A Pilgrim’s Progress…

So there you are … someone has mentioned ISO 27001 and that you ought to be certified or ‘have ISO 27001’, as it might be “good for business”. You have heard of ISO 27001, but have always dismissed it as being something to think about. Now, however, maybe it’s time to look into it a bit more seriously.

Quick search on the Internet – blimey there’s loads of stuff. Mostly from consultants and others trying to sell you stuff.

Resort to Wikipedia … it at least gives you an idea.

Aha – ISO 27001 is an international standard.

Next step then – get hold of the Standard.

Online order—wait a while until download completed … and … ‘Open’ … and … oh! This looks so … ah! Exciting!

Read the opening bits … International Standard … Foreword … Introduction … Process Approach … Scope … Definitions … Ah! Here we are … Information Security Management System: General requirements…

…Scope … yes, Policy … ahem … ‘Define a risk assessment approach’ … uh?

Our risk assessment approach is based on what I or the IT Manager thinks. What do they mean?

Read a bit more … ‘identify the risks’ … ‘analyse and evaluate the risk’ … ‘identify and evaluate options for the treatment of risk’…

This ‘risk’ thing keeps coming up.

Then you spot a note “Risk assessment methodologies are discussed in ISO/IEC TR 13335-3”.

So a search on “ISO/IEC TR 13335-3”

This time you find that “ISO 27005:2011 supersedes ISO/IEC TR 13335-3” (can’t they ever get these standards sorted?)

Maybe purchase ISO 27005:2011?

Not sure – purchasing all these standards might get pricey. Plus what does it mean?

Perhaps a search for “ISO 27001 risk assessment”? Might that help?

That’s better. Now here’s something actually helpful. It is a page about “ISO 27001 Risk Assessments”. It’s written in plain English and it suggests that a tool might help, and there is even a free demo so I can try it out for myself.

I click on the links on this page, and it shows me a whole wealth of information telling me in a clear manner exactly what I need. Want to know where I went? Right here.

As for ISO 27005? I’ll bear it in mind, but that tool is way cool for risk assessments.