Posts

Showing posts from March, 2022

The TEN controls ISO/IEC 27002 missed

Despite the excellent work done to restructure and update the standard, I still feel some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022, these TEN for example: Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high probability x low impact and low probability x high impact information risks (the orange zone on probability impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details. Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information a...

Information risk and security management reporting

Last Thursday, a member of the ISO27k Forum launched a new discussion thread with this poser (lightly edited): "Having recently become an ISMS coordinator, I must prepare a monthly report to management. How does one write an information security report? What should be reported?" Over the weekend we've raised and debated a bunch of ideas, such as a tiered approach, starting at the detailed operational level with effectiveness metrics for the selected information security controls, then aggregating and summarising information for less frequent reports to higher management, emphasising the business perspective (e.g. reporting not just the number of incidents, but a breakdown by severity level mapping to business impacts for senior management). Using appropriate metrics makes sense, of course. It also occurs to me that, aside from structuring the reports according to the information security controls and incidents, you could use the information risks in a similar wa...

Information security control attributes

Today I published a 20-page white paper about 'control attributes', inspired by those presented in ISO/IEC 27002:2022. The concept behind the paper has been quietly brewing for a couple of months or more, taking the past few weeks to crystallise into words in a form that I'm happy to share publicly. In a nutshell, 'attributes' are characteristics or features that can be used to categorise, sort or rank information security controls by various criteria. That simplistic concept turns out to unlock some powerful possibilities, described pragmatically in the paper. It's a more innovative and valuable technique than it may appear. Along the way, I regret inadvertently upsetting the team of JTC 1/SC 27 editors working on ISO/IEC 27028 by sharing an incomplete draft with them in the hope it might become the basis of the initial draft of the new standard. During a Zoom meeting. At 3:00am, NZ time. I wasn't at my best. Ooops. Anyway, now the paper is published, I...