This list linked below is awesome. It doesn’t seem to be common knowledge on what it covers and how much (i.e., A LOT). Loving the clarity here.
Fun fact: ISO tells you *what* to do but not *how* to do it for most items and that’s intentional. You define that for your business/use case. It’s meant to fit a wide variety of industries.
I mention/soapbox this because I’ve heard some in security community claim they “do” ISO because they use some NIST principles.
No. No you don’t. Please don’t say that. If you’re not certified you’re not doing ISO.
When you see this list , if you’ve been saying that, you’ll be surprised at how little you knew. It’s a lot to learn but I’m loving being involved in it.
I love that it’s truly international.
If you visit any kind of ISO 27001 forum there are literally people from all over the world. I never really got that global feeling with other frameworks.