Friday 30 June 2023

Reading between the lines of ISO27001 (L O N G)

ISO/IEC 27001 is a succinct, formally-worded standard for two key reasons:

  1. It is deliberately generic, being applicable to all manner of organisations regardless of differences in location/s, size, industry, maturity, structure, information risk and security status ... and so on. In effect, it specifies the lowest common denominator - the things that ALL organisations should be doing to manage their information security controls, as a minimum. The hurdle is set low enough that every organisation ought to find value in designing, implementing and operating an Information Security Management System as laid out in the standard.

  2. It is a certifiable standard, explicitly specifying the characteristics that every certified organisation's ISMS is expected to have. Again, it is a minimal specification with no concept of typical, average or maximum security: that is entirely down to the organisations themselves to determine, following the information risk management processes minimally defined in the standard.

There are many things the standard does not specify at all, or at least not in detail. For example, here is clause 6.3 (new to ISO/IEC 27001:2022):

6.3 Planning of changes

When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

That's it: the entire specified requirement consists of a 3-word heading and a single 24-word sentence.

Oh boy.

Let's explore that one example in more detail - a deep dive into interpreting the precise language of the standard [dons lawyer's flash suit and all-knowing smirk] ...

Thursday 22 June 2023

ISO/IEC 27001 and the other ISO27k standards

ISO/IEC 27001 is an international standard specifying the requirements for Information Security Management Systems, in a succinct, formalized style that makes the standard amenable to conformity auditing and certification. The standard is generic and hence can be applied to all types and sizes of organization, in any industry, anywhere in the world.

A ‘management system’ is described by ISO as “the way in which an organization manages the interrelated parts of its business in order to achieve its objectives.” The approach is designed to feed managers the information they need to oversee, and the governance/management levers necessary to direct, the organization’s activities. As such, the standard stops short of mandating specific information security controls, leaving that to management’s discretion according to its determination of the organization’s information risks.

ISO’s standardized approach is common across its management systems standards such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 22301 (business continuity).

Tuesday 20 June 2023

Security control categories and attributes

On LinkedIn this morning, Morten Ingvard asked:

"As part of updating and reshaping some parts of our information security management system (ISMS), I'm not convinced that the new categorization of controls in ISO/IEC 27002:2022 (Organizational, people, physical and technical) is the best suit for our organization to rationally identify relevant controls for their work. I understand there is an increased focus on the use of attribution - so controls can be selected based on different perspectives, but I want to have a "default view" that the organization can read and understand, and currently, I'm strongly considering sticking with a categorization structure looking more like the older 2013 version in ISO/IEC 27001."

Here's my response to Morten:

"The categories are primarily a convenient way to sequence the controls in the standard. It was the 'default view' selected by ISO/IEC JTC1/SC27.

Wednesday 14 June 2023

CIS controls

Introduction

GAISP and GASSP

"The CIS Critical Security Controls® (CIS Controls®) started as a simple grassroots activity to identify the most common and important real-world cyber-attacks that affect enterprises every day, translate that knowledge and experience into positive, constructive action for defenders, and then share that information with a wider audience. The original goals were modest—to help people and enterprises focus their attention and get started on the most important steps to defend themselves from the attacks that really mattered."

[CIS Critical Security Controls v8]

The CIS controls

  1. Inventory and control of enterprise assets:

  2. Inventory and control of software assets:

  3. Data protection:

  4. Secure configuration of enterprise assets and software:

  5. Account management:

Tuesday 13 June 2023

Squeezing more value from certification audits

Finding weaknesses/concerns and improvement opportunities in the organisation's information risk, security and related arrangements is a valid and potentially valuable outcome of an ISO/IEC 27001 certification audit. Arguably, however, that is what the management reviews and internal audits are supposed to achieve.

Certification auditing is primarily intended to provide assurance for the organisation and third parties that the organisation has correctly interpreted and implemented the standard, a specific key objective.

One way to resolve this conundrum is for certification auditors to distinguish:

  1. "Major nonconformities" - demonstrable and substantial failures to fulfil any of the mandatory requirements of 27001; from

  2. "Minor nonconformities" - insubstantial failures and/or failures against the discretionary requirements of 27001; and

  3. "Observations" - anything else noted in the audit that the auditor believes is worth bringing to management's attention.

Of those three, only majors are grounds for refusing to issue the certificate.

Friday 9 June 2023

More about my information risk management book

As the book's author, I determine what to write about (or not) and how best to express it. Thinking about that led me to clarify my objectives, penning this for the introductory chapter:

"I intend to provide the information, tools/techniques and impetus to:

  • Change the way you think about information risk;

  • Help you make better management decisions – ‘better’ in the specific sense of ‘more appropriate for your organisation, more likely to achieve the associated objectives’;

  • Motivate you to do things more rationally, sensibly, effectively and efficiently, making best use of the available resources, not least your own cognitive abilities and valuable time;

  • Encourage you to think about what is going on around you in risk management terms, in particular spotting creative opportunities as well as risks, seeing ‘security’ and ‘controls’ as just one way to tackle the myriad situations before you."


Risk quantification - other factors (UPDATED)

The conventional focus of risk analysis is to examine the probability of incidents occurring, and their likely impacts if they do - and fair enough, those are obviously key factors ... but not the only ones. Additional factors to consider include:

  • Quality of information and analysis: risks that are commonplace and conventional are generally better understood than those which are novel or rare (such as AI risks, right now);

  • Volatility: if the threats, vulnerabilities and business are reasonably stable, the risks are more easily determined/predicted than if they are volatile, changing unpredictably;

  • Complexity: ugly, horrendously complicated risks are more likely to involve unrecognised interactions;

Thursday 8 June 2023

Order from chaos from order

Towards the end of last year, I wrote a series of blog entries expanding on 20 terms of art, mostly for fun, partly for education, and partly as an exercise in creative thinking ... and today I'm doing it again.

As a recap, here are the original 20:

  1. Accountability is ...
  2. Assurance is ...
  3. Audit is ...
  4. Authorisation is ...
  5. Control is ...
  6. Cyber is ...
  7. Fragility is ...
  8. Governance is ...
  9. Impact is ...
  10. Information is ...
  11. ISO27k is ...
  12. Oversight is ...
  13. Resilience is ...
  14. Responsibility is ...
  15. Risk is ...
  16. Security is ...
  17. System is ...
  18. Threat is ...
  19. Trust is ...
  20. Vulnerability is ...

Today, I'm nose-to-the-grindstone, writing my book on information risk management, doing my best to 'tell a good story'. I'm trying to make sense of the jumble of concepts and thoughts in my head, hopefully expressing things clearly enough for readers to understand and be inspired to think and do things differently. It's hard work!

Just because the book is non-fiction doesn't stop it being creative, so I've returned to the listing technique I used last year, elaborating on it a little. The revised process is:

Friday 2 June 2023

A round dozen risk treatment options

I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks:

  1. Acceptance: living with the risk, hoping that it doesn't materialise;

  2. Avoidance: steering well clear of, or stopping, risky activities;

  3. Mitigation: reducing the probability and/or impact of incidents using various types of control;

  4. Sharing: with others, such as business partners, insurers and communities.

However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary:

  5. Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective