

ISO/IEC 27565 published
ISO/IEC 27565:2026 is a brand new ISO27k standard on Zero-Knowledge Proofs. It explains how to go about collecting and verifying personal information for various legitimate purposes without 'over-collecting', i.e. requiring and gathering additional information beyond that strictly needed for the stated purpose - verifying whether a statement or claim is or is not true. Age verification is a common example. A new law in Australia, for instance, prohibits youngsters from
2 days ago, 2 min read


ISO/IEC TS 27103 published
ISO/IEC TS 27103:2026 "Cybersecurity - Guidance on using ISO and IEC standards in a cybersecurity framework" is, essentially, a mapping of NIST's Cyber Security Framework to ISO27k and other standards. The Technical Specification belatedly updates references to various clauses in the 2022 editions of ISO/IEC 27001 and 27002 from 2018's Technical Report. Read more about the standard here on this site and at ISO.org
Feb 10, 1 min read


Two new ISO27k projects: ISMS guidance for the neglected mediums and the SME dilemma
No, not that kind of 'medium'! Two new ISO/IEC JTC 1/SC 27/WG 1 standards projects are under way, raising fundamental questions about how we standardise and promote information security.
1. Practical ISMS implementation guidance
First, we are defining the scope and plan for a second part to ISO/IEC 27003 (possibly a distinct standard or some other format). This project aims to offer ISMS implementation advice for small, medium and large organizations, with a specific emphas
Jan 23, 2 min read


Cyber-insurance standard update
I've received the first Working Draft for the revision of ISO/IEC 27102:2019 - "Information security management - Guidelines for cyber-insurance". With a new title already approved ("Information security, cybersecurity and privacy protection — Guidelines for applying ISO/IEC 27001 and related standards in support of cyber insurance") and a revised scope, the committee intends to refocus the second edition more explicitly on the Information Security Management System
Jan 17, 2 min read


That risky Annex A
Having seen yet another comment on social media this morning along the lines of "I'm petrified that the certification auditor will raise a nonconformity if we don't adopt specific Annex A controls", I've added an ISO27k FAQ under the assurance section. This is one of the most frequent of Frequently Asked Questions, a frustratingly persistent concern relating to the natural anxieties about being audited. I've been audited. I've been an auditor. Audits are challenging,
Jan 3, 2 min read


Stakeholding adversaries
I'm intrigued by the notion of 'adversaries' being classed and treated as 'stakeholders' for risk management purposes. Adversaries' interests, concerns, requirements and expectations are (on the whole) diametrically opposed to the organisation's and its more conventional stakeholders. However, as with all stakeholders (e.g. owners, workers, partners, suppliers, customers, authorities, communities, society...), they are willing to invest in achieving the outcomes they desir
Dec 23, 2025, 2 min read
