Individuals chosen by senior management to audit Information Security Management Systems are not necessarily well-trained, highly qualified, experienced and (to be frank) competent professionals. ISO/IEC 27001 certification auditors from accredited certification bodies definitely should be, but for various reasons, some of them are, let's say, winging it. Reports indicate that some simply do not understand or accept that Annex A is a set of DISCRETIONARY controls, for example. As to ISMS internal audits, well Internal Audit Departments are commonly only found in large, mature, heavily-regulated organisations: most either contract out their internal audits, pick whoever failed to duck at the right moment, or simply forgo the pleasure - and value - of independent examination and evaluation. This week, I've developed a succinct guideline for ISMS auditors , laying out for each of the main body clauses of the standard: (a) The types or items of evidence worth hunting down: the ...

This morning, Greg asked us on the ISO27k Forum for advice on ISO/IEC 27001:2022 security control A.5.7 Threat Intelligence. "I've read the details in ISO 27002 and understand it in theory. But what does a threat intelligence program consist of and look like when implemented? What tools would a infosec team use to collect threat intel, how would they analyze it and use it, etc? What have you seen in your own environments or those of clients?" FWIW here's my response: I agree with you Greg: the page of advice on threat intel in '27002 is all well and good, but what does this look like in practice? It's not entirely obvious. At a basic level, it starts with 'situational awareness' - someone simply watching out for potential or actual threats in the organisation's external and internal environments, spotting them, tracking them, thinking about and maybe responding to them. Threats become evident when incidents occur, of course, but also events and ne...

Whereas ISO/IEC 27001 indicates that only fourteen (14) types of ISMS documentation are strictly required, that is barely a start. Both mandatory and  discretionary documents are essential . ISO/IEC 27001 c lause 4.4   states: “The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.” Documentation (termed 'documented information' in the standard - see clause 7.5) is generally the best way for management to inform workers about their information security responsibilities  e.g. through written policies, procedures/work instructions and job/role descriptions, accompanied by awareness and training materials such as guidelines and briefings. In addition, many security-related processes generate 'records' such as completed forms, reports and authorisations. By the way, electronic rather than printed...

Abandonware - left to rot in a cul-de-sac off the information superhighway Adware - pushes products like a street dealer Alienware - arrived from another universe Aware - clues provided, boxes ticked, back to normal, things to do  Badware - should be sent to the naughty step Betaware - beta hope it works Blackware - interleaved with whiteware, forms a zebra crossing Bloatware - so fat it has its own postcode Bundleware - less bundle of joy, more bundle of old rags Cloudware - play misty for me Copware - press the wrong button and get hit with 50,000 volts Crapware - press the wrong button and evacuate your bowel Creepware - started lower-left, imperceptably heading upper-right Crimeware - reveals the secret password character-by-character on TV Crippleware - almost does what you want, but not quite Crudware - the oh so polite version of crapware Donationware - like being mugged by the tin-shakers Dribbleware - something to keep old aunt Doris amused before bingo  Everyware...

Yesterday I blogged about ISO/IEC 2382 - Information technology - vocabulary . In particular, one of the ~2,000 ISO definitions stood out enough to catch my beady eye: “ Computer-system audit : examination of the procedures used in a data processing system to evaluate their effectiveness and correctness, and to recommend improvements”. Errrr, that covers  some of the audit work I have undertaken, led/managed, been subjected to or heard about in my career* but omits rather a lot e.g. :   IT governance arrangements, strategies, information risk and security management, direction and oversight, structure, integration with other business functions, rôles and responsibilities, accountabilities, reporting lines, assurance, continuous improvement, barriers and progress; Staffing levels and competencies, recruitment and retention, succession planning, contractors and consultants; Security administration, joiners/movers/leavers, culture, awareness and training, accounts/identif...

This week, I'm thoroughly engrossed by a deep dive into ISO/IEC 2382, a suite of standards on IT terminology from the 1990's around the end of the previous millennium - ancient history as far as IT goes. "ISO 2382 was initially based mainly on the usage to be found in the Vocabulary of Information Processing which was established and published by the International Federation for Information Processing and the International Computation Centre, and in the American National Dictionary for Information Processing Systems and its earlier editions published by the American National Standards Institute (formerly known as the American Standards Association). Published and Draft International Standards relating to information technology of other international organizations (such as the International Telecommunication Union and the International Electrotechnical Commission) as well as published and draft national standards have also been considered." I say "IT" but it...

The CISO Playbook by Andres Andreu ISBN:  978-1032762074 US $48 from Amazon (softback) GH rating: 70% Summary The CISO Playbook  is a valuable resource for cybersecurity specialists seeking to build on their technical competencies and progress, or for mid-level IT professionals looking to deepen and extend their understanding of cybersecurity technologies. However, aspiring or newly promoted or appointed CISOs seeking practical advice on the leadership and management challenges of a true C-suite role are out of luck.  The book  leans towards technical details rather than leadership and management topics, core parts of the CISO role.   While the technical coverage is commendable, the book would benefit from a broader perspective that encompasses the full scope of a CISO's senior management responsibilities.  Frankly, and despite the title, t he approach described is, I feel, better suited to Cybersecurity or Information Security Managers, heads of department...