Thursday 24 November 2022

Exciting news: extension ladders, stubby snakes!


Having done, seen and learnt a lot in the course of working with the ISO27k standards and precursors since the mid-90s, I'm keen to share my accumulated knowledge with those of you who are relatively new to the field, just setting out and perhaps struggling to get to grips with it all.

You needn't learn everything the hard way like I did: I can help you move ahead smartly, avoiding tar pits, finding taller ladders and shorter snakes.

Knowledge transfer is the focal point of consultancy assignments but, as a lone freelancer, my influence is limited to a handful of clients at a time. Even taking into account the collective expertise of the tens of thousands of ISO27k consultants working around the globe, we simply don't have the resources to support and guide everyone all the time. 

Consultancy can be costly, despite the potential to deliver significant net value, which is particularly challenging for smaller cash-strapped organisations and start-ups, as opposed to their larger, more mature and more resourceful peers. Permanently employing information risk and security professionals is no easy option either, given limited supply and increasing global demand. Small organisations are lucky to have IT or risk specialists in-house or on-tap, let alone competent cybersecurity pros. We are spread thinner than oxygen molecules in the stratosphere.

The ISO27k Forum I launched sixteen years ago has grown steadily to nearly 5,000 members, a global and wonderfully supportive self-help community from whom I am continually learning. Aside from various points made in answering and debating different approaches, the initial questions often intrigue me. Maybe 1 in every 3 or 4 questions hints at a lack of understanding or appreciation of the standards and the risk-based approach of ISO27k. Roughly as many again are seeking ways to do things, approaches that are often described in ISO27k or elsewhere. There is plenty of advice out there, perhaps too much and of variable quality. Bringing order to the chaos is something I enjoy: battling entropy may be a fool's errand but this fool is amused to try.

So, with all that in mind, I have embarked on writing a book about designing, building, operating and exploiting an Information Risk Management System. As is my wont, it will lay out a pragmatic approach with sufficient explanation for readers to understand why things are best done in a certain way. ISO/IEC 27001 and other standards typically state quite succinctly what is required but, aside from "XYZ shall be done ..." with the implied threat "... or your IRMS cannot be certified", they rarely even hint at the benefits and, for the sake of brevity and simplicity, largely ignore alternative approaches, other (perhaps better) ways to achieve the same ends.

I plan to incorporate genuine examples and anecdotes drawn from my own consulting work, from discussions on the ISO27k Forum, and other sources. 

The book will align strongly with the ISO27k standards, partly because I know them inside-out but mostly because the information-risk-driven approach works so well for all manner of organisations, despite significant differences. That said, there are significant opportunities to incorporate sound advice from NIST, CSA, OWASP, ISACA, PCI and others as well.    

There will be a liberal sprinkling of 'Hinson tips' throughout, with a particular emphasis on shortcuts and suggestions for small organisations. It might be useful to offer readers a suite of document templates and checklists, curiously reminiscent of our SecAware materials, although I need to sort out the economics first. Maybe a reader's discount coupon would work? We'll see.

As with PRAGMATIC Security Metrics, I like the idea of keeping the main text clear and uncluttered by moving subsidiary points and more detailed explanations to footnotes on the same pages: readers in a hurry may prefer to skim read the whole book, ignoring all the footnotes/small print on a first pass but perhaps returning for a deeper dive once they experience issues in practice. It's like two books in one - an introductory overview plus a textbook with additional guidance. 

I am tempted to add exercises, not just for students in class but for practitioners learning the ropes by doing infosec in the trenches. This might even turn into a collaborative crowdsource exercise to accumulate and assess readers' answers and perhaps share further exercises, if I can make it happen. I'll need your help though!

Meanwhile, I'm taking my own medicine by elaborating on the objectives. Why am I embarking on this project? What do I hope to achieve? What are the benefits for me, for my readers and for society in general? What should I avoid? Where and how can I add the most value? What makes this book different to all the others out there, not least ISO/IEC 27001 and related standards? What shape is success?

I have already developed a skeleton structure and penned 5,000 words given the usual rush of adrenaline for any new project. Must dash: lots more words are desperate to escape my grey matter. Go fingers, go! 
