Risk


That risky Annex A
Having seen yet another comment on social media this morning along the lines of "I'm petrified that the certification auditor will raise a nonconformity if we don't adopt specific Annex A controls", I've added an ISO27k FAQ under the assurance section. This is one of the most frequent of Frequently Asked Questions, a frustratingly persistent concern relating to the natural anxieties about being audited. I've been audited. I've been an auditor. Audits are challenging,
6 days ago · 2 min read


Stakeholding adversaries
I'm intrigued by the notion of 'adversaries' being classed and treated as 'stakeholders' for risk management purposes. Adversaries' interests, concerns, requirements and expectations are (on the whole) diametrically opposed to the organisation's and its more conventional stakeholders. However, as with all stakeholders (e.g. owners, workers, partners, suppliers, customers, authorities, communities, society ...), they are willing to invest in achieving the outcomes they desir
Dec 23, 2025 · 2 min read


ISO 27799 updated - health infosec controls
ISO/TC 215 has updated ISO 27799 to reflect ISO/IEC 27002:2022, omitting the previous edition's content on ISO/IEC 27001. The standard now concentrates on the implementation of organisational, people, physical and technological controls within the healthcare industry.
Dec 19, 2025 · 1 min read


ISO/IEC 27028 Control attributes DIS
An updated Draft International Standard ISO/IEC 27028 has been released to ISO/IEC JTC 1/SC 27 for voting by early February 2026. I have been expecting a 'Technical Specification' rather than a full International Standard, but maybe I missed the memo. Not to worry. The DIS is in good shape. So far I spotted just a few minor grammatical issues and concerns about terminology (risk tolerance denotes a different concept from risk appetite; these are not synonyms; likewise for 'co
Dec 16, 2025 · 1 min read


Prosthetic privacy
A new SC27 project has been approved, developing an ISO27k standard on privacy for the Brain-Computer Interface, part of meditech or healthtech you could say. Consider the privacy implications of these vaguely-conceivable if mostly futuristic/other-worldly BCI applications: Brain implants picking up neurological signals to control prosthetic limbs or weapons, ideally providing 'force feedback' for proportional control, dexterity and accuracy. Remote control/direction of
Dec 16, 2025 · 2 min read


ISO/IEC 27091 AI privacy DIS
Voting has commenced on the Draft International Standard ISO/IEC 27091 on AI privacy, with national standards bodies invited to vote and comment by Feb 25th 2026. I have updated the standard's page on this website, based on a brief skim-reading of the DIS, so far. I will update that page if I find the time to study the standard properly and reconsider my opinions. In summary, although I have concerns about the scope, focus and coverage of the standard, it does offer us
Dec 6, 2025 · 1 min read


ISO/IEC 27045 big data DIS
The Draft International Standard version of this forthcoming security and privacy standard on 'big data' has been released for national bodies to vote and comment before March 2026. Supplementing ISO's 'official' page about this standard, I have outlined the structure of the standard on its detailed info page on this website. If the DIS is approved by the voting members of ISO/IEC JTC 1/SC 27 without significant comments or objections, it may be published later in 2026
Dec 3, 2025 · 1 min read


Standard tensions
When drafting technical standards, there are natural tensions concerning the audience, purpose and language used. On the one hand, 'technical' implies complexities and precision in the content, with details relating to science and engineering. This generally means writing for a competent and knowledgeable professional audience, providing specific details to guide and enable them to get to grips with the subject matter. A technical standard on, say, nuts and bolts would typi
Nov 26, 2025 · 3 min read


Planet Earth vs Nvidia
From Nvidia's triumphant press release yesterday: “Blackwell sales are off the charts, and cloud GPUs are sold out,” said Jensen Huang, founder and CEO of NVIDIA. “Compute demand keeps accelerating and compounding across training and inference — each growing exponentially. We’ve entered the virtuous cycle of AI. The AI ecosystem is scaling fast — with more new foundation model makers, more AI startups, across more industries, and in more countries. AI is going everywhere, do
Nov 21, 2025 · 2 min read


AI risks on this website
Given the astounding volume of financial investment driving innovation at breakneck speed, Artificial Intelligence is an impressive and yet still relatively rudimentary technology. In particular, today's generative AI services are capable of spouting content that reads quite well, giving the superficial appearance of intelligence and value. However, all is not as it seems. Barely beneath the surface lie the sloppy depths, the robots making stuff up to plug numerous gaps in
Nov 13, 2025 · 4 min read


SoA risks
Before the sun came up this morning, fuelled by strong coffee and prompted by yet another lame social media thread about this, I've written a new FAQ concerning disclosure of the Statement of Applicability. On LinkedIn, there's the usual confusing muddle of concerns and conflicting advice when someone asked whether a company can share its SoA, adding that (according to someone on Reddit last night [allegedly]) the [certification?] auditor said they "cannot share the SoA bec
Nov 10, 2025 · 1 min read
