Systematically improving professional services

My beady eye has been caught by another excellent thought-provoking Protiviti article by Jim DeLoach with Randy Armknecht concerning board-level blind spots.

I highly recommend reading and contemplating Are There Blind Spots in Your Boardroom?

Jim and Randy offered ten practical suggestions for boards to address the issue. Here they are with my thoughts and ideas on how to apply them in other contexts, besides the boardroom, such as within the information risk and security management team for example:

1. Assess whether current board culture, composition and agendas are fit for purpose in the current disruptive business environment.
   
   
   Assess the current team culture, composition, priorities, skills & competences, expertise, relationships, interests etc. with a view towards the future. How should the team evolve or adapt to changing circumstances, building on past successes and learning from failures?

Measuring and managing ethics

KPMG's Soft Controls model caught my beady eye this week:

KPMG are evidently using these 8 factors to analyse, measure and help clients manage their corporate cultures, claiming that "Our model gives organisations a valid tool for getting a clear picture of the current organisational situation, confront it, and break through the silence and passivity." Hmmm, 'silence and passivity', really KPMG? Well OK, whatever. It appears to be a viable approach.

An evolutionary revolution?

"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Pragmatic ISMS implementation guide (free!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:

• 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:
  
  
• These changes are mostly minor aside from the new section 6.3 on ISMS changes.

Knit your own security metrics

This morning on the ISO27k forum, Vurendar told us: 

"I saw your pragmatic book but I was confused on the way criteria and no’s were assigned. If you could guide will really help.  I’m doing a RBI Based compliance assessment where regulator has asked for such metrics. Help would be really appreciated."  

Here's my reply. 

For guidance on choosing which metrics to take a look at and maybe score, I recommend Lance Hayden's book "IT Security Metrics" which describes the Goal-Question-Metric approach. 

A nightmare on DR street

A provocative piece on LinkeDin by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.

ISMS implementation project guidance checklist

This checklist will be appended to a new SecAware guideline on implementing an ISMS, elaborating clause-by-clause on ISO/IEC 27001 - essentially, our version of ISO/IEC 27003.  It offers pragmatic guidance for information security managers and CISOs - nothing too obscure or complex.

---oooOOOooo---

Project definition, justification, scoping and planning

⬚  Study the standards, in depth: complete lead implementer training if possible.

⬚  Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.

⬚  If the organisation has a defined, structured approach for this phase, use it!

⬚  Build a business case that identifies and promotes the business benefits of the ISMS.

⬚  Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.

Mil-spec management lessons

 

"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning. 

The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

• “The organization shall determine whether climate change is a relevant issue” (clause 4.1);
  
  
• “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what has climate change got to do with information risk and security? Is it even relevant? Having been been mulling that over for quite some while now, I've come up with a dozen points of relevance:

For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

ISMS internal audit priorities

A thread on the ISO27k Forum sparked my imagination over coffee this morning.

Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan. 

Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements.

ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the standard, and is effectively implemented and maintained. There is no "ALL" in the standard's main body clauses. Spreadsheets are not mentioned at all, not even once.

Mandatory documentation in ISO27001

ISO/IEC 27001 formally requires just 14 types of "documented information" of every organisation competently certified conformant with the standard, as a minimum:

1.       ISMS scope (Clause 4.3);

2.       Information security policy (Clause 5.2);

3.       Information security risk assessment procedure (Clause 6.1.2);

4.       Statement of applicability (Clause 6.1.3 d);

5.       Information security risk treatment procedure (Clause 6.1.3);

6.       Information security objectives (Clause 6.2);

7.       Personnel records (Clause 7.2);

8.       ISMS operational information (Clause 8.1);

9.       Risk assessment reports (Clause 8.2);

10.   Risk treatment plan (Clause 8.3);

11.   Security measurements (Clause 9.1);

12.   ISMS internal audit programme and audit reports (Clause 9.2.2);

13.   ISMS management review reports (Clause 9.3.3);

14.   Records of nonconformities and corrective actions (Clause 10.1).

However, in the course of writing an ISMS implementation guideline, I have realised that #8 on the list is, strictly speaking, discretionary, not mandatory.

Innovative approaches to ISO/IEC 27001 implementation

This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.  

I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, requiring a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.

I'm also intrigued by the possibilities of unconventional, creative, less boring approaches to implementation project planning - for example, instead of plodding sequentially through ISO/IEC 27001, clause-by-clause, think about: