KPMG's Soft Controls model caught my beady eye this week:
Thursday 18 April 2024
Measuring and managing ethics
Wednesday 27 March 2024
Pragmatic ISMS implementation guide (free!)
Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.
- 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:
- These changes are mostly minor aside from the new section 6.3 on ISMS changes.
Friday 15 September 2023
Checklust security
Patrick says:
"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."
Thursday 10 August 2023
Hyperglossary published!
- Information risk
- Information security
- Cybersecurity (IT/Internet security)
- ICS/SCADA/OT security
- Artificial Intelligence
- Privacy, data protection, personal information
- Governance
- Conformity and compliance
- Incidents
- Business continuity
- and more.
Thursday 27 July 2023
Hyper-glossary nearing completion (?)
My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.
Here's an example of a definition originally added a couple of years ago and most recently amended today:
There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.
Tuesday 23 May 2023
Incident notification procedure [UPDATED x2]
Thursday 13 April 2023
ISMS management reviews vs ISMS internal audits
Forumites duly offered advice and agendas. So far so good!
However, I made the point that ISO/IEC 27001 does not specifically require or insist that management reviews take the form of periodic management meetings, although that is the usual approach in practice.
Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match.
In my considered opinion, independence and formality follow a continuum through these activities:
Thursday 30 March 2023
ISO 27001 templates and services on sale
- ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.
Tuesday 21 March 2023
Using AI/ML to draft policy
Sunday 19 March 2023
ISMS support tools (episode 4 of 4)
- Intuitive, easy to use;
- Interoperable;
- Facilitates customisation where appropriate;
- Readily maintained;
- Well supported, documented etc.;
Friday 17 March 2023
ISMS support tools (episode 3 of 4)
So far, I've waffled on about the variety of ISMS support tool types on the market, and about gross differences between ISMS user organisations in terms of industry, size etc.
Next, think about the kinds of things they might expect their ISMS support tools to do. Digging beneath the superficial "support our ISO/IEC 27001 ISMS", organisations may well expect or require the tools to help them with security controls such as:
- Access rights and permissions;
- Alerts or alarms;
- Anti-spam;
- Antivirus;
- Assorted security processes;
- Backups;
Thursday 16 March 2023
ISMS support tools (episode 2 of 4)
- Conventional commercial companies, government agencies and departments, charities and not-for-profits, conglomerates, keiretsu and groups, schools, colleges and universities ...;
- Organisations of all sizes, micro-to-macro;
Wednesday 15 March 2023
ISMS support tools (episode 1 of 4)
Unfortunately, it's not quite that simple!
Supposedly comprehensive ISMS systems
More focused ISMS systems
Tuesday 7 March 2023
Preparing managers to be ISO27001 certified
Since these are commonplace issues, I address them here on the SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as for how it is managed once it comes into operation.
1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?
Thursday 2 March 2023
Information risk management, a business imperative
Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information including:
Sunday 19 February 2023
Transition to ISO/IEC 27001:2022 - updated
1) Organisations that are already certified to ISO/IEC 27001:2013 (or to equivalent national translations of that old 2013 edition of the standard) have about three years to move to the new 2022 edition. Meanwhile, surveillance audits can use either edition of the standard, whichever the organisation chooses to use.
2) Organisations currently preparing to be certified prior to June 2023 can choose either edition:
Monday 13 February 2023
Two ISMS case studies
The second case study concerns consultancy support for a 6-month ISMS implementation project for an innovative NZ agritech company.
Again, although the centrepiece of the assignment was an ISMS management review, it involved gently mentoring and guiding the project managers (two contractors) and providing assurance for the client's senior management - plus stress-reduction when both contractors departed shortly before certification.
Saturday 28 January 2023
Why get ISO 27001 certified?
If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management.
Fantastic!
The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties.
Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls (technological, physical, procedural and others). With appropriate controls in place, incidents grow less frequent and are identified and resolved sooner, with less disruptive and costly consequences. Appropriate security metrics, reviews and audits enable management to direct corporate resources effectively, gaining confidence in the organisation's ability to handle information risks.
2 more topic-specific information security policies
We have just completed and released another two information security policy templates through SecAware.com.
The latest additions are security policy templates on:
- APIs (Application Programming Interfaces) and microservices, used as building blocks to construct compound applications;
- DNS (Domain Name System), used to associate domain names with Internet server IP addresses.
Tuesday 3 January 2023
New year sale: security templates
Kick off 2023 with a bang!
Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more.
Happy new year!