Business & Technology Risk Partners
- Chris Hall LinkedIn articles
1. Articles and some toolkit items about implementing ISO27001
2. Articles mainly aimed at auditors
3. Articles about certification and preparing for certification
4. Articles about the 2022 version of ISO27001
5. General articles about ISO27001
6. Articles about ISO27005
7. Articles not specifically about ISO27001
1. Articles and some toolkit items about implementing ISO27001
Listed by clause of ISO27001:2022.
4.1 External and Internal Issues.
https://www.linkedin.com/pulse/templateexample-internal-external-issues-iso27001-clause-chris-hall/
4.2 Interested Parties
https://www.linkedin.com/pulse/template-how-do-interested-parties-iso27001-clause-42-chris-hall/
4.3 Scope.
https://www.linkedin.com/pulse/understanding-defining-scope-iso27001-chris-hall/
See also:
How to do ISO27001 for a part of a company. https://www.linkedin.com/pulse/how-do-iso27001-only-part-company-chris-hall/
4.4 Information security management system
https://www.linkedin.com/pulse/how-do-clause-44-iso27001-chris-hall/
5.1 Leadership and commitment
https://www.linkedin.com/pulse/how-do-iso27001-leadership-commitment-clause-51-chris-hall/
5.2 Information security policy
https://www.linkedin.com/pulse/example-information-security-policy-iso27001-clause-52-chris-hall/
5.3 Organizational roles, responsibilities and authorities
https://www.linkedin.com/pulse/how-do-organizational-roles-responsibilities-authorities-chris-hall/
6.1 Actions to address risks and opportunities
https://www.linkedin.com/pulse/why-you-need-2-risk-assessments-iso27001-chris-hall/
6.1.1 Risks and Opportunities.
https://www.linkedin.com/pulse/template-example-iso27001-risk-opportunities-isms-clause-chris-hall/
6.1.2 Information Security risk assessment.
https://www.linkedin.com/pulse/how-do-information-security-risk-assessment-iso27001-clauses-hall/
See also:
How to use Annex A.
https://www.linkedin.com/pulse/how-use-annex-iso27001-chris-hall/
How to ignore Annex A. https://www.linkedin.com/pulse/how-ignore-annex-iso27001-chris-hall/
How to identify information security risks. https://www.linkedin.com/pulse/practical-guidance-help-identify-information-security-chris-hall-pzvze/
What a risk assessment should contain. https://www.linkedin.com/pulse/iso27001-risk-management-what-register-could-contain-chris-hall/
How to assess if your risk assessment is any good. https://www.linkedin.com/pulse/your-iso27001-risk-assessment-any-good-chris-hall/
6.1.3 Information security risk treatment.
See:
How to use Annex A. https://www.linkedin.com/pulse/how-use-annex-iso27001-chris-hall/
How to ignore Annex A. https://www.linkedin.com/pulse/how-ignore-annex-iso27001-chris-hall/
6.1.3 b) determine all necessary controls.
https://www.linkedin.com/pulse/iso27001-how-you-should-choose-controls-needed-manage-chris-hall/
See also:
What is an information security control. https://www.linkedin.com/pulse/what-information-security-control-chris-hall/
How to use “other” control frameworks – e.g. NIST, SOC 2. https://www.linkedin.com/pulse/how-use-other-control-listsframeworks-eg-soc-2-nist-iso27017-hall/
How to write a control description. https://www.linkedin.com/pulse/how-write-control-description-eg-soc-2-iso27001-chris-hall/
How to decide the level of controls. https://www.linkedin.com/pulse/how-decide-level-controls-chris-hall/
Why you should ignore Annex A. https://www.linkedin.com/pulse/why-you-should-ignore-annex-when-doing-iso27001-chris-hall/
6.1.3 c) compare the controls with those in Annex A.
https://www.linkedin.com/pulse/how-do-iso27001-comparison-annex-clause-613-c-chris-hall/
See also:
The controls “missing” from Annex A. https://www.linkedin.com/pulse/controls-missing-from-iso270022022-chris-hall/
6.1.3 d) Statement of Applicability (SOA);
https://www.linkedin.com/pulse/how-create-iso27001-statement-applicability-clause-613-chris-hall/
See also:
What a minimal SOA could look like: https://www.linkedin.com/pulse/iso27001-what-purpose-statement-applicability-soa-should-chris-hall/
Why you should ignore the SOA. https://www.linkedin.com/pulse/why-you-should-ignore-statement-applicability-iso27001-chris-hall/
How to audit the SOA. https://www.linkedin.com/pulse/how-audit-iso27001-statement-applicability-chris-hall/
6.1.3 e) Create an information security risk treatment plan;
https://www.linkedin.com/pulse/how-create-iso27001-risk-treatment-plan-clause-613-e-chris-hall/
6.2 Information security objectives.
https://www.linkedin.com/pulse/how-define-objectives-iso27001-clause-62-chris-hall/
6.3 Planning of changes.
https://www.linkedin.com/pulse/how-do-new-iso27001-planning-changes-clause-63-chris-hall/
7.1 Resources
No article on this as yet.
7.2 Competence
https://www.linkedin.com/pulse/how-do-iso27001-competence-clause-72-chris-hall-k77ye/
7.3 Awareness
No article planned for this.
7.4 Communication
No article on this as yet.
7.5 Documented information
No full article on this as yet.
See also:
An overview of the documentation needed for ISO27001. https://www.linkedin.com/pulse/iso27001-without-documentation-chris-hall/
How many pages of documentation should you need. https://www.linkedin.com/pulse/how-much-documentation-do-you-need-iso27001-chris-hall/
8.1 Operational planning and control.
No full article on this as yet.
See also:
How to define criteria. https://www.linkedin.com/pulse/how-define-criteria-processes-iso270012022-clause-81-chris-hall/
8.2 Maintain the Information security risk assessment.
No article on this as yet.
8.3 Information security risk treatment.
No article on this as yet.
9.1 Monitoring, measurement, analysis and evaluation
https://www.linkedin.com/pulse/how-do-performance-management-iso27001-clause-91-chris-hall/
See also:
ISO27001 without metrics. https://www.linkedin.com/pulse/iso27001-without-metrics-kpis-chris-hall/
9.2 Internal audit
https://www.linkedin.com/pulse/how-do-iso27001-internal-audit-requirement-clause-92-chris-hall/
See also:
Why you should not use your internal audit department to do your internal audit. https://www.linkedin.com/pulse/why-you-should-use-your-internal-audit-department-do-iso27001-hall/
9.3 Management review
https://www.linkedin.com/pulse/how-do-management-review-iso27001-chris-hall/
10.1 Continual Improvement.
https://www.linkedin.com/pulse/how-do-iso27001-continual-improvement-clause-101-chris-hall/
10.2 Nonconformity and corrective action.
https://www.linkedin.com/pulse/how-should-you-deal-non-conformities-according-iso27001-chris-hall/
2. Articles mainly aimed at auditors
Any of the clause-by-clause articles in section 1 may also be of interest to auditors.
R2.1 The different types of “audit” associated with ISO27001
https://www.linkedin.com/pulse/what-different-types-audit-associated-iso27001-chris-hall/
R2.2 What should an ISO27001 certification audit plan/agenda contain?
https://www.linkedin.com/pulse/what-should-iso27001-audit-planagenda-contain-chris-hall/
R2.3 How to do an ISO27001 audit
https://www.linkedin.com/pulse/how-do-iso27001-audit-chris-hall/
R2.4 The Evidence Fallacy
https://www.linkedin.com/pulse/evidence-fallacy-chris-hall/
R2.5 How to audit an ISO27001 risk assessment
https://www.linkedin.com/pulse/how-audit-iso27001-risk-assessment-chris-hall/
R2.6 How to audit the ISO27001 Statement of Applicability
https://www.linkedin.com/pulse/how-audit-iso27001-statement-applicability-chris-hall/
R2.7 An ISO27001 auditor should never say “A control in the Statement of Applicability is not marked as justified and it should be”
R2.8 Why you should never get a major (or minor) non conformity against a control in ISO27001
https://www.linkedin.com/pulse/why-you-should-never-get-major-minor-non-conformity-against-hall/
R2.9 An ISO27001 auditor should not raise a non conformity for something that you already know about.
https://www.linkedin.com/pulse/iso27001-auditor-should-raise-non-conformity-something-chris-hall/
R2.10 A guide to raising and documenting an ISO27001 non conformity.
https://www.linkedin.com/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/
R2.11 Why do ISO27001 auditors audit the controls?
https://www.linkedin.com/pulse/why-do-iso27001-auditors-audit-controls-chris-hall/
R2.12 ISO27001 auditors cannot raise non conformities based on their judgment, view, opinion, experience, best practice or common practice.
R2.13 Guidelines on words and phrases a certification auditor should/should not use
https://www.linkedin.com/pulse/guidelines-words-phrases-certification-auditor-use-chris-hall-hyase/
3. Articles about certification and preparing for certification
R3.1 An overview of the ISO27001 certification process.
https://www.linkedin.com/pulse/overview-iso27001-certification-process-chris-hall/
R3.2 How to choose an ISO27001 certification body/registrar
https://www.linkedin.com/pulse/how-choose-iso27001-certification-bodyregistrar-chris-hall/
R3.3 What is “mandatory” in ISO27001
https://www.linkedin.com/pulse/what-mandatory-iso27001-chris-hall/
R3.4 Does ISO27001 require you to identify and manage legal, regulatory and contractual requirements in your ISMS?
R3.5 When using ISO27001 the controls do not need to be 100% effective
https://www.linkedin.com/pulse/when-using-iso27001-controls-do-need-100-effective-chris-hall/
R3.6 For ISO27001 do all the controls have to be implemented before I can get certified?
https://www.linkedin.com/pulse/iso27001-do-all-controls-have-implemented-before-i-can-chris-hall/
R3.7 With ISO27001, perfection is not needed to get certified
https://www.linkedin.com/pulse/why-iso27001-everything-has-perfect-get-certified-chris-hall/
R3.8 What does ISO27001 mean to your staff?
https://www.linkedin.com/pulse/what-does-iso27001-mean-your-staff-chris-hall/
R3.9 What should you tell all your staff just before the ISO27001 auditor comes on site?
https://www.linkedin.com/pulse/what-should-you-tell-all-your-staff-just-before-iso27001-chris-hall/
R3.10 Guidance to people being audited
https://www.linkedin.com/pulse/guidance-people-being-audited-chris-hall/
R3.11 How certification bodies do consultancy and give advice.
https://www.linkedin.com/pulse/iso27001-certification-bodies-do-consultancy-give-advice-chris-hall/
R3.12 How long must an ISO27001 ISMS be operating before it can be certified?
R3.13 What are major and minor non conformities?
R3.14 What should you do when an ISO27001 certification auditor wants to raise a nonconformity
https://www.linkedin.com/pulse/what-should-you-do-when-iso27001-certification-auditor-chris-hall/
R3.15 Your controls have to be perfect for SOC 2 (sort of) but not for ISO27001 (sort of)
https://www.linkedin.com/pulse/your-controls-have-perfect-soc-2-sort-iso27001-chris-hall-q267e/
4. Articles about the 2022 version of ISO27001
R4.1 New versions of ISO27001 and ISO27002
https://www.linkedin.com/pulse/new-versions-iso27001-iso27002-chris-hall/
R4.2 The changes in the 2022 version of ISO27001
https://www.linkedin.com/pulse/changes-2022-version-iso27001-chris-hall/
R4.3 The 11 "new" controls in the new versions of ISO27002 and ISO27001
https://www.linkedin.com/pulse/11-new-controls-iso27002-iso27001-chris-hall/
R4.4 The controls "missing" from ISO27002:2022 and Annex A of ISO27001:2022
https://www.linkedin.com/pulse/controls-missing-from-iso270022022-chris-hall/
R4.5 How to quickly transition to the Annex A version of ISO27001:2022
https://www.linkedin.com/pulse/how-quickly-transition-annex-version-iso270012022-chris-hall/
R4.6 The slow approach to transitioning to the new Annex A in ISO27001:2022
https://www.linkedin.com/pulse/slow-approach-transitioning-new-annex-iso270012022-chris-hall/
R4.7 How to transition to the new version of ISO27001
https://www.linkedin.com/pulse/how-transition-2022-version-iso27001-chris-hall/
R4.8 A case study of a transition to the new version of ISO27001
https://www.linkedin.com/pulse/iso270012022-transition-case-study-chris-hall/
R4.9 What you should do about the 11 new controls in ISO27001:2022
https://www.linkedin.com/pulse/what-you-should-do-11-new-controls-iso270012022-chris-hall/
R4.10 What is this new “process” approach in ISO27001:2022?
https://www.linkedin.com/pulse/what-process-approach-iso27001-chris-hall-52nwe/
5. General articles about ISO27001
R5.1 Introduction to ISO27001
https://www.linkedin.com/pulse/what-iso27001-all-why-should-i-do-without-jargon-chris-hall-1e/
R5.2 Plain English guide to meeting ISO27001 requirements
https://www.linkedin.com/pulse/plain-english-guide-meeting-iso27001-requirements-chris-hall/
R5.3 How to use “other” control frameworks – e.g. NIST, SOC 2.
https://www.linkedin.com/pulse/how-use-other-control-listsframeworks-eg-soc-2-nist-iso27017-hall/
R5.4 What are the benefits of ISO27001?
https://www.linkedin.com/pulse/what-benefits-iso27001-chris-hall/
R5.5 The two tribes of ISO27001. Which tribe are you? A quiz.
https://www.linkedin.com/pulse/two-tribes-iso27001-which-tribe-you-quiz-chris-hall/
R5.6 What about “Compliance Management Systems” and ISO27001?
https://www.linkedin.com/pulse/what-compliance-management-systems-iso27001-chris-hall/
R5.7 ISO27001 and its unrealistic requirements about selecting controls
https://www.linkedin.com/pulse/iso27001-its-unrealistic-requirements-selecting-controls-chris-hall/
R5.8 You do not need an Information Asset Register for ISO27001
https://www.linkedin.com/pulse/do-i-need-information-asset-register-iso27001-chris-hall/
R5.9 Does an ISO27001 certificate mean anything?
https://www.linkedin.com/pulse/does-iso27001-certificate-mean-anything-chris-hall/
R5.10 Why do people make their ISO27001 implementations so complicated?
R5.11 The different types of “audit” associated with ISO27001
https://www.linkedin.com/pulse/what-different-types-audit-associated-iso27001-chris-hall/
R5.12 You now have your ISO27001 certificate. What now?
https://www.linkedin.com/pulse/congratulations-you-now-have-your-iso27001-certificate-chris-hall/
R5.13 What does it mean when someone says they are an “ISO27001 Lead auditor”
https://www.linkedin.com/pulse/what-does-mean-when-someone-says-iso27001-lead-auditor-chris-hall/
R5.14 What you can ignore in ISO27001.
https://www.linkedin.com/pulse/what-you-may-able-ignore-iso27001-chris-hall/
R5.15 How to choose an ISO27001 training course
https://www.linkedin.com/pulse/how-choose-iso27001-training-course-chris-hall
R5.16 The many different versions of ISO27001.
https://www.linkedin.com/pulse/many-tailored-different-versions-iso27001-chris-hall/
R5.17 How to do ISO27001 for a part of a company
https://www.linkedin.com/pulse/how-do-iso27001-only-part-company-chris-hall/
R5.18 Some thoughts on where to store your ISO27001 documentation
https://www.linkedin.com/pulse/some-thoughts-storing-your-iso27001-documentation-chris-hall/
R5.19 A suggested folder/page structure for ISO27001 documentation.
https://www.linkedin.com/pulse/suggested-folderpage-structure-iso27001-documentation-chris-hall/
R5.20 Some terms and concepts in ISO27001 that I don’t use.
https://www.linkedin.com/pulse/iso27001information-security-terms-concepts-i-dont-use-chris-hall/
R5.21 Why and how to use custom controls.
https://www.linkedin.com/pulse/why-how-you-can-use-custom-controls-iso27001-chris-hall-dhx4e/
R5.22 What is “inherent” risk and how to use it for information security risks.
R5.23 How to maintain your ISMS.
https://www.linkedin.com/pulse/what-do-maintain-your-iso27001-isms-chris-hall-fcezf/
R5.24 There is a new version of ISO27001. You should probably do something now
R5.25 There is a new version of ISO27006, “Requirements for bodies providing audit and certification of information security management systems”
https://www.linkedin.com/pulse/new-version-iso270061-requirements-bodies-providing-chris-hall-giddf/
R5.26 9 practical tips for getting started with ISO27001.
https://www.linkedin.com/pulse/9-practical-tips-getting-started-iso27001-chris-hall-xmmde/
R5.27 ISO27001. Time for a change. Part 1.
https://www.linkedin.com/pulse/iso27001-time-change-part-1-chris-hall-aklse/
R5.28 ISO27001 Myths: 21: “You can have controls marked as applicable in the Statement of Applicability that are not referred to in the risk assessment”
R5.29 ISO27001 suggested change 1: ISO27001 should be built on the use of an information security methodology
6. Articles about ISO27005
R6.1 The new version of ISO27005 – “Information Security Risk Management”
https://www.linkedin.com/pulse/new-version-iso27005-information-security-risk-management-chris-hall/
R6.2 How does ISO27005 answer questions about ISO27001 risk management?
https://www.linkedin.com/pulse/how-does-iso27005-answer-questions-iso27001-risk-management-hall/
7. Articles not specifically about ISO27001
R7.1 What is an “information asset”?
https://www.linkedin.com/pulse/what-information-asset-chris-hall/
R7.2 How to do policies, procedures, etc
https://www.linkedin.com/pulse/how-do-policies-procedures-etc-chris-hall/