Posts

Showing posts from 2024

Philosophical phriday - ISO27k in a nutshell

Inspired by these pizza baking instructions, I thought I'd have a go at condensing an entire ISO/IEC 27001 implementation project to its absolute fundamentals. So here goes ...

Philosophical phriday - in/excluding Annex A controls

In a discussion thread on the ISO27k Forum about selecting appropriate information security controls, a member told us: "As far as software development is concerned, we really need the controls A8.25 and following". I queried that determination, guessing their thought process may have been along these lines:
1. We do software development.
2. Controls A8.25+ concern software development.
3. Therefore, for conformity with ISO/IEC 27001, controls A8.25+ are applicable and cannot be excluded.
#3 is patently a false conclusion, a logical error. The Annex A controls are not formally required for conformity with the standard. They are not mandatory - none of them, not one. If you believe otherwise, kindly explain which specific clause from ISO/IEC 27001 contains that explicit requirement because, despite hunting high and low over many years, and despite numerous claims from so-called experts in the field, I simply can't find it. There is, however, a formal req...

Specifying and selecting an ISO 27001 ISMS support tool

Implementing and using an ISO/IEC 27001 Information Security Management System can be tricky, especially given limited resources or in complex or dynamic business and technology environments. While largely-manual approaches may suffice for small, simple, stable organisations, dedicated ISMS support tools (computer applications and cloud services) are well worth considering. With dozens of ISMS tools on the market, the obvious question is which to choose. Here are some commonplace requirements or factors to consider:
- Support information risk identification, evaluation, treatment and monitoring, of course.
- Support compliance/conformity with applicable standards, regs, laws and contractual obligations.
- Interoperable with existing systems/processes for asset management, risk management, business continuity management, incident management, vulnerability scanning, anti-malware etc.
- Support the identification, investigation and resolution of security incidents.
- Supp...

Philosophical phriday - recovering from ransomware takes HOW long?!

Recovering from a ransomware incident is costlier, more complicated and much slower than people commonly assume. "Just restore the backups and you're good to go, right?". Spoiler alert: restoring networks and IT systems from backups is only a fraction of this. Here's a reasonably complete set of ransomware recovery activities that would normally be led by general business and IT managers:
- Wake up and smell the coffee!
- Deal with the unfolding crisis and a degree of confusion.
- Invoke the crisis management process.
- Settle things down.
- Assemble the business incident management team.
- Invoke the incident management process.
- Form the IT incident management team.
- Contact insurers, law enforcement and security experts for guidance.

Information risk management - a worked example [LONG]

In the past few days, I have been triggered yet again by someone fearing that ISO/IEC 27001 certification auditors may insist that various Annex A controls are applicable and must therefore be implemented for conformity. Apocryphal nightmares about auditors doing exactly that tend to stoke the fear and prolong the myth. Myth, yes, myth. I've said it before and no doubt I'll say it again: the Annex A information security controls are not formally required for conformity with the standard - none of them, not even one. If you or your auditors believe otherwise, kindly tell us which clause of the standard applies. What are the exact words leading to that conclusion? Spoiler alert: there are none. There is no such requirement. IT DOES NOT EXIST. There is, however, a conformity requirement to check through Annex A for any controls that might reduce otherwise untreated information risks, but even then there is no (repeat, no) obligation to implement the controls as stated in A...

Philosophical phriday - anticipation vs. prediction

There is a growing appreciation, perhaps even consensus in the field that information risk management - or indeed risk management in general - is not simply a matter of predicting or controlling the future, at least not in a rational and deterministic manner. Given that the future is inherently complex and uncertain (= risky!), the best we can reasonably hope for is to reduce somewhat the number and negative impacts of disruptive events and incidents, while simultaneously hopefully increasing the chances and value of positive, beneficial outcomes. Both objectives are asymptotic: the effort and investment required to progress increase exponentially as we get ever closer to those two goals, ultimately putting them both beyond our means given finite resources (oh and one or two other things to pour our money into!). In other words, despite our best intentions, we know we are doomed to fail at some point. That's not merely a pessimistic outlook: I'm an optimist by nature. In this c...

Philosophical phriday - deceptive deception

Truly effective deception isn't even recognised as such - it passes completely unnoticed. There is no shortage of now-recognised examples that the deceived didn't spot at the time and maybe still haven't noticed. Here's a sample:
- A stick insect appears to a predator to be an inedible stick, not a tasty insect
- Spotted from an enemy's reconnaissance biplane, an inflatable tank or field gun may appear solid, a credible threat at least
- While an accomplice distracts a resident by knocking at the front door on a pretext, the cunning thief slips around the back
- Phishers emulate the look and feel of legitimate emails, senders and websites to dupe victims into visiting and disclosing their credentials, using spurious urgency to shortcut or bypass checks, specific timing and wording, and sheer volume to exploit the off-guard vulnerables

Philosophical phriday - strategic risk management (LONG)

Recently I enjoyed a lecture by a bank's economist to local business leaders concerning the NZ economy. Observing the blizzard of graphs, I was struck by his short timeline, stretching to about a couple of years ahead. Now I'm sure the economist is earning his crust at the bank. Of course they need to keep on top of day-to-day and month-to-month fluctuations in the economic parameters, playing the markets. Equally, I'm sure the bank has other experts with a longer-term outlook, diligently modelling the implications of national and global issues including political, social, environmental and technological, for many years or decades ahead - for at least as long as the bank's mortgages and business loan periods anyway. Nevertheless, that prompted me to think about planning horizons in information risk and security management, within the broader context of budgeting and investment management in any commercial organisation - a pertinent topic as we plummet towards the new c...

Philosophical phriday - objectives of desire

Objectives are king. If strategy is the organisational or personal journey ahead, we must truly understand our objectives to move ahead confidently in the right direction, systematically measuring progress towards those objectives. If the objectives are uncertain, well, any path will do, and our measures are largely pointless: we may know how far we've come and how much fuel we've consumed so far but we're not sure how much further we need to go, nor in what direction and at what speed. That's sub-optimal. So far so good. But what if the objectives are hidden, in conflict, or not what they seem? There are clearly potential problems with objective-led approaches - a little seething cluster of problems in fact. So, then, it seems objectives have objectives.

Philosophical phriday - cybersecurity awareness month

We should congratulate and support colleagues around the world who have conceived, organised and promoted creative events for October's cybersecurity awareness month. Seriously, well done all of you. Thank you for your energy and efforts. Thank you for caring. Thank you for doing your bits. Thank you for taking time out of whatever else you were doing, perhaps even allocating some of your budget towards this. I am being 100% genuine here: this is not a sarcastic piece. I am truly grateful.

Directors as kaumātua

The Institute of Directors has just released their Code of Conduct for Directors, promoting six principles: Leading by example. Integrity. Transparency. Accountability. Fairness. Responsible business. So far, so good ... although somehow I feel there's something missing. But what?

Philosophical phriday - a noncompliance ramble

In a previous philosophical phriday post, I moaned about vendors of security compliance support/management tools and services over-promising and under-delivering - an admittedly biased, even cynical opinion piece about the compliance imperative. A recent article in Corporate Compliance Insights notes that "CISOs are not just defenders against cyber threats but also champions of compliance and operational resilience". Hmmm, are CISOs 'compliance champs', really? Today, I'm discussing alternatives to being compliance-driven. How else can organisations drive their information risk, security and related concerns in a positive direction?

Sunday versions - more AI-musing content

Today I asked Google's Gemini to rewrite yesterday's blog piece "in the style of a naive student of IT": "Hey guys, so I was thinking about this weird thing that happens online. People get really mad about stuff, like really mad. They all start yelling at each other and saying the same things over and over again. It's like a big echo chamber, and it gets out of control. For example, there was this time people were freaking out about 5G towers. They thought it was going to hurt people, but scientists said it was totally safe. But the people who were mad kept saying it was bad, and they got other people to believe them too. It was crazy! When people get really mad like that, it's hard to talk to them. They don't want to listen to anything else, and they just keep shouting. It's like a big fight, and it can make things worse. So, what can we do about this? Well, one thing is to just wait for people to calm down. Sometimes, if we let them vent f...

Saturday version - AI-generated content

For kicks, I prompted Google's Gemini AI robot to rewrite yesterday's blog piece "in the style of a professor or university lecturer". This is wot it rote me: A fundamental challenge in contemporary society is the phenomenon of outrage, wherein groups of individuals exhibit disproportionate emotional responses to perceived threats or injustices. This often manifests in the form of echo chambers on social media, where like-minded individuals amplify and reinforce each other's concerns. Such amplification can rapidly escalate emotions to unreasonable levels, hindering rational discourse and critical thinking. Consider, for example, the contentious issue of 5G cell tower placement near schools. Outraged individuals may perceive this as a grave threat to public health, accusing authorities, scientists, and industry leaders of callousness and disregard for their concerns. The perceived risk is often amplified through groupthink, leading to a sense of collective out...

Philosophical phriday - countering outrageous misinformation

For decades, I have appreciated Peter Sandman's approach to outrage - the social phenomenon in which groups of people react strongly to some perceived threat, issue, concern or whatever, drawing-in other like-minded individuals via social media. The echo chamber (positive feedback loop) can rapidly escalate emotions to an unreasonable degree with a lack of reasoned, critical thinking - according to those allegedly responsible for the issue anyway. In the case of, say, the placing of 5G cell towers in/near schools, the outraged can become furious that the risk (as they see it) is being 'callously ignored' by the equipment suppliers, site developers, authorities and scientists, and enraged that they are 'not being taken seriously'. From their perspective, thanks to groupthink (social endorsement), the perceived risks are portrayed and understood to be deadly serious. Leaders within the outraged community gain notoriety, influence and p...

Define: ironic


Accreditation vs certification

First, two definitions: "Certification" is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ... "Accreditation" is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the a...

Crowdstrike - remember that?

The last of a dozen learning points I made in a post-incident review of the Crowdstrike incident was: "Unless changes are actually made as a result of an incident, the uncertainties (risks) remain. We have missed out on a valid learning and improvement opportunity." Although I accept that nobody is obliged to learn from incidents, make changes or improve, the Crowdstrike incident was Big News when it occurred back in July, and here we are in October. So it's fair to ask what - if anything - are we doing differently now? [I'm using Crowdstrike here simply as a well-known example. Even if the Crowdstrike incident had no material impacts on your organisation, you have undoubtedly suffered various incidents, possibly something serious or critical. As you read on, by all means substitute some other significant recent incident in place of "Crowdstrike" if that helps you relate to this piece.]  A cyberattack can be a devastating event for any organization. It'...

Philosophical phriday - a certain amount of uncertainty

Risk and security professionals typically believe that a company's risk tolerance or risk appetite determines whether risks are or are not acceptable. However, they seldom define the terms which are used loosely and interchangeably in practice. So what are they? If you accept (as I previously asserted in this place) that risk is uncertainty, risk tolerance implies a willingness to tolerate or put up with a certain amount of uncertainty, while risk appetite suggests a desire for a certain amount of uncertainty. OK so far, but what is 'a certain amount of uncertainty'? That seems paradoxical.

Philosophical phriday - dealing with uncertainty

Lately I've been pondering the thought that 'risk' is 'uncertainty' - it's not simply that risky decisions and activities involve some element of doubt, that they might work out extremely well or go horribly wrong, but that the lack of certainty is itself a critical factor. As well as the rational mathematical basis in probability theory and statistics, there is also an emotional aspect to uncertainty. It affects the way we perceive, prepare for and address issues. It affects our planning and capability. It can be debilitating, resulting in indecision and delay even though that may make things even worse: sometimes, it is better to make a decision now (despite the uncertainties) and press ahead in the belief that we will cope with whatever eventuates. Conversely, it may be better to delay a decision and hold back while gathering more information, building resources, preparing and aligning those involved, and considering various eventualities. Uncertainty ha...