Posts

Showing posts from July, 2022

Learning points from a 27001 certification announcement

This morning I bumped into a marketing/promotional piece announcing PageProof's certified "compliance" (conformity!) with "ISO 27001" (ISO/IEC 27001!). Naturally, they take the opportunity to mention that information security is an integral part of their products. The promo contrasts SOC 2 against '27001 certification, explaining why they chose '27001 to gain some specific advantages such as GDPR compliance - and fair enough. In the US, compliance is A Big Thing. I get that. It occurs to me, though, that there are other, broader advantages to '27001 which the promo could also have mentioned, further valuable benefits of their newly-certified ISMS.

Resilience is ...

... "the ability for systems, networks, processes, people, functions, departments, business units, business operations, organisations, business relationships, even entire nations to continue operating more-or-less unaffected by security incidents, thereby ensuring availability and hence business continuity" [source: SecAware glossary] ... depending on others and being there for them when they need us most ... "robustness, stability, dependability" [source: SecAware glossary] ... the rod bending alarmingly ... while landing a whopper ... an oak tree growing roots against the prevailing wind ... taking the punches, reeling but not out for the count ... demonstrating, time after time, personal integrity ... willingness to seize opportunities, taking chances ... coping with social distancing, masks and all that ... accumulating reserves for the bad times ahead ... the bloody-minded determination to press on ... disregarding trivia, focusing on what matters ... ...

Risk management trumps checklist security

While arguably better than nothing at all, an unstructured approach to the management of information security results in organisations adopting a jumble, a mixed bag of controls with no clear focus or priorities and – often – glaring holes in the arrangements. The lack of structure indicates the absence of genuine management understanding, commitment and support that is necessary to give information risk and security due attention - and sufficient resourcing - throughout the business. It's hard to imagine anyone considering such a crude, messy approach adequate, even those who coyly admit to using it! I'm not even sure it qualifies as 'an approach'. Anyway, the next rung up the ladder sees the adoption of a checklist approach: essentially, someone says 'Just adopt these N controls and you'll be secure'! It may be true that some information security controls are more-or-less universal, so any organisation that does not have them all might be missin...

Security in software development

Prompted by some valuable customer feedback earlier this week, I've been thinking about how best to update the SecAware policy template on software/systems development. The customer is apparently seeking guidance on integrating infosec into the development process, which raises the question "Which development process?". These days, we're spoilt for choice with quite a variety of methods and approaches. Reducing the problem to its fundamentals, there is a desire to end up with software/systems that are 'adequately secure', meaning no unacceptable information risks remain. That implies having systematically identified and evaluated the information risks at some earlier point, and treated them appropriately - but how? The traditional waterfall development method works sequentially from business analysis and requirements definition, through design and development, to testing and release - often many months later. Systems security ought to be an integral part of th...

ISO management systems assurance

In the context of the ISO management systems standards, the internal audit process and accredited certification systems as a whole are assurance controls primarily intended to confirm that organisations' management systems conform to the explicit requirements formally expressed in the respective ISO standards. A conformant management system, in turn, is expected to manage (design, direct, control, monitor, maintain …) something: for ISO/IEC 27001, that 'something-being-managed' is the suite of information security controls and other means of addressing the organisation's information risks (called 'information security risks' or 'cybersecurity risks' in the standards). For ISO 9001, it is the quality assurance activities designed to ensure that the organisation's products (goods and services) are fit for purpose. For ISO 14001, it is the controls and activities necessary to minimise environmental damage. My point is that the somethings-being-managed ar...

Skyscraper of cards

Having put it off for far too long, I'm belatedly trying to catch up with some standards work in the area of Root of Trust, which for me meant starting with the basics, studying simple introductory articles about RoT. As far as I can tell so far, RoT is a concept - the logical basis, the foundation on which secure IT systems are built. 'Secure IT systems' covers a huge range. At the high end are those used for national security and defence purposes, plus safety- and business-critical systems facing enormous risks (substantial threats and impacts). At the low end are systems where the threats are mostly accidental and the impacts negligible - perhaps mildly annoying. Not being able to tell precisely how many steps you've taken today, or being unable to read this blog, is hardly going to stop the Earth spinning on its axis. In fact 'mildly' may be overstating it. 'Systems' may be servers, desktops, portables and wearables, plus IoT things and all mann...

The discomfort zone

Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 "Identification of applicable legislation and contractual requirements", members generally ask what laws are relevant to the ISMS. That's a tough one to answer for two reasons. Firstly, I'm not a lawyer so I am unqualified and unable to offer legal advice. To be honest, I'm barely familiar with the laws and regs in the UK/EU and NZ, having lived and worked here for long enough to absorb a little knowledge. The best I can offer is a layman's perspective. I feel more confident about the underlying generic principles of risk, compliance, conformity, obligations, accountabilities, assurance and controls though, and have the breadth of work and life experience to appreciate the next point ... Secondly, there is a huge range of laws and regs that have some relevance to information risk, security, management and t...

Standards development - a tough, risky business

News emerged during June of likely further delays to the publication of the third edition of ISO/IEC 27001, this time due to the need to re-align the main body clauses with ISO's revised management systems template (specifically, the 2022 edition of the ISO/IEC Directives, Part 1 "Consolidated ISO Supplement — Procedure for the technical work — Procedures specific to ISO", Annex SL "Harmonized approach for management system standards"). Although we already have considerable discretion over which information security controls are being managed within our ISO/IEC 27001 Information Security Management Systems today, an unfortunate side-effect of standardisation, harmonisation, adoption, accreditation and certification is substantial inertia in the system as a whole. It's a significant issue for our field where the threats, vulnerabilities, impacts and controls are constantly shifting and often moving rapidly ahead of us … but to be honest it's equally pro...

Shout, shout, let it all out

Here's an insightful and enjoyable way to explore your psyche and vent a little tension at the end of a tough month, week or day. First, find yourself a private space to watch Tears for Fears. Now shout, shout, let it all out: what are the things you could do without? Grab a scrap of paper and start writing down the things you could do without. You'll find yourself stimulated by your own words to think of other things, other stuff you don't want, don't like, can't stand, even hate. Fine, scribble away. How's it going? How do you feel now - vented? Released? Or still knotted up, twisted out of shape? Come on, I'm talking to you, come on. If it all gets too much, take a break. Set your list aside to ferment for a while - as long as it takes. There's no rush. You're the boss. If you are so inclined, come back later to tidy up your list and make sense of it. How you do that is up to you. For me, it's mind-mapping, grouping things together, draw...