Posts

Showing posts from June, 2023

Reading between the lines of ISO27001 [L O N G]

ISO/IEC 27001 is a succinct, formally-worded standard for two key reasons: It is deliberately generic, being applicable to all manner of organisations regardless of differences in location/s, size, industry, maturity, structure, information risk and security status ... and so on. In effect, it specifies the lowest common denominator - the things that ALL organisations should be doing to manage their information security controls, as a minimum. The hurdle is set low enough that every organisation ought to find value in designing, implementing and operating an Information Security Management System as laid out in the standard. It is a certifiable standard, explicitly specifying the characteristics that every certified organisation's ISMS is expected to have. Again, it is a minimal specification with no concept of typical, average or maximum security: that is entirely down to the organisations themselves to determine, following the information risk management processes minimally de...

ISO/IEC 27001 and the other ISO27k standards

ISO/IEC 27001 is an international standard specifying the requirements for Information Security Management Systems, in a succinct, formalized style that makes the standard amenable to conformity auditing and certification. The standard is generic and hence can be applied to all types and sizes of organization, in any industry, anywhere in the world. A ‘management system’ is described by ISO as “the way in which an organization manages the interrelated parts of its business in order to achieve its objectives.” The approach is designed to feed managers the information they need to oversee, and the governance/management levers necessary to direct, the organization’s activities. As such, the standard stops short of mandating specific information security controls, leaving that to management’s discretion according to its determination of the organization’s information risks. ISO’s standardized approach is common across its management systems standards such as ISO 9001 (quality management)...

Security control categories and attributes

On LinkedIn this morning, Morten Ingvard asked: "As part of updating and reshaping some parts of our information security management system (ISMS), I'm not convinced that the new categorization of controls in ISO/IEC 27002:2022 (Organizational, people, physical and technical), is the best suit for our organization to rationally identify relevant controls for their work. I understand there is an increased focus on the use of attribution - so controls can be selected based on different perspectives, but I want to have a "default view" that the organization can read and understand, and currently, I'm strongly considering sticking with a categorization structure looking more like the older 2013-version in ISO/IEC 27001." Here's my response to Morten: "The categories are primarily a convenient way to sequence the controls in the standard. It was the 'default view' selected by ISO/IEC JTC1/SC27.

Squeezing more value from certification audits

Finding weaknesses/concerns and improvement opportunities in the organisation's information risk, security and related arrangements is a valid and potentially valuable outcome of an ISO/IEC 27001 certification audit. Arguably, however, that is what the management reviews and internal audits are supposed to achieve. Certification auditing is primarily intended to provide assurance for the organisation and third parties that the organisation has correctly interpreted and implemented the standard, a specific key objective. One way to resolve this conundrum is for certification auditors to distinguish: "Major nonconformities" - demonstrable and substantial failures to fulfil any of the mandatory requirements of 27001; from "Minor nonconformities" - insubstantial failures and/or failures against the discretionary requirements of 27001; and "Observations" - anything else noted in the audit that the auditor believes is worth bringing to management...

Risk quantification - other factors (UPDATED)

The conventional focus of risk analysis is to examine the probability of incidents occurring, and their likely impacts if they do - and fair enough, those are obviously key factors ... but not the only ones. Additional factors to consider include: Quality of information and analysis: risks that are commonplace and conventional are generally better understood than those which are novel or rare (such as AI risks, right now); Volatility: if the threats, vulnerabilities and business are reasonably stable, the risks are more easily determined/predicted than if they are volatile, changing unpredictably; Complexity: ugly, horrendously complicated risks are more likely to involve unrecognised interactions;

Order from chaos from order

Towards the end of last year, I wrote a series of blog entries expanding on 20 terms of art, mostly for fun, partly for education, and partly as an exercise in creative thinking ... and today I'm doing it again. As a recap, here are the original 20: Accountability is ... Assurance is ... Audit is ... Authorisation is ... Control is ... Cyber is ... Fragility is ... Governance is ... Impact is ... Information is ... ISO27k is ... Oversight is ... Resilience is ... Responsibility is ... Risk is ... Security is ... System is ... Threat is ... Trust is ... Vulnerability is ... Today, I'm nose-to-the-grindstone, writing my book on information risk management, doing my best to 'tell a good story'. I'm trying to make sense of the jumble of concepts and thoughts in my head, hopefully expressing things clearly enough for readers to understand and be inspired to think and do things di...

A round dozen risk treatment options

I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks: Acceptance: living with the risk, hoping that it doesn't materialise; Avoidance: steering well clear of, or stopping, risky activities; Mitigation: reducing the probability and/or impact of incidents using various types of control; Sharing: with others, such as business partners, insurers and communities. However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary: Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective