1.      Articles and some toolkit items about implementing ISO27001

2. Articles mainly aimed at auditors

3. Articles about certification and preparing for certification

4. Articles about the 2022 version of ISO27001

5. General articles about ISO27001

6. Articles about ISO27005

7. Articles not specifically about ISO27001

 

1.   Articles and some toolkit items about implementing ISO27001

Listed by clause of ISO27001:2022.

4.1 External and Internal Issues.

https://www.linkedin.com/pulse/templateexample-internal-external-issues-iso27001-clause-chris-hall/

4.2 Interested Parties

https://www.linkedin.com/pulse/template-how-do-interested-parties-iso27001-clause-42-chris-hall/

4.3 Scope.

https://www.linkedin.com/pulse/understanding-defining-scope-iso27001-chris-hall/

See also:

How to do ISO27001 for a part of a company. https://www.linkedin.com/pulse/how-do-iso27001-only-part-company-chris-hall/

4.4 Information security management system

https://www.linkedin.com/pulse/how-do-clause-44-iso27001-chris-hall/

5.1 Leadership and commitment

https://www.linkedin.com/pulse/how-do-iso27001-leadership-commitment-clause-51-chris-hall/

5.2 Information security Policy

https://www.linkedin.com/pulse/example-information-security-policy-iso27001-clause-52-chris-hall/

5.3 Organizational roles, responsibilities and authorities

https://www.linkedin.com/pulse/how-do-organizational-roles-responsibilities-authorities-chris-hall/

6.1 Actions to address risks and opportunities

https://www.linkedin.com/pulse/why-you-need-2-risk-assessments-iso27001-chris-hall/

6.1.1 Risks and Opportunities.

https://www.linkedin.com/pulse/template-example-iso27001-risk-opportunities-isms-clause-chris-hall/

6.1.2 Information Security risk assessment.

https://www.linkedin.com/pulse/how-do-information-security-risk-assessment-iso27001-clauses-hall/

See also:

How to use Annex A. https://www.linkedin.com/pulse/how-use-annex-iso27001-chris-hall/

How to ignore Annex A. https://www.linkedin.com/pulse/how-ignore-annex-iso27001-chris-hall/

How it identify information security risks: https://www.linkedin.com/pulse/practical-guidance-help-identify-information-security-chris-hall-pzvze/

What a risk assessment should contain. https://www.linkedin.com/pulse/iso27001-risk-management-what-register-could-contain-chris-hall/

How to assess if your risk assessment is any good. https://www.linkedin.com/pulse/your-iso27001-risk-assessment-any-good-chris-hall/

6.1.3 Information security risk treatment.

See:

How to use Annex A. https://www.linkedin.com/pulse/how-use-annex-iso27001-chris-hall/

How to ignore Annex A. https://www.linkedin.com/pulse/how-ignore-annex-iso27001-chris-hall/

6.1.3 b) determine all necessary controls.

https://www.linkedin.com/pulse/iso27001-how-you-should-choose-controls-needed-manage-chris-hall/

See also:

What is an information security control. https://www.linkedin.com/pulse/what-information-security-control-chris-hall/

How to use “other” control frameworks – e.g. NIST, SOC 2. https://www.linkedin.com/pulse/how-use-other-control-listsframeworks-eg-soc-2-nist-iso27017-hall/

How to write a control description. https://www.linkedin.com/pulse/how-write-control-description-eg-soc-2-iso27001-chris-hall/

How to decide the level of controls. https://www.linkedin.com/pulse/how-decide-level-controls-chris-hall/

Why you should ignore Annex A. https://www.linkedin.com/pulse/why-you-should-ignore-annex-when-doing-iso27001-chris-hall/

6.1.3 c) compare the controls with those in Annex A.

https://www.linkedin.com/pulse/how-do-iso27001-comparison-annex-clause-613-c-chris-hall/

See also:

The controls “missing” from Annex A. https://www.linkedin.com/pulse/controls-missing-from-iso270022022-chris-hall/

6.1.3 d) Statement of Applicability (SOA);

https://www.linkedin.com/pulse/how-create-iso27001-statement-applicability-clause-613-chris-hall/

See also:

What a minimal SOA could look like: https://www.linkedin.com/pulse/iso27001-what-purpose-statement-applicability-soa-should-chris-hall/

Why you should ignore the SOA. https://www.linkedin.com/pulse/why-you-should-ignore-statement-applicability-iso27001-chris-hall/

How to audit the SOA. https://www.linkedin.com/pulse/how-audit-iso27001-statement-applicability-chris-hall/

6.1.3 e) Create an information security risk treatment plan;

https://www.linkedin.com/pulse/how-create-iso27001-risk-treatment-plan-clause-613-e-chris-hall/

6.2 Information security objectives.

https://www.linkedin.com/pulse/how-define-objectives-iso27001-clause-62-chris-hall/ .

6.3 Planning of changes.

https://www.linkedin.com/pulse/how-do-new-iso27001-planning-changes-clause-63-chris-hall/

7.1 Resources

No article on this as yet.

7.2 Competence

https://www.linkedin.com/pulse/how-do-iso27001-competence-clause-72-chris-hall-k77ye/

7.3 Awareness

No article planned for this.

7.4 Communication

No article on this as yet.

7.5 Documented information

No full article on this as yet.

See also:

An overview of the documentation needed for ISO27001. https://www.linkedin.com/pulse/iso27001-without-documentation-chris-hall/

How many pages of documentation should you need. https://www.linkedin.com/pulse/how-much-documentation-do-you-need-iso27001-chris-hall/

8.1 Operational planning and control.

No full article on this as yet.

See also:

How to define criteria. https://www.linkedin.com/pulse/how-define-criteria-processes-iso270012022-clause-81-chris-hall/

8.2 Maintain the Information security risk assessment.

No article on this as yet.

8.3 Information security risk treatment.

No article on this as yet.

9.1 Monitoring, measurement, analysis and evaluation

https://www.linkedin.com/pulse/how-do-performance-management-iso27001-clause-91-chris-hall/

See also:

ISO27001 without metrics. https://www.linkedin.com/pulse/iso27001-without-metrics-kpis-chris-hall/

9.2 Internal audit

https://www.linkedin.com/pulse/how-do-iso27001-internal-audit-requirement-clause-92-chris-hall/

See also.

Why you should not use your internal audit department to do your internal audit. https://www.linkedin.com/pulse/why-you-should-use-your-internal-audit-department-do-iso27001-hall/

9.3 Management review

https://www.linkedin.com/pulse/how-do-management-review-iso27001-chris-hall/

10.1 Continual Improvement.

https://www.linkedin.com/pulse/how-do-iso27001-continual-improvement-clause-101-chris-hall/

10.2 Nonconformity and corrective action.

https://www.linkedin.com/pulse/how-should-you-deal-non-conformities-according-iso27001-chris-hall/

2. Articles mainly aimed at auditors

Although any of the above articles about the clauses may also be of interest.

R2.1 The different types of “audit” associated with ISO27001

https://www.linkedin.com/pulse/what-different-types-audit-associated-iso27001-chris-hall/

R2.2 What should an ISO27001 certification audit plan/agenda contain?

https://www.linkedin.com/pulse/what-should-iso27001-audit-planagenda-contain-chris-hall/

R2.3 How to do an ISO27001 audit

https://www.linkedin.com/pulse/how-do-iso27001-audit-chris-hall/

R2.4 The Evidence Fallacy

https://www.linkedin.com/pulse/evidence-fallacy-chris-hall/

R2.5 How to audit an ISO27001 risk assessment

https://www.linkedin.com/pulse/how-audit-iso27001-risk-assessment-chris-hall/

R2.6 How to audit the ISO27001 Statement of Applicability

https://www.linkedin.com/pulse/how-audit-iso27001-statement-applicability-chris-hall/

R2.7 An ISO27001 auditor should never say “A control in the Statement of Applicability is not marked as justified and it should be”

https://www.linkedin.com/pulse/iso27001-auditor-should-never-say-control-statement-marked-chris-hall/

R2.8 Why you should never get a major (or minor) non conformity against a control in ISO27001

https://www.linkedin.com/pulse/why-you-should-never-get-major-minor-non-conformity-against-hall/

R2.9 An ISO27001 auditor should not raise a non conformity for something that you already know about.

https://www.linkedin.com/pulse/iso27001-auditor-should-raise-non-conformity-something-chris-hall/

R2.10 A guide to raising and documenting an ISO27001 non conformity.

https://www.linkedin.com/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/

R2.11 Why do ISO27001 auditors audit the controls?

https://www.linkedin.com/pulse/why-do-iso27001-auditors-audit-controls-chris-hall/

R2.12 ISO27001 auditors cannot raise non conformities based on their judgment, view, opinion, experience, best practice or common practice.

https://www.linkedin.com/pulse/iso27001-myths-1-auditors-can-raise-non-conformities-based-chris-hall-bqzqe/

R2.13 Guidelines on words and phrases a certification auditor should/should not use

https://www.linkedin.com/pulse/guidelines-words-phrases-certification-auditor-use-chris-hall-hyase/

3. Articles about certification and preparing for certification

R3.1 An overview of the ISO27001 certification process.

https://www.linkedin.com/pulse/overview-iso27001-certification-process-chris-hall/

R3.2 How to choose an ISO27001 certification body/registrar

https://www.linkedin.com/pulse/how-choose-iso27001-certification-bodyregistrar-chris-hall/

R3.3 What is “mandatory” in ISO27001

https://www.linkedin.com/pulse/what-mandatory-iso27001-chris-hall/

R3.4 Does ISO27001 require you to identify and manage legal, regulatory and contractual requirements in your ISMS?

https://www.linkedin.com/pulse/does-iso27001-require-you-identify-manage-legal-regulatory-chris-hall/

R3.4 When using ISO27001 the controls do not need to be 100% effective

https://www.linkedin.com/pulse/when-using-iso27001-controls-do-need-100-effective-chris-hall/

R3.4 For ISO27001 do all the controls have to be implemented before I can get certified?

https://www.linkedin.com/pulse/iso27001-do-all-controls-have-implemented-before-i-can-chris-hall/

R3.4 With ISO27001, perfection is not needed to get certified

https://www.linkedin.com/pulse/why-iso27001-everything-has-perfect-get-certified-chris-hall/

R3.4 What does ISO27001 mean to your staff?

https://www.linkedin.com/pulse/what-does-iso27001-mean-your-staff-chris-hall/

R3.9 What should you tell all your staff just before the ISO27001 auditor comes on site?

https://www.linkedin.com/pulse/what-should-you-tell-all-your-staff-just-before-iso27001-chris-hall/

R3.10 Guidance to people being audited

https://www.linkedin.com/pulse/guidance-people-being-audited-chris-hall/

R3.11 How certification bodies do consultancy and give advice.

https://www.linkedin.com/pulse/iso27001-certification-bodies-do-consultancy-give-advice-chris-hall/

R3.12 How long must an ISO27001 ISMS be operating before it can be certified?

https://www.linkedin.com/pulse/how-long-must-iso27001-isms-operating-before-can-certified-chris-hall/

R3.12 What are major and minor non conformities?

https://www.linkedin.com/pulse/what-minor-major-non-conformities-raised-iso27001-auditors-chris-hall/

R3.13 What should you do when an ISO27001 certification auditor wants to raise a nonconformity

https://www.linkedin.com/pulse/what-should-you-do-when-iso27001-certification-auditor-chris-hall/

R3.14 Your controls have to be perfect for SOC 2 (sort of) but not for ISO27001 (sort of)

https://www.linkedin.com/pulse/your-controls-have-perfect-soc-2-sort-iso27001-chris-hall-q267e/

4. Articles about the 2022 version of ISO27001

R4.1 New versions of ISO27001 and ISO27002

https://www.linkedin.com/pulse/new-versions-iso27001-iso27002-chris-hall/

R4.2 The changes in the 2022 version of ISO27001

https://www.linkedin.com/pulse/changes-2022-version-iso27001-chris-hall/

R4.3 The 11 "new" controls in the new versions of ISO27002 and ISO27001

https://www.linkedin.com/pulse/11-new-controls-iso27002-iso27001-chris-hall/

R4.4 The controls "missing" from ISO27002:2022 and Annex A of ISO27001:2022

https://www.linkedin.com/pulse/controls-missing-from-iso270022022-chris-hall/

R4.5 How to quickly transition to the Annex A version of ISO27001:2022

https://www.linkedin.com/pulse/how-quickly-transition-annex-version-iso270012022-chris-hall/

R4.6 The slow approach to transitioning to the new Annex A in ISO27001:2022

https://www.linkedin.com/pulse/slow-approach-transitioning-new-annex-iso270012022-chris-hall/

R4.7 How to transition to the new version of ISO27001

https://www.linkedin.com/pulse/how-transition-2022-version-iso27001-chris-hall/

R4.8 A case study of a transition to the new version of ISO27001

https://www.linkedin.com/pulse/iso270012022-transition-case-study-chris-hall/

R4.9 What you should do about the 11 new controls in ISO27001:2022

https://www.linkedin.com/pulse/what-you-should-do-11-new-controls-iso270012022-chris-hall/

R4.9 What is this new “process” approach in ISO27001:2022?

https://www.linkedin.com/pulse/what-process-approach-iso27001-chris-hall-52nwe/

5. General articles about ISO27001

R5.1 Introduction to ISO27001

https://www.linkedin.com/pulse/what-iso27001-all-why-should-i-do-without-jargon-chris-hall-1e/

R5.2 Plain English guide to meeting ISO27001 requirements

https://www.linkedin.com/pulse/plain-english-guide-meeting-iso27001-requirements-chris-hall/

R5.3 How to use “other” control frameworks – e.g. NIST, SOC 2.

https://www.linkedin.com/pulse/how-use-other-control-listsframeworks-eg-soc-2-nist-iso27017-hall/

R5.4 What are the benefits of ISO27001?

https://www.linkedin.com/pulse/what-benefits-iso27001-chris-hall/

R5.5 The two tribes of ISO27001. Which tribe are you? A quiz.

https://www.linkedin.com/pulse/two-tribes-iso27001-which-tribe-you-quiz-chris-hall/

R565 What about “Compliance Management Systems” and ISO27001?

https://www.linkedin.com/pulse/what-compliance-management-systems-iso27001-chris-hall/

R5.7 ISO27001 and its unrealistic requirements about selecting controls

https://www.linkedin.com/pulse/iso27001-its-unrealistic-requirements-selecting-controls-chris-hall/

R5.8 You do not need an Information Asset Register for ISO27001

https://www.linkedin.com/pulse/do-i-need-information-asset-register-iso27001-chris-hall/

R5.9 Does an ISO27001 certificate mean anything?

https://www.linkedin.com/pulse/does-iso27001-certificate-mean-anything-chris-hall/

R5.10 Why do people make their ISO27001 implementations so complicated?

https://www.linkedin.com/pulse/why-do-people-make-iso27001-implementations-so-complicated-chris-hall/

R5.11 The different types of “audit” associated with ISO27001

https://www.linkedin.com/pulse/what-different-types-audit-associated-iso27001-chris-hall/

R5.12 You now have your ISO27001 certificate. What now?

https://www.linkedin.com/pulse/congratulations-you-now-have-your-iso27001-certificate-chris-hall/

R5.13 What does it mean when someone says they are an “ISO27001 Lead auditor”

https://www.linkedin.com/pulse/what-does-mean-when-someone-says-iso27001-lead-auditor-chris-hall/

R5.14 What you can ignore in ISO27001.

https://www.linkedin.com/pulse/what-you-may-able-ignore-iso27001-chris-hall/

R5.15 How to choose an ISO27001 training course

https://www.linkedin.com/pulse/how-choose-iso27001-training-course-chris-hall

R5.16 The many different versions of ISO27001.

https://www.linkedin.com/pulse/many-tailored-different-versions-iso27001-chris-hall/

R5.17 How to do ISO27001 for a part of a company

 https://www.linkedin.com/pulse/how-do-iso27001-only-part-company-chris-hall/

R5.18 Some thoughts on where to store your ISO27001 documentation

https://www.linkedin.com/pulse/some-thoughts-storing-your-iso27001-documentation-chris-hall/

R5.19 A suggested folder/page structure for ISO27001 documentation..

https://www.linkedin.com/pulse/suggested-folderpage-structure-iso27001-documentation-chris-hall/

R5.20 Some terms and concepts in ISO27001 that I don’t use.

https://www.linkedin.com/pulse/iso27001information-security-terms-concepts-i-dont-use-chris-hall/

R5.21 Why and how to use custom controls.

https://www.linkedin.com/pulse/why-how-you-can-use-custom-controls-iso27001-chris-hall-dhx4e/

R5.22 What is “inherent” risk and how to use it for information security risks.

https://www.linkedin.com/pulse/what-inherent-risk-how-use-information-security-risks-chris-hall-67clf/

R5.23 How to maintain your ISMS.

https://www.linkedin.com/pulse/what-do-maintain-your-iso27001-isms-chris-hall-fcezf/

R5.24 There is a new version of ISO27001. You should probably do something now

https://www.linkedin.com/pulse/new-version-iso27001-you-should-probably-do-something-chris-hall-hxcke/

R5.25 There is a new version of ISO27006. ""Requirements for bodies providing audit and certification of information security management systems"

https://www.linkedin.com/pulse/new-version-iso270061-requirements-bodies-providing-chris-hall-giddf/

R5.26 9 practical tips for getting started with ISO27001.

https://www.linkedin.com/pulse/9-practical-tips-getting-started-iso27001-chris-hall-xmmde/

R5.27 ISO27001. Time for a change. Part 1.

https://www.linkedin.com/pulse/iso27001-time-change-part-1-chris-hall-aklse/  

R5.28 ISO27001 Myths: 21: “You can have controls marked as applicable in the Statement of Applicability that are not referred to in the risk assessment

https://www.linkedin.com/pulse/iso27001-myths-21-you-can-have-controls-marked-applicable-chris-hall-fptnf/

R5.29 SO27001 suggested change 1: ISO27001 should be built on the use of an information security methodology

https://www.linkedin.com/pulse/iso27001-suggested-change-1-should-built-use-information-chris-hall-5532e/

6. Articles about ISO27005

R6.1 The new version of ISO27005 – “Information Security Risk Management”

https://www.linkedin.com/pulse/new-version-iso27005-information-security-risk-management-chris-hall/

R6.2 How does ISO27005 answer questions about ISO27001 risk management?

https://www.linkedin.com/pulse/how-does-iso27005-answer-questions-iso27001-risk-management-hall/

7. Articles not specifically about ISO27001

R7.1 What is an “information asset”?

https://www.linkedin.com/pulse/what-information-asset-chris-hall/

R7.2 How to do policies, procedures, etc

https://www.linkedin.com/pulse/how-do-policies-procedures-etc-chris-hall/