auditor privileges to look into things you really don't want them to, and on the other side it can prevent them from poking around in those same areas.

If you are in the USA, you will be getting certified through BSI America. I can provide you contacts who will tell you exactly what needs to be done from an administrative point of view. Again, send me a private email for details.

Last but not least, training! If all you want to do is learn to manage an ISO 27001 program then one of the intro courses will be fine. If you want to learn how the auditor thinks, and more importantly how they are to conduct the audit, then take the Lead Auditor course. I learned a ton about the boundaries of what an auditor can and can't do, and in the process found that our auditor was reaching into areas they shouldn't have, but a strong scope can prevent this for you. It's very useful to not only understand the program but also the auditor.
Here is the list of courses offered by BSI. I recommend taking their courses since they are the ones who will come in and certify you: http://www.bsigroup.com/en-US/ISO-IEC-27001-Information-Security/Training-courses-for-ISO-27001/

Hope this helps, and like I said, if you want detailed suggestions as well as points of contact, shoot me over a private email. I'll give you all the contacts I have, which have been awesome in helping me!

--
Thank you,
Robert Miller
http://www.armoredpackets.com
Twitter: @arch3angel

On 2/19/14, 7:45 PM, Chris Clymer wrote:
27001 is about a lot more than just document templates. If you're looking to implement, and especially if you're looking to certify, one of the best things you can do is go take the Lead Auditor course for 27001 from BSI. It's not that expensive, and it will explain how an ISMS is actually meant to function far better than simply reading 27001 will.

That said, I'll second the toolkit as an excellent resource for examples once you've got a good understanding of how those docs fit into a living, breathing functional security program aligned with 27001.
Sent from my iPad

On Feb 19, 2014, at 12:26 PM, Ryker Exum <Ryker.Exum () pathmaker-group com> wrote:
It might be a bit dated, but take a look.
http://www.iso27001security.com/html/iso27k_toolkit.html
From: securityweekly-bounces () mail securityweekly com On Behalf Of Jeff h
Sent: Wednesday, February 19, 2014 11:03 AM
To: Security Weekly Mailing List
Subject: Re: [Security Weekly] ISO 27001

Yes, I am looking for guidance on the policy/procedures.

-Jeff

On Wed, Feb 19, 2014 at 7:33 AM, Ryker Exum <Ryker.Exum () pathmaker-group com> wrote:
Are you looking for templates to help guide you through the standard, or policy/procedure templates?
From: securityweekly-bounces () mail securityweekly com On Behalf Of Jeff h
Sent: Tuesday, February 18, 2014 5:09 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Security Weekly] ISO 27001

I am beginning the steps to implement ISO 27001. Does anyone have any suggestions for good templates? There are a number of sites that offer them, but there is no way to know their quality without purchasing them.
Thanks,
Jeff

_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com