Thursday 30 March 2023

ISO 27001 templates and services on sale


For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks; the Statement of Applicability is where the organisation records which of those controls it has chosen to apply, and why.

The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. 

In short, implementing '27001 is not a simple box-ticking compliance exercise. 

This Easter, we are offering:
  • ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.

Saturday 25 March 2023

Black hawk down ... but not out

I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.

Resilience is not simply: 

  • Being secure
  • Being strong
  • Recovering effectively, efficiently or simply recovering from incidents
  • Avoiding or mitigating incidents
  • Any specific technical approach or system
  • Any particular human response, action or intent
  • A backstop or ultimate control
  • Heroic acts
  • A construct, something we design and build
  • Something that can simply be mandated or demanded
  • Specific to particular circumstances, situations or applications

It's bigger than any of those - in fact bigger than all of them, combined. Resilience is all of those, and more ...

Resilience is:

  • A general concept, a philosophy, a belief
  • An engineering and architectural approach

Tuesday 21 March 2023

Using AI/ML to draft policy

This week, I am preparing a new template for the SecAware policy suite covering the information risks and security, privacy, compliance, assurance and governance arrangements for Artificial Intelligence or Machine Learning systems. With so much ground to cover on this complex, disruptive and rapidly-evolving technology, it is quite a challenge to figure out the key policy matters and express them succinctly in a generic form.

Just for kicks, I set out by asking GPT-4 to draft a policy but, to be frank, it was more hindrance than help. The draft was quite narrowly focused, entirely neglecting several relevant aspects that I feel are important - the information risks arising from the use of commercial AI/ML services by workers, for instance, as opposed to AI/ML systems developed in-house.

The controls it espoused were quite vague and limited in scope, but that's not uncommon in policies. It noted the need for accountability, for instance, but didn't clarify the reasons nor explain how to achieve accountability in practice. It was not pragmatic.

Monday 20 March 2023

Metrics episode 1

Choosing/designing, using and improving metrics can be modeled as a rational process:


A. The starting point is to determine or clarify the ultimate/strategic goals for the area being measured (e.g. information risk and security management), plus any interim/tactical objectives, preferably in business terms. These may already be documented in the form of, for example, the rationale in a business case proposing an ISO/IEC 27001-style Information Security Management System, the mission statement for the Information Risk and Security department/function, and/or the organisation’s information risk management strategies.

B. The information risk and security goals and objectives will often raise questions or imply success/fail criteria. For example, the objective “To comply with applicable legal, regulatory and contractual obligations concerning information security and privacy” raises questions about the nature and number of those obligations, the compliance status, the costs and benefits of compliance (including the risks associated with partial or noncompliance), enablers and barriers to compliance etc. Generally speaking, the questions or criteria relate in some manner to strategic, management or operational decisions, although the relationship is not always direct and obvious. While it may be tempting to try to address all points at once, identifying a smaller number of key questions, criteria or issues may be a more effective approach.

C. The questions and criteria imply the need for information, in other words they can be viewed as the requirements for a suite of information security metrics. Based on the requirements, new metrics can be selected (e.g. from published or private collections of information security metrics, suggested by professional colleagues or discovered by research) or designed from scratch, or existing metrics may be selected and if necessary modified, to generate the requisite information. Selecting or designing suitable metrics involves balancing and comparing various parameters such as their predictive value, relevance to information security, accuracy and net value (benefits less costs).

D. Having selected a number of information security metrics, the next logical step is to start gathering relevant data. ‘Instrumentation’ refers to the process of obtaining data from the organisation’s IT systems, processes and activities, for instance configuring the logging and reporting facilities built into automated systems to send data to collection points for analysis and reporting. For manual procedures, instrumentation involves ensuring that relevant information is recorded routinely.

E. Measurement data may be “pushed” to a collection point, or it may be “pulled” from the sources. Either way, the flows may be periodic and regular, ad hoc (on-demand or sporadic) or some combination, depending on the particular metric. The collection point must collate and store the information in a suitable structure. It must also protect the information to ensure its confidentiality, integrity and availability, as with any information asset.

F. Analysis may be as simple as determining a binary condition (e.g. the presence or absence of a conformity certificate) but is normally a matter of assessing the degree or extent of various parameters (often several in combination) relative to criteria. Statistical methods are commonly applied. Identifying beneficial or adverse trends is another form of analysis, implying historical analysis. The parameters, analyses and criteria may have been explicitly pre-defined as part of step C, but are often left to the discretion of the analysts, working in conjunction with the intended audiences for the metrics, allowing for dynamic changes according to the measurement values, emergent properties and the changing business and security contexts.

G. Reporting or presenting metrics is best viewed as an interactive process in which information is exchanged, considered, interpreted and challenged, generating the motivation to address any issues identified, along with details such as the direction and amount of adjustment needed.

H. The decisions supported by information security metrics are many and varied, as are the actions arising. Decisions relating to the effectiveness and efficiency of the ISMS as a whole, for example, may lead to systematic improvements or changes of approach. 

I. From time to time, the organisation’s information security metrics, along with the associated analysis, reporting and actions arising, should be reviewed to determine whether they are suitable and sufficient. These reviews can happen at several levels, ranging from someone reconsidering the specification of a single security metric up to an organisation-wide review or audit of the information security measurement system as a whole. Deficiencies may lead to fine-tuning of the parameters (such as altering the reporting period for regularly-reported metrics) or changes to the mix of metrics (such as retiring metrics that are no longer of value, and perhaps replacing them with better alternatives).

Sunday 19 March 2023

ISMS support tools (episode 4 of 4)


This final episode in the series about specifying and selecting ISMS support tools/systems concerns the general usability requirements typical of almost any computer system, such as:
  • Intuitive, easy to use;
  • Interoperable;
  • Facilitates customisation where appropriate;
  • Readily maintained;
  • Well supported, documented etc.;

Friday 17 March 2023

ISMS support tools (episode 3 of 4)

So far, I've waffled on about the variety of ISMS support tool types on the market, and about gross differences between ISMS user organisations in terms of industry, size etc.

Next, think about the kinds of things they might expect their ISMS support tools to do. Digging beneath the superficial "support our ISO/IEC 27001 ISMS", organisations may well expect/require the tools to help them with security controls such as:

  • Access rights and permissions;
  • Alerts or alarms;
  • Anti-spam;
  • Antivirus;
  • Assorted security processes;
  • Backups;

Thursday 16 March 2023

ISMS support tools (episode 2 of 4)

Previously I blogged about the bewildering variety of tools, systems and services supporting ISO/IEC 27001 Information Security Management Systems. The tools, in turn, are being used in various ways for various purposes by a bewildering range of organisations.

The ISMS specified by ISO/IEC 27001 is "intended to be applicable to all organizations, regardless of type, size or nature", a deliberately broad scope that takes in:

  • Conventional commercial companies, government agencies and departments, charities and not-for-profits, conglomerates, keiretsu and groups, schools, colleges and universities ...;
  • Organisations of all sizes, micro-to-macro;

Wednesday 15 March 2023

ISMS support tools (episode 1 of 4)


From time to time, members of the ISO27k Forum seek opinions about systems on which to run their ISO/IEC 27001 Information Security Management Systems, anticipating feedback or recommendations for certain products.

Unfortunately, it's not quite that simple!

For starters, the ISMS support systems come in several flavours. Our toolboxes are bulging ...

Supposedly comprehensive ISMS systems

These claim to support every conceivable aspect of information risk and security management, incident management, business continuity, compliance, governance, assurance and more. Whether that reflects a comprehensive architecture and design from the ground up, or a more limited core system on to which various adornments have been tacked over the years (sometimes including functional units from totally different systems and suppliers), is not necessarily obvious until users explore the limits and perhaps fall between the cracks.

More focused ISMS systems

Tuesday 7 March 2023

Preparing managers to be ISO27001 certified

This morning, a new member of the ISO27k Forum asked us some questions about his organisation's upcoming ISO/IEC 27001 certification audit (paraphrased below). 

Since these are commonplace issues, I address them here on SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as how it is managed once it comes into operation.


1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?

That is for the auditor to decide. CEOs are invariably busy people ... but the CEO's non-involvement (even before being asked!) hints at a lack of support or engagement from senior management*. If other senior managers are more willing and able to be interviewed, that should suffice, especially if they subtly or directly confirm that the CEO supports the ISMS, or if the CEO has overtly supported the ISMS (e.g. by personally endorsing or mandating the information security policy). See also Q4 below.


2. Approximately how much time is required for an audit interview?

Friday 3 March 2023

The power of power measurement


Electrical power consumption by a computer cupboard, IT room, tech suite, data centre or facility is one of my favourite [pet!] metrics for several reasons:

  • It is readily measured using a wattmeter, watt-hour meter or ammeter on the main supply line/s (an ammeter reads current only, so multiply by the supply voltage and, for AC loads, allow for power factor to estimate true power);

  • Compared to more technical metrics, power is simple to plot, report, explain and understand;

  • As the installed IT equipment and usage gradually changes, so does the power consumption. It is straightforward to track and predict the overall trends without necessarily measuring and controlling every single item and change; 

  • Step changes in power consumption indicate substantial changes in the IT equipment or usage. Marked decreases are welcome but quite rare (e.g. as older equipment is retired from service or replaced by more modern, energy-efficient stuff), whereas marked increases in consumption - especially if unexpected - may be cause for concern;

  • The first law of thermodynamics tells us that all the input energy has to go somewhere, i.e. it ends up as heat, which is costly to remove, contributes to global warming, increases fire risks and shortens equipment lifetimes.
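The step-change point above can be turned into a small piece of analysis, and it also illustrates steps D to F of the metrics process described in "Metrics episode 1" (instrument the supply meter, collect the daily readings, analyse them for trends and steps). The following is an added example, not SecAware's own code: it assumes a hypothetical server room whose daily kWh readings are the constructed list below (three weeks of steady baseline, then an unexpected +100 kWh/day step, then a drop two weeks later as kit is retired) and flags the day each step occurred, with its size and the extra heat load it implies.

```python
"""Step-change detection over daily IT power readings.

Added example (not SecAware's own code) for the blog's point that marked
step changes in a facility's power consumption signal substantial changes
in IT equipment or usage. All readings below are constructed, not measured.
"""
from statistics import mean

# Constructed daily kWh readings from a hypothetical server-room supply meter:
# three weeks of steady baseline, then an unexpected +100 kWh/day step (new
# kit or new workload), then two weeks later an ~80 kWh/day drop (kit retired).
DAILY_KWH = [
    412, 418, 409, 415, 421, 417, 411,
    414, 419, 413, 416, 420, 412, 415,
    418, 417, 414, 416, 419, 415, 413,
    512, 518, 509, 515, 521, 517, 511,
    514, 519, 513, 516, 520, 512, 515,
    432, 438, 429, 435, 441, 437, 431,
]


def window_deltas(readings, window):
    """For each day i, mean of the `window` readings from day i onward minus
    the mean of the `window` readings before it. Zero where a full window is
    not available on both sides. The statistic peaks on the day a step occurs."""
    n = len(readings)
    deltas = [0.0] * n
    for i in range(window, n - window + 1):
        before = readings[i - window:i]
        after = readings[i:i + window]
        deltas[i] = mean(after) - mean(before)
    return deltas


def detect_step_changes(readings, window=7, threshold_kwh=40.0):
    """Return a list of (day_index, before_mean, after_mean, delta_kwh) for
    each step change larger than `threshold_kwh`.

    A day is reported only if its delta is the largest (in magnitude) of the
    next `window` days, so the ramp of partially overlapping windows leading
    up to a step yields one alert at the step itself rather than several.
    After an alert the scan skips ahead `window` days so the tail of the same
    step is not reported again. Ordinary day-to-day noise stays well below
    the threshold and produces no alerts.
    """
    deltas = window_deltas(readings, window)
    steps = []
    i = window
    while i <= len(readings) - window:
        d = deltas[i]
        peak = max(abs(x) for x in deltas[i:i + window])
        if abs(d) > threshold_kwh and abs(d) >= peak:
            before = mean(readings[i - window:i])
            after = mean(readings[i:i + window])
            steps.append((i, before, after, d))
            i += window
        else:
            i += 1
    return steps


def heat_load_kw(kwh_per_day):
    """Average heat (kW) that cooling must remove for a given daily energy
    use: by the first law, the electrical energy in becomes heat out."""
    return kwh_per_day / 24.0


if __name__ == "__main__":
    for day, before, after, delta in detect_step_changes(DAILY_KWH):
        direction = "increase" if delta > 0 else "decrease"
        print(f"day {day}: {direction} of {abs(delta):.0f} kWh/day "
              f"({before:.0f} -> {after:.0f}), change in heat load "
              f"{heat_load_kw(delta):+.1f} kW")
```

The fixed-window mean difference is deliberately simple: it is easy to explain to a facilities manager and it locates the step to the day. The threshold (40 kWh/day here) is the tuning knob; set it from the observed day-to-day noise of your own meter, and treat any unexpected increase it flags as a prompt to ask what changed, which is exactly the conversation the metric is meant to start.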

In more detail, a high PRAGMATIC score (~77%) indicates that IT power consumption is a valuable metric, well worth considering:

Thursday 2 March 2023

Information risk management, a business imperative

Information risk management is a crucial business issue in the digital age. This piece describes a systematic and proactive approach to information risk management with a healthy dose of pragmatism.

It is obvious that serious incidents such as ransomware can disrupt operations, severely damaging an organisation's reputation, brands and customer trust, threatening its financial stability and longevity ... but that's not all. Even relatively minor incidents can accumulate significant costs over time, starving other important business activities of resources. Given that practically everything depends on information, the starting point is to embed information risk management fully into the organisation's business strategy and routine operations.

Most organisations have basic information security controls in place. However, a strategic approach is less common, while a truly comprehensive business-oriented approach to information risk management remains quite rare. 

Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information including: