Saturday 28 January 2023

Why get ISO 27001 certified?

If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management. 

Fantastic!

The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties.

Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls (technological, physical, procedural and others). With appropriate controls in place, incidents become less frequent and are identified and resolved sooner, causing less disruptive and costly consequences. Appropriate security metrics, reviews and audits enable management to direct corporate resources effectively, gaining confidence in the organisation's ability to handle information risks.

AI/ML risks and opportunities

I am currently researching topics such as 'information risk management' and 'risk treatment', using Google as usual and comparing it against ChatGPT to see how it fares. 

Many of the pages suggested by Google are either too superficial or (to varying extents) factually incorrect, biased or misguided, hence are of little to no value - in my personal opinion anyway, knowing that I am naturally subject to confirmation bias and others. Roughly three quarters of the pieces offered by Google are not worth opening, and a fair proportion of the remaining quarter are superficial marketing collateral (a.k.a. tripe).

If AI/ML robots such as ChatGPT simply suck up, blend and spew out such information indiscriminately in generating their outputs, regardless of the quality of their sources, they are likely to present and further the prevailing opinions, feeding the mindless group-think that spreads misinformation, conspiracy theories and so on, not just tripe.

This situation highlights, for me, three key things:
  1. Critical thinking (such as thoroughly researching, sifting through, considering, evaluating and validating information before drawing conclusions and making significant decisions based upon it) is an extremely important skill for this information age, one that large sections of the population apparently lack, hinting at a widespread systemic failure of our educational systems.

  2. The true knowledge, expertise, credibility and personal integrity of authors (both people and robots!) is unfortunately of limited value given the previous point. It doesn't really matter to most readers, particularly those who don't even consider it.
2 more topic-specific information security policies

We have just completed and released another two information security policy templates through SecAware.com.

The latest additions are security policy templates on:

The full SecAware policy suite now has 83 templates:
They were all researched and written to a consistently high quality, by me. They are designed to mesh together, complementing each other. I maintain them, updating individual policies as and when required and reviewing the entire suite every year or so. 

We provide them as MS Word documents that you can easily customise. Get in touch for additional policies, procedures or guidelines, or if you need assistance to adapt them to your corporate style. 

Buy them individually for $20 or take the whole lot for $399, saving over $1200.

Monday 23 January 2023

Book review: The Consultant's Handbook

Title: The Consultant's Handbook: How to use your expertise to deliver client success and run a profitable business

Author: Andrew Sheves

ISBN: 978-1-7345116-7-3

Price: $15 from Amazon

GH rating: 85%


Summary

Straightforward, straight-talking guidance for busy consultants looking to establish and grow their practice.  

Sunday 22 January 2023

Book review: template


Title:

Author:

ISBN:

Price:

GH rating: %


Summary


Pros


Cons


Value



Purchase from Barnes & Noble

Saturday 21 January 2023

Handling ISMS nonconformities reported by audit

A new member of the ISO27k Forum asked how long they have to resolve a minor nonconformity reported by the certification auditors.

I didn't know the answer so I looked it up in ISO/IEC 27006. Clause 9.6.3.1 says (in part):

"The time allowed to implement corrective action shall be consistent with the severity of the nonconformity and the associated information security risk."

Significant risks should be addressed as a priority, whereas minor risks may be addressed 'in due course', perhaps as part of other planned changes or when the opportunity arises. Furthermore, complex issues are bound to take some time to resolve, whereas simple things may be resolved more or less on the spot.

I suggested the reported nonconformity should be addressed in the normal way, using the organisation's documented ISMS processes along these lines:

Thursday 19 January 2023

Book review: The Art of Writing Technical Books


Title: The Art of Writing Technical Books

Author: Peter H. Gregory

ISBN: 978-1-957807-49-2

Price: US$15

GH rating: 85%


Summary

If you are thinking seriously about writing your first book, Peter's plain-talking guidance slices through the bewildering cloud of choices and issues you face. Working with a literary agent, publisher and assorted experts is an obscure and convoluted process. Peter explains it well.

Tuesday 10 January 2023

Two dozen data centre fire controls


Fire is clearly a significant risk to any data centre, given that a major incident (a disaster!) is reported globally roughly once a quarter on average, plus an unknown number of smaller or unreported ones. Limited public disclosure of data centre fire investigation reports makes it tough, even for experienced professionals, to assess and quantify the risk. However, since the likely impacts and costs of such major incidents are obviously non-trivial and the number of incidents is definitely not zero, it would be negligent to ignore the risks.

Controls to avoid, mitigate or share data centre/IT facility fire risks include:
  1. Governance and management arrangements taking due account of information risks including physical security aspects when designing and procuring information services such as commercial cloud services and data centre/co-location facilities - which, by the way, don't automatically reduce

Thursday 5 January 2023

Qualitative vs quantitative risk assessment


The risk assessment core of the risk management process involves identifying, analysing and evaluating risks - not so much to understand or quantify them as to inform the subsequent management decisions about how to handle them.

Unless those managers who will make the decisions understand, trust, value and ultimately use the information provided by the analysts, risk assessment is a pointless, costly exercise. Providing useful information to support decisions is thus a pragmatic risk assessment objective.

Tuesday 3 January 2023

New year sale: security templates

Kick-off 2023 with a bang!  

Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more.

Happy new year!