Showing posts from July, 2020

Who's for a Pimms?

Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft. A PIMS is very similar to an Information Security Management System, hence compliance auditing and certification are also very similar – so much so that I’ve heard some certification bodies are already taking the initiative by issuing PIMS certificates despite their not being formally accredited for that. Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices. A PIMS should materially reduce an organisation’s risk of suffering privacy breaches. However, as with an ISMS, ‘materially reduce’ is not quite t...

Boost your ISO27k ISMS with SecAware Take-off

SecAware ISMS Launchpad comprises a set of templates for the mandatory documentation that every compliant Information Security Management System must have: a basic ISMS strategy, scope, Statement of Applicability, Risk Treatment Plan, information security policy, that sort of thing. If your organisation only needs an ISO/IEC 27001 certificate, this tidy stack of templates forms a stable, compliant platform from which to launch your ISMS. Download Launchpad and get started today! Hot on its tail, today we announce the next phase of our mission to convince every organisation to manage its information risks properly. If your organisation sees the value in going a little beyond the bare minimum, SecAware ISMS Take-off takes you to the next stage. Take-off provides all of these: The Take-off materials primarily concern management. An ISO27k ISMS is, after all, a management system. Template #2 "Strategic objectives for information risk and security managemen...

An interesting risk metric

We were chatting over coffee this morning about an organisation that is recruiting at the moment. Having been through the cycle of advertising, preselecting/long-listing, interviewing and short-listing candidates, their references came back negative, forcing the organisation to reboot the recruitment process. On the one hand, that's a disappointing and somewhat costly outcome. It suggests, perhaps, that the preselection and interviewing steps could be tightened up. Were there warning signs - yellow or red flags that could/should have been spotted earlier in the process? On the other, it also indicates that the selection/recruitment process is effectively identifying and weeding out unsuitable applicants, avoiding what could have turned out to be even costlier incidents down the line if the appointments had been made and the new recruits had turned out to be unsuitable. So, Proportion of shortlisted candidates rejected as a result of poor references is one of several possibl...

Infosec roles & responsibilities

For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities. The procedure itself is straightforward - just one page of written instructions covering a simple four-step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points. It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security. Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve up ...

An appetite for risk

Today we've been chatting about this on the ISO27k Forum: "Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In case when the potential impact of the risk is below $50k (risk appetite), we should accept the risk, right? My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?" I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it. It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in e...

Tips on preparing successful proposals

"The Winning Business Case: how to create a compelling conceptual, analytical and pitch model that your audience will love" is a free eBook from OCEG - more than 20,000 words of advice about generating and pitching a business case for investment in some sort of risk-based project or initiative. The Open Compliance and Ethics Group identifies as: "a global nonprofit think tank that helps organizations reliably achieve objectives, address uncertainty and act with integrity ... We inform, empower, and help advance our 85,000+ members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrit...

ISO27k ISMS products

Having drafted a generic requirement specification for systems supporting an ISO27k ISMS, I’m slowly trawling the Web for products in the hope of finding apps, templates and services that we would be willing to use ourselves and recommend to our consulting clients. So far I’ve found about 20 commercial or open-source ISMS systems plus maybe twice that number of risk management systems, plus quite a variety of more focused systems supporting incident management, business continuity, vulnerability management, patch management etc. It’s a confusing, sprawling and dynamic market … so I’m also working on a structured evaluation process that will help us pick out gems from the stones on offer, depending on our own and our clients' specific needs. Along the way, I've picked up murmurings of discontent from customers saddled with low-quality content supplied with some ISO27k ISMS systems and toolkits. Aside from variation between the products, could it be, I wonder, that some of the p...

The small but perfectly formed ISMS

While consulting for small organisations lately on designing and implementing their ISO/IEC 27001 Information Security Management Systems, I have often seen resourcing constraints come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, and insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management. Currently, though, I’m gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb. With barely enough cash-flow to sustain the business during COVID and the obvious need to focus on core business activities, it’s no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, howeve...

The day the Earth stopped spinning

Here's something we don't see very often, well for no more than a fraction of a second, normally, discreetly tucked away at the bottom left corner of the browser window. Today was different. Today the message was there long enough for me to grab that little screen shot. Meanwhile, I had to wait s e v e r a l   l o n g   m i n u t e s for the Google search results to appear. Minutes I tell you, minutes! Several of them! Shock! Horror! My little world stood still for a moment, my online life on hold. In an instant, I realised that not only have we grown accustomed to near instantaneous access to Google's gigantic Web catalogue, but that I am actually quite dependent on it. I do sometimes use other search engines but I always scurry back to Google because it works well, almost always. The only reason I am bloggering on about it here is that a Google service failing is so unusual, exceptional in fact. Almost unheard of. The techn...

Of APTs and RPTs

Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian nuclear fuel processing plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done. We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing. Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were. In contrast to APTs, RPTs ...

SecAware ISMS LaunchPad

We have just released ISMS Launchpad, a suite of mandatory ISO27k materials - templates for each of the documents required for organisations to be certified compliant with ISO/IEC 27001:2013. The idea is to get you past the initial staring-blankly-at-a-blank-page stage, trying to figure out what the standard really means by "Statement of Applicability", "ISMS Scope" or whatever. We know how daunting this can be, especially for small companies that want or need to implement the ISO27k standards but lack the resources and expertise. We appreciate that it is tricky to interpret the wording of the standards and come up with documentation that will satisfy the certification auditors' expectations. With nobody to turn to except Alexa and maybe the ISO27k Forum, it's hard to navigate the ISO27k universe unaided. So, this is what we set out to provide: All the mandatory docs as specified in the main body of '27001 and required of all organisations seeking ...