Welcome to the SecAware blog

I spy with my beady eye ...

17 Apr 2007

ISO 27001/2 implementation process

Today I've published a generic flowchart showing a typical process for implementing ISO 27002 (formerly ISO 17799 and before that BS 7799 Part 1) and gaining certification against ISO 27001 (formerly BS 7799 Part 2), within the FAQ at ISO27001security.com. The website is purely an information source - no advertising, nothing to sell - but judging by the number of hits we are getting, this is definitely a hot area. Anyone reading this who is actively using the ISO 27000-series standards is invited to join their peers in the free ISO 27000 implementers' discussion forum, a self-help community for information security practitioners. I've uploaded the Visio version of the flowchart to the forum's files area as a benefit for members; further contributions are very welcome.

More links on information security standards and laws

  1. Excellent flow chart on the ISO 27002 certification process.

    I would warmly recommend a tool for ISO 27001 automation that uses PTA - Practical Threat Analysis. What these folks have done is to write a generic library for performing an ISO 27001 assessment using the PTA Professional freeware. The framework is all there and you can build a real-life threat model in about 15 minutes by adding your own threats and assets. The part I like about PTA is the optimized risk mitigation plan that recommends the most effective controls.
    There is an article here telling the story of the PTA ISO 27001 library.

  2. Excellent job on the ISO 27002 flow chart.

    I recently ran into an intriguing application for PTA - the Practical Threat Analysis tool - called PTA ISO 27001 automation. Basically, what these folks have done is to write a PTA library for ISO 27001 which a) automates the assessment process like lightning and b) enables you to build a threat model and mitigation plan à la ISO in a few minutes.

    Read more here