ISO 27001 Implementation Guidance: ISMS Structure

One misconception I hear most often is that ISO 27001 implementation requires the creation of hundreds of information security policies and procedures. The many toolkits available, each containing a large number of documents, reinforce this idea. It is simply not the case: the list of documents the standard actually requires is fairly small. The following diagram shows a complete set of documentation that could support ISO 27001 certification. The simpler your Informa

ISO 27001 Implementation Guidance: Classification vs Labelling

A fundamental building block of most Information Security Management Systems is an information classification, labelling and handling scheme. A classification scheme is a means of differentiating between information of differing sensitivity; each class is then given a label, common examples being 'confidential', 'sensitive', 'internal' and 'public'. This should be supplemented by guidance on how information of each classification is to be handled (

ISO 27001 Implementation Guidance: Using Objectives

While it seems obvious to state that your Information Security Management System (ISMS) should be in a good state before any certification visit, this desire for 'perfection' can be a major cause of unnecessary delay. While it is true that auditors do not like to see too much 'work in progress', there is a mechanism within the standard that allows you to capture those unfinished controls within a formal programme. Formalising work-in-progress using Information Securi