A couple of days back , I said I'd offer an example of an 'unnecessary control' in the context of ISO/IEC 27001. So here goes . Picking one at random, I'll lay into  ISO/IEC 27001:2022 control A.5.28 " Collection of evidence ".  The control text reads " The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events ". How can anyone possibly justify excluding such an eminently sensible control from their ISO27001  I nformation S ecurity M anagement S ystem? Reading and interpreting that control literally, word-by-word, one could certainly argue that:

With an ISO/IEC 27001 I nformation S ecurity M anagement S ystem, the choice of information security controls is almost * entirely a matter for the organisation's management, according to their assessment of the organisation's information risks.  The overall information risk management process is straightforward: Identify risks affecting the organisation's information. Explore the risks, quantifying them in some way. Decide what, if anything to do about the risks (avoid, mitigate, share or accept). Do it! Monitor for and deal with changes to the risks, their evaluation and treatment etc . 

As anticipated, the I nternational A ccreditation F orum has published updated guidance on the transition arrangements for certification of organisations against ISO/IEC 27001:2022 , the new third edition of the standard released in October . There are several possibilities under various circumstances (as I understand it*) ... 1) Organisations that are already certified to ISO/IEC 27001:2013 (or to equivalent national translations of that old 2013 edition of the standard) have about three years to move to the  new 2022 edition . Meanwhile, surveillance audits can use either edition of the standard, whichever the organisation chooses to use. 2) Organisations currently preparing to be certified prior to June 2023 can choose either edition:

While waiting impatiently for today's stormy NZ weather to subside so I can get outside and survey the damage, I spent a productive few hours writing-up a pair of recent consultancy assignments as case studies for  the SecAware website . < The first case study concerns helping a US tech support company to regain its ISO 27001 certification by rebuilding its failed ISMS. Officially, the assignment was simply an ISMS internal audit. In practice, it involved some lightweight mentoring and support for a capable CISO. T he second case study concerns consultancy support for a 6-month ISMS implementation project for an innovative NZ agritech company > Again, although the centrepiece of the assignment was an ISMS management review, it involved gently mentoring and guiding the project managers (two contractors) and providing assurance for the client's senior management - plus stress-reduction when both contractors departed shortly before certification.

Additionally, management should ensure that everyone adequately secures information in practice, which involves: Establishing clear policies and procedures for information security; Allocating the associated resources and priorities to 'make it so';  Providing frequent security awareness updates for everyone, partly as a reminder of the obligations, partly to keep up with current threats, vulnerabilities and impacts; Training specialists in particular areas ranging from basic hygiene to advanced security controls, incident management and forensics; Finally, organizations should monitor the effectiveness of their information risk and security management practices and the security posture using assurance measures such as risk assessments, security control tests and audits to ensure that things are working as intended. In conclusion, a pragmatic approach to information risk and security management is essential for organizations in today's complex and rapidly changing technolog...

In part 1, I discussed BIA/BCM as a means to focus on the organisation's most important information. The next step in the pragmatic IRM approach is to explore examine risks affecting that information. An appreciaiton of  the importance of various information risks to the business is key to determining which information security controls might be 'essential', 'necessary' (the ISO27k term), 'important', 'appropriate', 'optional', 'unnecessary' or 'inappropriate'. 

As IT becomes increasingly complex, as the threat landscape becomes ever more sinister, and as we have grown critically dependent on information, a pragmatic approach to managing information risks and security becomes not just valuable but vital.  It's existential - a matter of survival. The pragmatic approach involves adopting a realistic and practical perspective when identifying, evaluating and deciding how to address information risks, balancing the need for protection against maintaining smooth business operations.