- ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.
Thursday 30 March 2023
ISO 27001 templates and services on sale
Saturday 25 March 2023
Black hawk down ... but not out
I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.
Resilience is not simply:
- Being secure
- Being strong
- Recovering effectively, efficiently or simply recovering from incidents
- Avoiding or mitigating incidents
- Any specific technical approach or system
- Any particular human response, action or intent
- A backstop or ultimate control
- Heroic acts
- A construct, something we design and build
- Something that can simply be mandated or demanded
- Specific to particular circumstances, situations or applications
- A general concept, a philosophy, a belief
- An engineering and architectural approach
Tuesday 21 March 2023
Using AI/ML to draft policy
Monday 20 March 2023
Metrics episode 1
Sunday 19 March 2023
ISMS support tools (episode 4 of 4)
- Intuitive, easy to use;
- Interoperable;
- Facilitates customisation where appropriate;
- Readily maintained;
- Well supported, documented etc.;
Friday 17 March 2023
ISMS support tools (episode 3 of 4)
So far, I've waffled on about the variety of ISMS support tool types on the market, and about gross differences between ISMS user organisations in terms of industry, size etc.
Next, think about the kinds of things they might expect their ISMS support tools to do. Digging beneath the superficial "support our ISO/IEC 27001 ISMS", organizations may well expect/require the tools to help them with security controls such as:
- Access rights and permissions;
- Alerts or alarms;
- Anti-spam;
- Antivirus;
- Assorted security processes;
- Backups;
Thursday 16 March 2023
ISMS support tools (episode 2 of 4)
- Conventional commercial companies, government agencies and departments, charities and not-for-profits, conglomerates, keiretsu and groups, schools, colleges and universities ...;
- Organisations of all sizes, micro-to-macro;
Wednesday 15 March 2023
ISMS support tools (episode 1 of 4)
Unfortunately, it's not quite that simple!
Supposedly comprehensive ISMS systems
More focused ISMS systems
Tuesday 7 March 2023
Preparing managers to be ISO27001 certified
Since these are commonplace issues, I address them here on the SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as for how it is managed once it comes into operation.
1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?
Friday 3 March 2023
The power of power measurement
Electrical power consumption by a computer cupboard, IT room, tech suite, data centre or facility is one of my favourite [pet!] metrics for several reasons:
- It is readily measured using a wattmeter, watt-hour meter or ammeter on the main supply line/s;
- Compared to more technical metrics, power is simple to plot, report, explain and understand;
- As the installed IT equipment and usage gradually changes, so does the power consumption. It is straightforward to track and predict the overall trends without necessarily measuring and controlling every single item and change;
- Step changes in power consumption indicate substantial changes in the IT equipment or usage. Marked decreases are welcome but quite rare (e.g. as older equipment is retired from service or replaced by more modern, energy-efficient stuff), whereas marked increases in consumption - especially if unexpected - may be cause for concern;
- The first law of thermodynamics tells us that all the input energy has to go somewhere, i.e. heat, which can be costly to remove, contributes to global warming, increases fire risks and decreases equipment lifetimes.
In more detail, a high PRAGMATIC score (~77%) indicates that IT power consumption is a valuable metric, well worth considering:
Thursday 2 March 2023
Information risk management, a business imperative
Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information including: