Posts

Showing posts from 2020

The trouble with dropping controls

I literally don’t understand a question that came up on the ISO27k Forum this week. A member asked: ‘Should a control be discontinued because a reassessment showed a lower acceptable risk score?’ I find it interesting to pick apart the question to explore the reasons why I don't understand it, and the implications. See what you think ... Any control may legitimately be ‘discontinued’ (removed, unimplemented, retired, replaced, modified etc.) provided that change has been duly thought-through, assessed, justified, and deemed appropriate for whatever reasons. It may be important, though, to be reasonably certain that discontinuation is, in fact, in the best interests of the organization, and that’s often hard to determine as controls can be quite complex in themselves, and are part of a highly complex ‘control environment’. A seemingly trivial, unimportant, even redundant control (such as an alert) might turn ...

Is Facebook an asset?

Yet another good question came up on the ISO27k Forum today*. Someone asked whether to add the company's Facebook page to their information asset register (implying that it would need to be risk-assessed and secured using the Information Security Management System processes), or whether the asset should be the Facebook account (ID and password, I guess)**. From the marketing/corporate perspective, good customer relations are perhaps the most valuable information assets of all, along with other external relations (e.g. your suppliers, partners, prospective and former customers, regulators/authorities and owners) and internal relations (the workforce, including staff, management, contractors, consultants and temps, plus former and prospective workers). It’s tempting to think of these as just categories or faceless corporations, but in reality the interactions are between individual human beings, so social relations in general are extremely important in business. ...

2021 infosec budget

Are you responsible for your organisation's information security or cybersecurity budget? Are you busily putting the finishing touches to your 2021 budget request, still working on it, just thinking about it, or planning to do it, honestly, when you next come up for breath? Budgeting is generally a dreaded, stressful management task. Not only do we have to figure out the figures, but we typically anticipate a tough battle ahead leading (probably) to a disappointing outcome and yet more problems. On top of that, 2020 has been an exceptional year thanks to COVID. The business and information security implications of knowledge workers suddenly working from home, en masse, are still playing out now, while the economic impacts of COVID do not bode well for any of next year's budgets except perhaps for the manufacture of vaccines, masks, gloves, sanitiser and respirators. A substantial part of information security expenditure is (whatever we may believe as professionals) discretionary...

Status of ISO27001 Annex A

One of the recurrent (zombie) threads on the ISO27k Forum concerns the status of ISO/IEC 27001:2013 Annex A. Typically the zombie is prodded from its slumber by a relatively inexperienced member naively suggesting that certain security controls from Annex A are essential or mandatory for certification. In the course of debating and attempting to bury the zombie, some members trot out their own curious interpretations of the standard, pointing out actual and apparent discrepancies in the wording which, to them, indicate that Annex A is at least partly mandatory. I'm too polite to say they are wrong, but I believe they are misguided or mistaken - partly, it must be admitted, because the standard is ambiguously worded in some areas, hence it has to be interpreted carefully in practice. To be clear, based on my three decades' professional experience and membership of ISO/IEC JTC 1/SC 27, my position is that none of the controls outlined in Annex A are mandatory. None at...

Standardising ISMS data/application program interfaces

We've been chatting on the ISO27k Forum lately about using various IT systems to support ISO27k ISMSs. This morning, in response to someone saying that a particular tool which had been recommended did not work for them, Simon Day made the point that "Each organisation trying to implement an ISMS will find its own way based on their requirements." Having surveyed the market for ISMS products recently, I followed up with my usual blurb about organisations having different information risks and business situations, hence their requirements in this area are bound to differ, and in fact vary dynamically (in part because organisations mature as they gain experience with their ISMS: their needs change). The need for flexibility is why the ISO27k standards are so vague (essentially: figure out your own requirements by identifying and evaluating your information risks using the defined governance structure - the ISMS itself), rather than explicitly demanding particular securit...

NZ Stock Exchange DDoS continues

The New Zealand Stock Exchange is having a rough week. Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption. DDoS attacks are generally not sophisticated hacks but crude floods: vast volumes of traffic sent to overwhelm the servers. The Host Error message above shows "RedShield", which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ... If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers, which can't cope. Presumably this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block; in other words, RedShield is patently not preventing the DDoS. I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not pa...

Creative teamwork post-lockdown

A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working. If you missed it, please catch up and contemplate how you might use tools such as that right now for teamworking during the COVID lockdowns. Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads. Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are: Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers; Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing layer of automation smarts and netwo...

ISMS templates

Systematically checking through ISO/IEC 27001 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded to ... which can make it tricky both to comply with the standard and to persuade the certification auditors of that. Here's an example, one of the document templates from SecAware ISMS Launchpad: That succinct one-pager addresses two requirements from the standard: Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance; Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness....

ISMS comms plan

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web. Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad. Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and proceeds to outline - yes, you guessed it - a "communications plan". ISO/IEC 27003:2017 confirms our assessment by stating explicitly: "Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system". In other words, a documented comms plan ...

Creative teamwork in lockdown

Inspired by a heads-up from a colleague on LinkedIn, I bumped into MURAL today. MURAL is a 'digital workspace for visual collaboration' by virtual teams. The animated demonstration on their home page caught my beady eye. Here's a static snapshot as a small group of people are busy placing/moving blobs on a graphic, presumably while discussing what they are doing on a parallel channel (e.g. Zoom): Replacing the static monochrome graph with one of our colourful red-amber-green Probability Impact Graphics, a Risk-Control Spectrum, Universal Awareness Device, mind map, word cloud, process flowchart, any form of metric, clustered Post-It Notes, architecture diagrams, conceptual designs, strategy maps ... or ... whatever ... the approach would work nicely. MURAL looks like a creative, fun and productive way for groups or teams working from home to collaborate virtually as if they were physically present in one of those soulless corporate meeting rooms lined with whiteboards ...