Risky Business: Thoughts on ISO 27001 and Risk Management

by Joseph Kirkpatrick / March 30th, 2016

Welcome to the inaugural Risky Business blog! The goal here is to provide education about the ISO 27001 standard and provide useful advice on how this framework can be used to solve many of your compliance and information security problems.

I have been using ISO 27001 for over a decade as the foundation for information security programs that I’ve developed and directed, both for myself and for my clients, and have seen the efficacy of the standard firsthand. ISO 27001 is unique in that it gives a clear framework that is risk-based, business-focused, and allows its users to build an information security program that meets their specific information security needs. It’s not a one-size-fits-all approach, but rather it tailors itself to your organization’s security needs based on your particular risk.

ISO 27001 is the successor to ISO 17799, and to BS 7799 before that, and is part of the ISO 27000 series of information security standards. BS 7799 was published in 1995 by the government of the United Kingdom, so the core content behind this standard has been around for over 20 years. It was labelled a “Code of practice for information security management.” In short, it tells you how to design and operate your information security management system (ISMS), or information security program.

Since you are reading an information security blog, you might be somewhat familiar with other commonly used information security standards such as PCI DSS or HIPAA. ISO 27001 takes a very different approach to information security than standards such as these. Whereas PCI DSS, for example, tells you specifically which controls you have to use (the prescriptive approach), ISO 27001 lets you decide which controls best suit your particular information security needs (the risk-based approach). It’s a very different way of looking at things and requires a different mindset for those of you who are used to simply going “down the list” of controls, requirements, etc. The real magic in ISO 27001 is that, in following it, you essentially create an information security standard that is customized for your organization. It’s like making a tailor-fitted version of the PCI DSS just for you. This tailored version not only addresses your particular information security needs and environment, but also lets you avoid wasting effort and resources on controls of little or no value to your organization. Again, it’s tailor-made for you.

ISO 27001 really is somewhat magic! I’ve consulted for hundreds of clients over the last few decades, and have noticed that those that use ISO 27001 as the basis of their information security programs are always head and shoulders above those that don’t. Not only are their programs more mature and effective, but they also spend their budget far more effectively, since ISO 27001 targets their real, actual risks instead of some theoretical risk on a piece of paper. We want you to be able to enjoy the same advantages that those organizations enjoy.

In upcoming posts, we will break down the standard into bite-sized pieces that are easy to understand and put into practice. In the meantime, we’d love to hear from you. What experiences have you had with ISO 27001? What questions or concerns do you have about the standard? Email me at b.penn@ or contact us to learn more. We look forward to hearing from you!