- Assess whether current board culture, composition and agendas are fit for purpose in the current disruptive business environment.
- Assess the current team culture, composition, priorities, skills & competences, expertise, relationships, interests etc. with a view towards the future. How should the team evolve or adapt to changing circumstances, building on past successes and learning from failures?
Friday 19 April 2024
Systematically improving professional services
Thursday 18 April 2024
Measuring and managing ethics
KPMG's Soft Controls model caught my beady eye this week:
Wednesday 28 February 2024
ISMS implementation project guidance checklist
Project definition, justification, scoping and planning
⬚ Study the standards, in depth: complete lead implementer training if possible.
⬚ Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.
⬚ If the organisation has a defined, structured approach for this phase, use it!
⬚ Build a business case that identifies and promotes the business benefits of the ISMS.
⬚ Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.
Tuesday 27 February 2024
Mil-spec management lessons
"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."
That paragraph, plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by Cyclone Gabrielle here in Hawkes Bay, caught my beady eye this morning.
The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.
Monday 26 February 2024
27001 & climate change
Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:
- “The organization shall determine whether climate change is a relevant issue” (clause 4.1);
- “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).
Sunday 11 February 2024
Innovative approaches to ISO/IEC 27001 implementation
This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.
I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, requiring a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.
Sunday 17 December 2023
Categorised plans
Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.
Friday 28 July 2023
Using security enquiries by customers as a security metric
"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk of if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report. You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization. My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer. It doesn’t get much better than that."
Wednesday 12 July 2023
A pragmatic alternative to the SuperCISO [L O N G]
JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical.
For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically - an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.
Wednesday 5 July 2023
What do auditors do, and for whom? [L O N G]
"advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just being seen as a transactional, bureaucratic overhead."
... which seems entirely appropriate and ethical to me. Nicely put!
Fuelled by two strong coffees, I've been mulling over a further response from my pal Chris Hall - an experienced and respected auditor and consultant who expressed the opinion that the role of a certification auditor is:
"... simply to assess whether the organisation conforms to the requirements of clauses 4 to 10 of ISO27001. That is all. And to report on it, pointing out where the ISMS does not conform ..."
I see things a little differently and (as usual!) more complex/nuanced in practice than Chris indicates.
Tuesday 30 May 2023
BCM for WFH
- Use of cloud computing services*;
- Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;
Tuesday 23 May 2023
Incident notification procedure [UPDATED x2]
Wednesday 26 April 2023
Using ChatGPT more securely
This pragmatic guideline explores the information risks associated with AI/ML, from the perspective of an organisation whose workers are using ChatGPT (as an example).
Having identified ~26 threats, ~6 vulnerabilities and dozens of possible impactful incident scenarios, I came up with ~20 information security controls capable of mitigating many of the risks.
See what you make of it. Feedback welcome. What have I missed? What controls would you suggest?
Thursday 13 April 2023
ISMS management reviews vs ISMS internal audits
Forumites duly offered advice and agendas. So far so good!
However, I made the point that ISO/IEC 27001 does not require/insist that management reviews take the form of periodic management meetings, specifically, although that is the usual approach in practice.
Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match.
In my considered opinion, independence and formality follow a continuum through these activities:
Wednesday 12 April 2023
mmmmmm, More Meaningful Management Metrics
One straw-man argument is that 'managing by the numbers' can imply a myopic focus on commonplace business metrics such as stock price or annual profit, both of which can be manipulated to some extent by managers even at the expense of long term resilience and commercial success, let alone other business objectives. Despite Taylor's outmoded 'scientific management' experiments having been debunked a century ago, some LinkeDinners in the thread evidently still believe that science (in the form of numeric data) and management are poles apart.
I beg to differ. That's so last century!
Management is complex, dynamic and nuanced, hence I accept that simplistic or crude metrics can't possibly address the entire practice. For example, speed is obviously a key metric for a racing car: however, going fast is just one part of racing, even on the drag strip. Staying on-track with both vehicle and driver holding together for the duration of a meet are also important for the team manager, the whole team in fact. An exploding drag car might conceivably project sufficient material across the line to qualify in record time, but there would be nothing left to compete in the final!
Sunday 2 April 2023
To what extent do you trust the robots?
Thursday 30 March 2023
ISO 27001 templates and services on sale
- ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.
Saturday 25 March 2023
Black hawk down ... but not out
I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.
Resilience is not simply:
- Being secure
- Being strong
- Recovering effectively, efficiently or simply recovering from incidents
- Avoiding or mitigating incidents
- Any specific technical approach or system
- Any particular human response, action or intent
- A backstop or ultimate control
- Heroic acts
- A construct, something we design and build
- Something that can simply be mandated or demanded
- Specific to particular circumstances, situations or applications
- A general concept, a philosophy, a belief
- An engineering and architectural approach
Tuesday 21 March 2023
Using AI/ML to draft policy
Sunday 19 March 2023
ISMS support tools (episode 4 of 4)
- Intuitive, easy to use;
- Interoperable;
- Facilitates customisation where appropriate;
- Readily maintained;
- Well supported, documented etc.;