

Two new ISO27k projects: ISMS guidance for the neglected mediums and the SME dilemma
No, not that kind of 'medium'! Two new ISO/IEC JTC 1/SC 27/WG 1 standards projects are under way, raising fundamental questions about how we standardise and promote information security. 1. Practical ISMS implementation guidance First, we are defining the scope and plan for a second part to ISO/IEC 27003 (possibly a distinct standard or some other format). This project aims to offer ISMS implementation advice for small, medium and large organizations, with a specific emphas
6 days ago · 2 min read


Cyber-insurance standard update
I've received the first Working Draft for the revision of ISO/IEC 27102:2019 - "Information security management - Guidelines for cyber-insurance". With a new title already approved ("Information security, cybersecurity and privacy protection — Guidelines for applying ISO/IEC 27001 and related standards in support of cyber insurance") and a revised scope, the committee intends to refocus the second edition more explicitly on the Information Security Management System
Jan 17 · 2 min read


That risky Annex A
Having seen yet another comment on social media this morning along the lines of "I'm petrified that the certification auditor will raise a nonconformity if we don't adopt specific Annex A controls", I've added an ISO27k FAQ under the assurance section. This is one of the most frequent of Frequently Asked Questions, a frustratingly persistent concern relating to the natural anxieties about being audited. I've been audited. I've been an auditor. Audits are challenging,
Jan 3 · 2 min read


Stakeholding adversaries
I'm intrigued by the notion of 'adversaries' being classed and treated as 'stakeholders' for risk management purposes. Adversaries' interests, concerns, requirements and expectations are (on the whole) diametrically opposed to the organisation's and its more conventional stakeholders. However, as with all stakeholders (e.g. owners, workers, partners, suppliers, customers, authorities, communities, society ...), they are willing to invest in achieving the outcomes they desir
Dec 23, 2025 · 2 min read
