Posts

Showing posts from 2019

ISO27k awareness & training materials

We have published a set of security awareness and training materials concerning a topic I've been itching to cover for years, literally (the years part, not the itching ... thanks to the magic ointment). I've been a user and fan of the ISO/IEC 27000 series standards since forever, before they were even conceived, even before BS 7799 was published. From the original corporate security policy and 'code of practice' on information security (essentially a catalogue of information security controls), ISO27k has grown into a family of related standards, along the way assimilating a couple of other standards and, lately, expanding into privacy, eDiscovery, IoT, smart cities, big data and more. Making sense of the bewildering scope of today's ISO27k was a particular challenge for this awareness module ... and of course ISO27k is not the only source of guidance out there ... The module came together and turned out nicely ... I'm especially pleased with how the ISO27k ...

Pakistan supports ISO27k

Through the Pakistan Software Export Board of the Ministry of IT & Telecom, the Pakistan government is subsidising 80% of the cost of consultants and auditors to advise and certify Pakistani IT companies against ISO 20000 (ITIL) and ISO/IEC 27001 (information security). With over 5,000 companies in Pakistan offering Business Process Outsourcing and IT services, this represents a substantial investment, reflecting the government's intention to raise standards in the industry. Good on them! If only other governments would follow their lead.

How many ISO MSSs are there?

Did you know there are fourteen ISO Management Systems Standards*? ISO 9001 Quality management system; ISO 13485 Medical devices quality management system; ISO 14001 Environmental management system; ISO 18788 Private security ops management system; ISO/IEC 20000-1 IT service management system; ISO 22000 Food safety management system; ISO 22301 Business continuity management system; ISO/IEC 27001 Information security management system; ISO 28000 Supply chain security management system; ISO 37001 Anti-bribery management system; ISO 39001 Road traffic safety management system; ISO 45001 Health and safety management system; ISO 50001 Energy management system; ISO 55001 Asset management system. Is this a cottage industry, ISO's sausage-machine churning out MSSs one after another? Has ISO d...

Zero-based risk assessment

In a thread on the ISO27k Forum, Ed Hodgson said: "There are many security controls we have already implemented that already manage risk to an acceptable level e.g. my building has a roof which helps ensure my papers don't get wet, soggy and illegible. But I don't tend to include the risk of papers getting damaged by rain in my risk assessment". Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS? That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the ...

ISO27k maturity metric

Yesterday I completed the "universal KPI" metrics paper for the ISO27k awareness module. The finished article uses the management system requirements from the main body of ISO/IEC 27001, followed by the security controls in Annex A or ISO/IEC 27002 (mostly), as the basis for measuring an organization's ISMS. Here's a little taster (click to enlarge): I have added a few supplementary controls and scoring criteria in areas where I feel '27002 falls short of current good practice e.g. policy management, business continuity and compliance. At some future point, I will add IoT, cloud security and perhaps other controls for the same reason. One of the advantages of this style of metric is that it's straightforward to maintain, such as updating or adding new scoring criteria, ideally in such a way that prior scores remain valid. As it is, it's already a lengthy, detailed paper - a 37-page Word document with two tables in landscape format containing ~13,000 wor...

32,000 ISO/IEC 27001 certificates

The latest ISO Survey gives the certification figures for 2018 on ISO's management systems standards. Yes, evidently it takes that long to compile and publish the data. No, I don't know why it is so slow, except that it involves gathering information from busy certification bodies dotted around the globe. By donkey, maybe. Anyway, here are some of the stats: So, by now there are probably more than 32,000 ISO/IEC 27001:2013 certified organizations globally, each cert covering two physical sites on average. A further unknown number are currently in the process of being certified, or have chosen to adopt the standards without being certified compliant. Compared to ISO9k (quality management) and ISO14k (environmental management), ISO27k (information risk & security management) is way behind, meaning a lot of growth potential - more than 27 times the current uptake to match ISO9k. Yes, I'm an optimist. ISO's other management system standards are: ISO22k ...

The business case for ISO27k

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate. Well, that was the cunning plan anyway. So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise. If management is willing to accept the organization's current information risk status, there's no need to splash out on addi...

What is an 'information asset'?

ISO/IEC JTC 1/SC 27 tied itself in knots for years trying to answer that disarmingly simple and straightforward question, failing to reach consensus and eventually admitting defeat. Back in 2014, ISO/IEC 27000 defined "Asset" very broadly as "anything that has value to the organization ... including: information; software, such as a computer program; physical, such as computer; services; people, and their qualifications, skills and experience; and intangibles, such as reputation and image." To narrow it down a bit in the context of ISO27k, "Information asset" had also been explicitly defined in ISO/IEC 27000:2009 as "Knowledge or data that has value to the organization". That definition still works quite well for me. "Information asset" refers to the intangible content - the meaning of information - rather than the vessels, media, equipment, facilities and human beings that house, process, communicate and use it. The content is both...

A universal KPI

For January's security awareness module on ISO27k, I'm developing a detailed checklist with which to assess, evaluate and score each of the information security controls recommended by ISO/IEC 27002 (as summarized in Annex A of ISO/IEC 27001)*. The checklist/scoring format is one I invented years ago and have been using and refining ever since. It is a kind of maturity metric that has proven very valuable in practice, giving surprisingly consistent and useful results despite the subjective nature of the checks. I am laying out 4 'indicators' for each control from '27002, specifying the kinds of things that would typically correspond to scores of 0% (exceptionally weak or missing controls) through 33% and 67% to 100% (exceptionally strong or cutting-edge controls). The 50% centre point on the scale divides 'inadequate' from 'adequate' controls, although that only really applies in the context of a mythical generic mid-sized organization with minimal...

Risk treatments

Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks. ISO/IEC 27005 describes 4 risk treatment options: Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano for example; Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts; Retain the risk: this is the default - more on this below; Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice. Risk management standards and advisories usually state or imply that these 'options' are exclusive, in other words alternatives from which w...

A brutal lesson in risk management

Yesterday's volcanic eruption on White Island is headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13. Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two thirds of which were caused by cardiovascular diseases or cancer: So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%. "Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media. Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking...

ISO27k security awareness

Our two-hundred-and-first security awareness module concerns the ISO27k standards. The quotation from ISO/IEC 27000 is right on the button: information is worth securing because it's valuable, essential in fact. Inadequately protected organizations hit by ransomware incidents know that only too well, with hindsight ... which is of course 20/20 ... And that reminds me: as the monthly awareness service draws to a close, I'd like to think we'll be leaving the world in a better state in 2020, but to be honest we've made little impression. Pundits have long advised that security awareness is important. An increasing proportion now recommend regular awareness activities. A few even suggest a continuous or ongoing approach. Perhaps they've been listening. I've been banging that drum for 20 years. As we hand over the reins, I hope the information security management and awareness pros will finally come to recognize the value of not treating their awareness au...

Infosec driving principles

In an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles': "The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company ... be clear about what you need to do and we train people accordingly. ... The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... And the fin...

Social engineering awareness module

December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right! I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people. Vigilance is often the only remaining hurdle to be overcome, m...

Risks, dynamics and strategies

Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often did. Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends. On Probability-Impact Graphics, it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective). [Click the PIG to watch it dance] It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainti...