Thursday 28 March 2024

An evolutionary revolution?

"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Wednesday 27 March 2024

Pragmatic ISMS implementation guide (free!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:
  • 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:

    • These changes are mostly minor aside from the new section 6.3 on ISMS changes.

Saturday 23 March 2024

Knit your own security metrics

This morning on the ISO27k forum, Vurendar told us: 

"I saw your PRAGMATIC book but I was confused about the way criteria and numbers were assigned. If you could guide me, it would really help. I'm doing an RBI-based compliance assessment where the regulator has asked for such metrics. Help would be really appreciated."

Here's my reply. 

For guidance on choosing which metrics to consider and perhaps score, I recommend Lance Hayden's book "IT Security Metrics", which describes the Goal-Question-Metric approach. Essentially, the idea is to identify the main Goals or objectives (such as "We must protect the most valuable information strongly"), then explore each objective by posing related rhetorical Questions (such as "How do we know what information is the most valuable?" and "How strongly are we protecting it?"), and from there work out what Metrics might help you answer those questions. GQM resonates with me. See what you think.

Doug Hubbard's book "How to Measure Anything" is a popular textbook on measurement techniques.

It's easy to come up with a bunch (dozens, hundreds, even thousands!) of possible metrics and variants. The GQM method, crude brainstorming, the various books, websites and methods that list metrics, ISO/IEC 27004, Googling, or simply asking around to find out what metrics people use or recommend, all share the same problem: how do you decide which of all the possible metrics, if any, are actually worth using? That's the challenge we addressed in PRAGMATIC Security Metrics.

For guidance on the PRAGMATIC method for scoring, comparing, selecting and improving metrics, please take a look at the website. It's a systematic way to score and evaluate individual metrics according to the P.R.A.G.M.A.T.I.C. parameters outlined there and described in detail (with ~100 worked examples!) in the book.

I work with consulting clients to:
  • Review their existing metrics and approach to measurement; 
  • Develop business-focused measurement strategies; 
  • Design measurement systems and metrics suites with a selection of worthwhile metrics; 
  • Integrate the metrics into their management information flows and governance processes; 
  • Use them systematically to drive performance.  
It's an advanced topic though, something worth doing as an ISMS matures.  The process is quite involved and tricky in parts ... but clients learn a lot about their organizations' information risk and security-related objectives, figure out what information their managers actually need, and have a much better grip on things.

Tuesday 12 March 2024

A nightmare on DR street

A provocative piece on LinkedIn by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.

Wednesday 28 February 2024

ISMS implementation project guidance checklist

This checklist will be appended to a new SecAware guideline on implementing an ISMS, elaborating clause-by-clause on ISO/IEC 27001 - essentially, our version of ISO/IEC 27003.  It offers pragmatic guidance for information security managers and CISOs - nothing too obscure or complex.

Project definition, justification, scoping and planning

  • Study the standards, in depth: complete lead implementer training if possible.
  • Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.
  • If the organisation has a defined, structured approach for this phase, use it!
  • Build a business case that identifies and promotes the business benefits of the ISMS.
  • Look beyond ‘security’ and ‘compliance’, e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.

Tuesday 27 February 2024

Mil-spec management lessons

"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph, plucked from this month's impressive NZ Air Force newsletter about the military response to the devastating flooding caused by Cyclone Gabrielle here in Hawke's Bay, caught my beady eye this morning.

The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.

Monday 26 February 2024

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

  • “The organization shall determine whether climate change is a relevant issue” (clause 4.1);

  • “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what climate change has got to do with information risk and security? Is it even relevant? Having been mulling that over for quite some while now, I've come up with a dozen points of relevance:

For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

Friday 23 February 2024

ISMS internal audit priorities

A thread on the ISO27k Forum sparked my imagination over coffee this morning.

Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan. 

Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements.

ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the standard, and is effectively implemented and maintained. There is no "ALL" in the standard's main body clauses. Spreadsheets are not mentioned at all, not even once.

Sunday 18 February 2024

Mandatory documentation in ISO27001

ISO/IEC 27001 formally requires just 14 types of "documented information" of every organisation competently certified conformant with the standard, as a minimum:

1. ISMS scope (Clause 4.3);
2. Information security policy (Clause 5.2);
3. Information security risk assessment procedure (Clause 6.1.2);
4. Statement of applicability (Clause 6.1.3 d);
5. Information security risk treatment procedure (Clause 6.1.3);
6. Information security objectives (Clause 6.2);
7. Personnel records (Clause 7.2);
8. ISMS operational information (Clause 8.1);
9. Risk assessment reports (Clause 8.2);
10. Risk treatment plan (Clause 8.3);
11. Security measurements (Clause 9.1);
12. ISMS internal audit programme and audit reports (Clause 9.2.2);
13. ISMS management review reports (Clause 9.3.3);
14. Records of nonconformities and corrective actions (Clause 10.1).

However, in the course of writing an ISMS implementation guideline, I have realised that #8 on the list is, strictly speaking, discretionary, not mandatory.

Sunday 11 February 2024

Innovative approaches to ISO/IEC 27001 implementation

This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.  

I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, requiring a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.

I'm also intrigued by the possibilities of unconventional, creative, less boring approaches to implementation project planning - for example, instead of plodding sequentially through ISO/IEC 27001, clause-by-clause, think about:

Sunday 17 December 2023

Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.

This is just a rough diagram to illustrate the concept.  Very rough.  "Rough as" as we say down here on the Far Side.

Saturday 16 December 2023

Assessing upstream supply chain information risks

Yesterday, someone sought guidance from the ISO27k Forum on categorising vendors by risk. Here's my coffee-fueled early-morning response, lightly edited for this blog.

Risk assessment criteria

In the context of an ISO 27001 Information Security Management System, information risk in the upstream supply chain/network, viewed from the customer organisation's business perspective, is the primary concern in relation to vendors. 

Breaking that down, the kinds of factors that may affect the information risk levels include:

Friday 15 September 2023

Checklust security

Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."

Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns both "IP address" and "routing information", meaning both parts, not either one. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivety of question 35. If this is all Greek to you, maybe not.

Thursday 10 August 2023

Hyperglossary published!

Having declared it officially 'done', the SecAware information security hyperglossary is finally self-published as an eBook in PDF format. More than three thousand terms-of-art are defined in the areas of:
  • Information risk 
  • Information security 
  • Cybersecurity (IT/Internet security)
  • ICS/SCADA/OT security
  • Artificial Intelligence
  • Privacy, data protection, personal information
  • Governance
  • Conformity and compliance
  • Incidents 
  • Business continuity
  • and more. 
It has taken me three decades so far to compile the glossary, initially just as a reference for my personal use, then for our security awareness clients, and now for anyone with a little cash to spare and an interest in the field.

Friday 28 July 2023

Using security enquiries by customers as a security metric

On CISSPforum, Walt Williams suggested a novel security metric:

"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk of if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report.

You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization.

My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer.

It doesn’t get much better than that."

So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayden - a method as useful in information security as in other fields) followed by a PRAGMATIC evaluation (as ineptly described by yours truly plus Krag Brotby - a subjective assessment of the value of the metric in the presumed context of a mid-to-large commercial organisation):

Thursday 27 July 2023

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.

Here's an example of a definition originally added a couple of years ago and most recently amended today:

There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions, and so on, forming an extensive web within the document.

Monday 17 July 2023

The biology of bias

'Bias' is generally considered a negative human trait with both practical and ethical implications. Paradoxically, however, that negativism can itself be considered a form of bias. Bias can - sometimes - be positive, beneficial, even necessary, and is to some extent an inevitable consequence of our biology.

In Darwinian terms, 'cognitive bias' comprises a fairly diverse set of behavioural traits that have evolved over the millennia, such as:

  • Confirmation bias: a tendency to seek out and place greater emphasis on information that appears to confirm what we already believe, while avoiding, ignoring or downplaying contradictory information;

  • Anchoring bias: initial information (no matter how accurate) provides a basis for comparing and evaluating further information;

  • Observation bias: the mere fact that something is being observed, investigated, discussed, measured, focused-on etc. increases its apparent importance or value;

  • Balance bias: humans are curiously obsessed with achieving balance, equilibrium, parity, fairness, moderation, neutrality, centrism etc. in all manner of situations, despite 'balance' generally being a costly, fragile, often temporary and potentially risky state - in other words, imbalance (a.k.a. bias) is natural whereas balance is unnatural and takes effort, but for some strange reason we seek, strive for and value it anyway. 

The fact that these traits exist today strongly suggests that they confer evolutionary advantages. Biases evidently have their biological utility and value, helping biased individuals survive, prosper and procreate somewhat more efficiently than the unbiased. 

I repeat, bias (imbalance) is natural.

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:

I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Sunday 16 July 2023

Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published.

The introduction to the new edition commences:

"The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:
— social engineering attacks;
— zero-day attacks;
— privacy attacks;
— hacking; and
— the proliferation of malicious software (malware), spyware and other potentially unwanted software."

Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

Wednesday 12 July 2023

A pragmatic alternative to the SuperCISO [L O N G]

Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. 

Today, Nigel Landman referred us to an interesting article by JC Gaillard at 

JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical. 

For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically: an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.

As to whether we need CISOs at Exec Committee or Board level, I agree with JC.