Showing posts from January, 2023

Why get ISO 27001 certified?

If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management. Fantastic! The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties. Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls...

AI/ML risks and opportunities

I am currently researching topics such as 'information risk management' and 'risk treatment', using Google as usual and comparing it against ChatGPT to see how it fares. Many of the pages suggested by Google are either too superficial or (to varying extents) factually incorrect, biased or misguided, hence are of little to no value - in my personal opinion anyway, knowing that I am naturally subject to confirmation bias and others. Roughly three quarters of the pieces offered by Google are not worth opening, and a fair proportion of the remaining quarter are superficial marketing collateral (a.k.a. tripe). If AI/ML robots such as ChatGPT simply suck up, blend and spew out such information indiscriminately in generating their outputs, regardless of the quality of their sources, they are likely to present and further the prevailing opinions, feeding the mindless group-think that spreads misinformation, conspiracy theories and so on, not just tripe. This situation highlig...

2 more topic-specific information security policies

We have just completed and released another two information security policy templates through SecAware.com. The latest additions are security policy templates on: APIs (Application Programming Interfaces) and microservices, used as building blocks to construct compound applications; DNS (Domain Name Service), used to associate domain names with Internet server IP addresses. The full SecAware policy suite now has 83 templates. They were all researched and written to a consistently high quality, by me. They are designed to mesh together, complementing each other. I maintain them, updating individual policies as and when required and reviewing the entire suite every year or so. We provide them as MS Word documents that you can easily customise. Get in touch for additional policies, procedures or guidelines, or if you need assistance to adapt them to your corporate style. Buy them individually for $20 or take the whole lot for $399, saving over $1200.

Book review: The Consultant's Handbook

Title: The Consultant's Handbook: How to use your expertise to deliver client success and run a profitable business
Author: Andrew Sheves
ISBN: 978-1-7345116-7-3
Price: $15 from Amazon
GH rating: 85%
Summary: Straightforward, straight-talking guidance for busy consultants looking to establish and grow their practice.

Handling ISMS nonconformities reported by audit

A new member of the ISO27k Forum asked how long they have to resolve a minor nonconformity reported by the certification auditors. I didn't know the answer so I looked it up in ISO/IEC 27006. Clause 9.6.3.1 says (in part): "The time allowed to implement corrective action shall be consistent with the severity of the nonconformity and the associated information security risk." Significant risks should be addressed as a priority, whereas minor risks may be addressed 'in due course', perhaps as part of other planned changes or when the opportunity arises. Furthermore, complex issues are bound to take some time to resolve, whereas simple things may be resolved more or less on the spot. I suggested the reported nonconformity should be addressed in the normal way, using the organisation's documented ISMS processes along these lines:

Book review: The Art of Writing Technical Books

Title: The Art of Writing Technical Books
Author: Peter H. Gregory
ISBN: 978-1-957807-49-2
Price: US$15 *
GH rating: 85%
Summary: If you are thinking seriously about writing your first book, Peter's plain-talking guidance slices through the bewildering cloud of choices and issues you face. Working with a literary agent, publisher and assorted experts is an obscure and convoluted process. Peter explains it well.

Two dozen data centre fire controls

Fire is clearly a significant risk to any data centre given that a major incident (disaster!) is reported globally roughly every quarter year on average, plus an unknown number of smaller/unreported ones. Limited public disclosure of data centre fire investigation reports makes it tough, even for experienced professionals, to assess and quantify the risk. However, since the likely impacts and costs of such major incidents are obviously non-trivial and the number of incidents is definitely not zero, it would be negligent to ignore the risks. Controls to avoid, mitigate or share data centre/IT facility fire risks include: Governance and management arrangements taking due account of information risks including physical security aspects when designing and procuring information services such as commercial cloud services and data centre/co-location facilities - which, by the way, don't automatically reduce

Qualitative vs quantitative risk assessment

The risk assessment core of the risk management process involves identifying, analysing and evaluating risks - not to understand or quantify them so much as to inform the subsequent management decisions about how to handle them. Unless those managers who will make the decisions understand, trust, value and ultimately use the information provided by the analysts, risk assessment is a pointless, costly exercise. Providing useful information to support decisions is thus a pragmatic risk assessment objective.

New year sale: security templates

Kick off 2023 with a bang! Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more. Happy new year!