An evolutionary revolution?

"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Pragmatic ISMS implementation guide (free!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:

• 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:
  
  
• These changes are mostly minor aside from the new section 6.3 on ISMS changes.

Knit your own security metrics

This morning on the ISO27k forum, Vurendar told us: 

"I saw your pragmatic book but I was confused on the way criteria and no’s were assigned. If you could guide will really help.  I’m doing a RBI Based compliance assessment where regulator has asked for such metrics. Help would be really appreciated."  

Here's my reply. 

For guidance on choosing which metrics to take a look at and maybe score, I recommend Lance Hayden's book "IT Security Metrics" which describes the Goal-Question-Metric approach. 

A nightmare on DR street

A provocative piece on LinkeDin by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.