Showing posts with label SecAware. Show all posts

Thursday 18 April 2024

Measuring and managing ethics

KPMG's Soft Controls model caught my beady eye this week:



KPMG are evidently using these 8 factors to analyse, measure and help clients manage their corporate cultures, claiming that "Our model gives organisations a valid tool for getting a clear picture of the current organisational situation, confront it, and break through the silence and passivity." Hmmm, 'silence and passivity', really KPMG? Well OK, whatever. It appears to be a viable approach.

Wednesday 27 March 2024

Pragmatic ISMS implementation guide (free!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:
  • 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:

    • These changes are mostly minor aside from the new section 6.3 on ISMS changes.

Friday 15 September 2023

Checklust security


"Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape" is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."
Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns "IP address" and "routing information", meaning both parts, not just one. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivety of question 35. If this is all Greek to you, maybe not.
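To make the 'disclosure' and 'prevent' ambiguities concrete, here is an added example (not from Patrick's article or the original post) covering just one narrow facet of question 35: scanning an HTTP response for internal IPv4 addresses leaking through proxy headers, redirects and error text. The sample response is constructed, the X-Backend-Server header is hypothetical, and 'internal' is taken to mean the RFC 1918, loopback, link-local and shared-address ranges listed in the code. Routing information, non-IP traffic and every other channel the question silently covers are left out, which is rather the point.

```python
import ipaddress
import re

# Constructed sample: an HTTP response as a badly configured reverse proxy
# might emit it, with internal addresses leaking in several places.
# X-Backend-Server is a hypothetical header name used for illustration.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Server: Apache/2.4.57
Via: 1.1 10.20.30.40 (squid)
X-Backend-Server: app01.corp.internal (192.168.5.12)
Location: http://10.0.0.5/login
Content-Type: text/html

<html><body>
Connection to database 172.16.4.9:5432 failed.
Contact 203.0.113.10 (documentation range, not internal here).
</body></html>
"""

# Assumed meaning of "internal": RFC 1918 private ranges plus loopback,
# link-local and the RFC 6598 shared address space used behind carrier NAT.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "127.0.0.0/8",
        "169.254.0.0/16",
        "100.64.0.0/10",
    )
]

# Dotted-quad candidates; bounded so version strings like 2.4.57 are skipped.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(addr: str) -> bool:
    """True if addr parses as IPv4 and falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in INTERNAL_NETS)


def find_internal_ips(response: str) -> list[tuple[str, str]]:
    """Return (location, address) pairs for every internal address found.

    location is the header name for leaks in the header block, or "body"
    for leaks in the response body. Order follows the response text.
    """
    head, _, body = response.partition("\n\n")
    findings: list[tuple[str, str]] = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        for addr in IPV4_RE.findall(value):
            if is_internal(addr):
                findings.append((name.strip(), addr))
    for addr in IPV4_RE.findall(body):
        if is_internal(addr):
            findings.append(("body", addr))
    return findings


if __name__ == "__main__":
    for location, addr in find_internal_ips(SAMPLE_RESPONSE):
        print(f"{location}: {addr}")
```

Run it against a real response captured with curl -i and the four leaks in the sample (Via, X-Backend-Server, Location and the error text) show why a bare "Yes" to question 35 is optimistic: each comes from a different component, and fixing the proxy headers does nothing for application error messages.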

Thursday 10 August 2023

Hyperglossary published!


Having declared it officially 'done', the SecAware information security hyperglossary is finally self-published as an eBook in PDF format. More than three thousand terms-of-art are defined in the areas of:
  • Information risk 
  • Information security 
  • Cybersecurity (IT/Internet security)
  • ICS/SCADA/OT security
  • Artificial Intelligence
  • Privacy, data protection, personal information
  • Governance
  • Conformity and compliance
  • Incidents 
  • Business continuity
  • and more. 
It has taken me three decades so far to compile the glossary, initially just as a reference for my personal use, then for our security awareness clients, and now for anyone with a little cash to spare and an interest in the field.

Thursday 27 July 2023

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.

Here's an example of a definition originally added a couple of years ago and most recently amended today:

There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.

Tuesday 23 May 2023

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process, for sale through SecAware.

I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Thursday 13 April 2023

ISMS management reviews vs ISMS internal audits

Over on the ISO27k Forum this week, Ray asked us for "guidance on conducting and documenting 'Management Reviews' that include the agenda items required by the standard in 9.3. Any templates shall be much appreciated." 

Forumites duly offered advice and agendas. So far so good!

However, I made the point that ISO/IEC 27001 does not require/insist that management reviews take the form of periodic management meetings, specifically, although that is the usual approach in practice. 

Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match. 

In my considered opinion, independence and formality follow a continuum through these activities:

Thursday 30 March 2023

ISO 27001 templates and services on sale


For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks. 

The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. 

In short, implementing '27001 is not a simple box-ticking compliance exercise. 

This Easter, we are offering:
  • ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.

Tuesday 21 March 2023

Using AI/ML to draft policy

This week, I am preparing a new template for the SecAware policy suite covering the information risks and security, privacy, compliance, assurance and governance arrangements for Artificial Intelligence or Machine Learning systems. With so much ground to cover on this complex, disruptive and rapidly-evolving technology, it is quite a challenge to figure out the key policy matters and express them succinctly in a generic form.

Just for kicks, I set out by asking GPT-4 to draft a policy but, to be frank, it was more hindrance than help. The draft was quite narrowly focused, entirely neglecting several relevant aspects that I feel are important - the information risks arising from the use of commercial AI/ML services by workers, for instance, as opposed to AI/ML systems developed in-house.

The controls it espoused were quite vague and limited in scope, but that's not uncommon in policies. It noted the need for accountability, for instance, but didn't clarify the reasons nor explain how to achieve accountability in practice. It was not pragmatic.

Sunday 19 March 2023

ISMS support tools (episode 4 of 4)


This final episode in the series about specifying and selecting ISMS support tools/systems concerns the general usability requirements typical of almost any computer system, such as:
  • Intuitive, easy to use;
  • Interoperable;
  • Facilitates customisation where appropriate;
  • Readily maintained;
  • Well supported, documented etc.;

Friday 17 March 2023

ISMS support tools (episode 3 of 4)

So far, I've waffled on about the variety of ISMS support tool types on the market, and about gross differences between ISMS user organisations in terms of industry, size etc.

Next, think about the kinds of things they might expect their ISMS support tools to do. Digging beneath the superficial "support our ISO/IEC 27001 ISMS", organizations may well expect/require the tools to help them with security controls such as:

  • Access rights and permissions;
  • Alerts or alarms;
  • Anti-spam;
  • Antivirus;
  • Assorted security processes;
  • Backups;

Thursday 16 March 2023

ISMS support tools (episode 2 of 4)

Previously I blogged about the bewildering variety of tools, systems and services supporting ISO/IEC 27001 Information Security Management Systems. The tools, in turn, are being used in various ways for various purposes by a bewildering range of organisations.

The ISMS specified by ISO/IEC 27001 is "intended to be applicable to all organizations, regardless of type, size or nature", a deliberately broad scope that takes in:

  • Conventional commercial companies, government agencies and departments, charities and not-for-profits, conglomerates, keiretsu and groups, schools, colleges and universities ...; 
  • Organisations of all sizes, micro-to-macro;

Wednesday 15 March 2023

ISMS support tools (episode 1 of 4)


From time to time, members of the ISO27k Forum seek opinions about systems on which to run their ISO/IEC 27001 Information Security Management Systems, anticipating feedback or recommendations for certain products.

Unfortunately, it's not quite that simple!

For starters, the ISMS support systems come in several flavours. Our toolboxes are bulging ...

Supposedly comprehensive ISMS systems

These claim to support every conceivable aspect of information risk and security management, incident management, business continuity, compliance, governance, assurance and more. Whether that reflects a comprehensive architecture and design from the ground up, or a more limited core system on to which various adornments have been tacked over the years (sometimes including functional units from totally different systems and suppliers), is not necessarily obvious until users explore the limits and perhaps fall between the cracks.

More focused ISMS systems

Tuesday 7 March 2023

Preparing managers to be ISO27001 certified

This morning, a new member of the ISO27k Forum asked us some questions about his organisation's upcoming ISO/IEC 27001 certification audit (paraphrased below). 

Since these are commonplace issues, I address them here on SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as how it is managed once it comes into operation.


1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?

That is for the auditor to decide. CEOs are invariably busy people ... but the CEO's non-involvement (even before being asked!) hints at a lack of support or engagement from senior management*. If other senior managers are more willing and able to be interviewed, that should suffice, especially if they subtly or directly confirm that the CEO supports the ISMS, or if the CEO has overtly supported the ISMS (e.g. by personally endorsing or mandating the information security policy). See also Q4 below.


2. Approximately how much time is required for an audit interview?

Thursday 2 March 2023

Information risk management, a business imperative

Information risk management is a crucial business issue in the digital age. This piece describes a systematic and proactive approach to information risk management with a healthy dose of pragmatism.

It is obvious that serious incidents such as ransomware can disrupt operations, severely damaging an organisation's reputation, brands and customer trust, threatening its financial stability and longevity ... but that's not all. Even relatively minor incidents can accumulate significant costs over time, starving other important business activities of resources. Given that practically everything depends on information, the starting point is to embed information risk management fully into the organisation's business strategy and routine operations.

Most organisations have basic information security controls in place. However, a strategic approach is less common, while a truly comprehensive business-oriented approach to information risk management remains quite rare. 

Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information including: 

Sunday 19 February 2023

Transition to ISO/IEC 27001:2022 - updated

As anticipated, the International Accreditation Forum has published updated guidance on the transition arrangements for certification of organisations against ISO/IEC 27001:2022, the new third edition of the standard released in October. There are several possibilities under various circumstances (as I understand it*) ...

1) Organisations that are already certified to ISO/IEC 27001:2013 (or to equivalent national translations of that old 2013 edition of the standard) have about three years to move to the new 2022 edition. Meanwhile, surveillance audits can use either edition of the standard, whichever the organisation chooses to use.

2) Organisations currently preparing to be certified prior to June 2023 can choose either edition:

Monday 13 February 2023

Two ISMS case studies

While waiting impatiently for today's stormy NZ weather to subside so I can get outside and survey the damage, I spent a productive few hours writing up a pair of recent consultancy assignments as case studies for the SecAware website.

The first case study concerns helping a US tech support company to regain its ISO 27001 certification by rebuilding its failed ISMS.

Officially, the assignment was simply an ISMS internal audit. In practice, it involved some lightweight mentoring and support for a capable CISO.

ISMS implementation project case study

The second case study concerns consultancy support for a 6-month ISMS implementation project for an innovative NZ agritech company.

Again, although the centrepiece of the assignment was an ISMS management review, it involved gently mentoring and guiding the project managers (two contractors) and providing assurance for the client's senior management - plus stress-reduction when both contractors departed shortly before certification.

Saturday 28 January 2023

Why get ISO 27001 certified?

If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management. 

Fantastic!

The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties.

Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls (technological, physical, procedural and others). With appropriate controls in place, incidents grow less frequent and are identified and resolved sooner causing less disruptive and costly consequences. Appropriate security metrics, reviews and audits enable management to direct corporate resources effectively, gaining confidence in the organisation's ability to handle information risks.

2 more topic-specific information security policies

We have just completed and released another two information security policy templates through SecAware.com.

The latest additions are security policy templates on:

The full SecAware policy suite now has 83 templates:

They were all researched and written to a consistently high quality, by me. They are designed to mesh together, complementing each other. I maintain them, updating individual policies as and when required and reviewing the entire suite every year or so. 

We provide them as MS Word documents that you can easily customise. Get in touch for additional policies, procedures or guidelines, or if you need assistance to adapt them to your corporate style. 

Buy them individually for $20 or take the whole lot for $399, saving over $1200.

Tuesday 3 January 2023

New year sale: security templates



Kick off 2023 with a bang!

Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more.

Happy new year!