Posts

Showing posts from April, 2014

Specifications for a consultant

[In response to a LinkedIn query about finding an information security consultant for a 'security compliance project' (whatever that means!), I developed a slightly shorter version of the following advice, extending something I wrote much earlier in relation to finding a contractor/consultant IT auditor. I think the basic principles are quite general and deserve a wider airing, so I'm repeating them here for now. I may yet turn this into a paper for one of the websites or journals if the feedback is positive, provided I ever find the time and energy to continue.] In preparing to contract with a consultant, there are maybe three or four distinct aspects to consider and document. Some issues blur across the aspects shown, and there may well be other factors you need to consider. Furthermore, answering the rhetorical questions below may involve reviewing other answers, plans etc. - this is an iterative process of Consider - Document - Review - Reconsider ... Define the wor...

Rejected ISO/IEC 27002 control on cloud computing

Suggested text for a new control on cloud computing Back in February 2011, I proposed to incorporate a new information security control on cloud computing into ISO/IEC 27002, which was being revised by the committee at the time. See what you make of the donor text I provided in New Zealand's submission to ISO/IEC JTC1/SC27 ... ---------------------------------- Control objective To identify and mitigate the information security risks associated with cloud computing. Implementation guidance The organization should analyze the information security risks associated with its intended use of cloud computing and specify appropriate risk treatments, normally including specific information security controls such as those outlined below, as part of the process of determining its requirements for cloud services. The following information security controls are not meant to be comprehensive, but suggest typical information security aspects to be taken into account when implementing clo...

What are KPIs?

Krag and I have discussed this question from time to time and, although we are broadly aligned in our thinking, we haven't yet totally resolved our differences ... which makes the exchanges fun. With that in mind, I always wonder what someone really means when they talk about KPIs. To some, Key Performance Indicator has a very specific and particular meaning, although I suspect if we assembled a dozen such people in a room to discuss it, we'd soon end up realizing that we have more than a dozen different interpretations! To others (including me, as it happens), KPI is a generic, blanket term for a class or type of metric that satisfies the criteria implied by the term: Key implies that the metric itself is especially important, crucial or vital even, given that there are many, many different ways to measure and assess things but most of them are of limited value. Picking out the few things that truly matter is a core issue in metrics. 'Spam volume' is an example of a...