Two dozen information risks that ISO forgot

  1. Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber

  2. Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice

  3. Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in)

  4. Inept and inaccurate identification, analysis and quantification of risk, including reliance on poor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propaganda, rhetoric

  5. Inept, inadequate and inappropriate measurement of controls, processes, activities, technologies, people, projects, plans, relationships etc.

  6. Failure to act on information received including metrics, reports, rumours, advisories, warning signs, alerts, alarms, indicators etc. 

  7. Misunderstanding of the true purpose and nature of both risk and control, and related aspects/concepts such as governance, compliance, safety, ownership, value

  8. Complexity and opaqueness (reducing clarity and understanding) of risks, threats, vulnerabilities, impacts, controls, systems, interactions, dependencies and conflicts

  9. Undue dependence, reliance on/faith in fallible controls, and unrealistic expectations of their effectiveness

  10. Inadequate investment in myriad controls - spreading the butter too thin - and unjustifiable/unreasonable/inappropriate variation in security investments - lumpy butter

  11. Opportunity costs e.g. insufficient resourcing for important, valuable or necessary risk and security work (including analysis) due to excessive or inefficient expenditure elsewhere, and vice versa

  12. Superficial, flawed or missing analysis plus inadequate attention to and appreciation of complexity, interdependencies, dynamics and the limits of our knowledge

  13. Partial or total disregard for uncertainties, both in general and in specific circumstances, including compound effects of complexity and 'unfortunate coincidences'

  14. Business continuity aspects including resilience, recovery AND contingency

  15. Blind spots, ignorance, accidental or deliberate disregard of relevant factors for various reasons e.g. operational technologies, insider threats

  16. Blame culture, and in fact culture generally i.e. sociology, corporate politics, plausible deniability ...

  17. Poor maintenance, monitoring and management of the controls - plus inadequate specification, engineering/design/architecture, corner-cutting, bungled builds and implementation activities, inadequate selection, training and support for all involved, blah blah blah

  18. Inappropriate, counterproductive, conflicting, unrealistic and unrecognised compliance and conformity pressures 

  19. Failure to consider and design 'the big picture' around risk management including the relationships between risks, opportunities, investments, priorities etc. 

  20. Naievete, misunderstandings or plain ignorance of accountability, responsibility, blame and related concepts 

  21. Ethics.

  22. Scattergun approaches (trying to do everything at once) and myopia (focusing intently and exclusively on particular aspects, and not necessarily the right ones at that)
     
  23. Failure to stitch things together into a coherent, long-term, comprehensive strategy that properly integrates with, supports and takes account of the bigger systems e.g. the criminal fraternity, politics, enterprise risk

  24. Failure to account for or manage dynamics and changes, including step-changes and evolution, obvious, subtle and concealed changes, misunderstood changes with wrongly attributed causes, simplistic and inept single-factor analysis, insufficient attention to conflicts, gaps, issues, concerns, entropy, interrelatedness, differing objectives and priorities etc.

  25. Naive expectations that any list of risks and controls is ever 'complete' or 'comprehensive' or 'sufficient' or 'adequate'
The ISO/IEC 27002 information security controls either don't cover those information risks at all, or cover them so tangentially/subtly that they are easily missed. Worse still, for each control in Annex A ISO/IEC 27001 collapses roughly a page of details from '27002 down to a single sentence headline, while the standard's main body clauses on the management controls are stilted and overburdened with subtle yet unstated and variant interpretations, reducing comprehension still further - especially for readers who are not experienced information risk and security professionals (such as general business managers determining strategies, priorities, resourcing requirements, objectives and governance arrangements) confronted by charlatans and jobsworth certification auditors.

[\rant]

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more