- ISO/IEC 27037 | ISO27001security

ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (first edition)

Abstract

“ISO/IEC 27037:2012 provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions. ISO/IEC 27037:2012 gives guidance for the following devices and circumstances: digital storage media used in standard computers like hard drives, floppy disks, optical and magneto optical disks, data devices with similar functions; mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards; mobile navigation systems; digital still and video cameras (including CCTV); standard computer with network connections; networks based on TCP/IP and other digital protocols; and devices with similar functions as above. The above list of devices is an indicative list and not exhaustive.” [Source: ISO/IEC 27037:2012]

Introduction

This standard provides guidance on identifying, gathering/collecting/acquiring, handling and protecting/preserving digital forensic evidence, i.e. “digital data that may be of evidential value”, for use in court. The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence.

While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity. As with conventional physical evidence, it is crucial for the first and subsequent responders (defined as “Digital Evidence First Responders” and “Digital Evidence Specialists”) to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts. More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred. This requires that a defined baseline level of information security controls is met or exceeded.

Digital forensic evidence can come from any electronic storage or communications media such as smartphones and other smart devices, computers, game consoles etc., plus online/network/cloud storage. By its nature, digital forensic evidence is fragile: it can be easily damaged or altered due to improper handling, whether by accident or on purpose.

Prior to the release of ISO/IEC 27037, there were no globally-accepted standards on acquiring digital evidence, the first step in the process. Police have developed their own national guidelines and procedures for the acquisition and protection of electronic evidence. However, this creates issues when cross-border crimes are committed since digital forensic evidence acquired in one country may need to be presented in the courts of another. Evidence that may have been acquired or protected without the requisite level of security may be tainted or legally inadmissible.

Scope

The standard provides detailed guidance on the identification, collection and/or acquisition, marking, storage, transport and preservation of electronic evidence, particularly to maintain its integrity. It defines and describes the processes through which evidence is recognized and identified, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence. The scope covers ‘traditional’ IT systems and media rather than vehicle systems, cloud computing etc. The guidance is aimed primarily at first responders.

Every country has its own unique legislative system. A crime committed in one jurisdiction may not even be regarded as a crime in another. The challenge is to harmonize processes across borders such that cybercriminals can be prosecuted accordingly. Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required.

“Digital evidence”, meaning information from digital devices to be presented in court, is interpreted differently in different jurisdictions. For the widest applicability, the standard avoids using jurisdiction-specific terminology. It does not cover analysis of digital evidence, nor its admissibility, weight, relevance etc. It also does not mandate the use of particular tools or methods.

Structure

Main clauses:
- 5: Overview
- 6: Key components of identification, collection, acquisition and preservation of digital evidence
- 7: Instances of identification, collection, acquisition and preservation
- Annex A: Digital Evidence First Responder core skills and competency description
- Annex B: Minimum documentation requirements for evidence transfer

Status

The current first edition was published in 2012 and confirmed unchanged in 2018.

Commentary

This standard concerns the initial capturing of digital evidence. In addition:
- ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics, e.g. ensuring that the appropriate methods and tools are used properly.
- ISO/IEC 27042 covers what happens after digital evidence has been collected, i.e. its analysis and interpretation.
- ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
- ISO/IEC 27050 (in 4 parts) concerns electronic discovery, which is pretty much what the other standards cover.
- British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.

I don’t understand why SC 27 maintains several distinct forensics standards, covering different aspects of forensics, when they are in reality complementary parts of the same process. A properly structured multi-part standard would make more sense to me, with an overview part 1 explaining how the jigsaw pieces fit together.

This page last updated: 22 February 2026
- ISO/IEC 27554 | ISO27001security

ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition]

Abstract

ISO/IEC 27554 “provides guidelines for identity-related risk, as an extension of ISO 31000:2018. More specifically, it uses the process outlined in ISO 31000 to guide users in establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity-related risk. [ISO/IEC 27554] is applicable to the risk assessment of processes and services that rely on or are related to identity. [ISO/IEC 27554] does not include aspects of risk related to general issues of delivery, technology or security.” [Source: ISO/IEC 27554:2024]

Introduction

This standard facilitates the application of the ISO 31000 risk management guidelines to identity management, supporting or supplementing various identity management standards. It applies the ISO 31000 risk management process to establish the context and assess risk, suggesting some risk scenarios for the processes and implementations specifically involving identity-related risk.

Scope

The standard applies to the assessment, specifically, of risks associated with ‘services and transactions’ that rely on or are related to identity management, excluding risks arising generally from delivery, technology or security. It can be used in conjunction with other standards concerning controls to protect identity information.

The standard succinctly explains identity-related risk definition, context and impacts. It covers the central part of the classical ISO 31000-style risk management process, excluding risk monitoring and review, and risk communication and consultation.

Structure

Main sections:
- 4: Principles - simply refers to the ISO 31000 principles
- 5: Framework - refers to the ISO 31000 approach
- 6: Process - refers to the ISO 31000 risk management process
- 7: Identity-related risk assessment
- 8: Identity-related context establishment
- 9: Identity-related risk identification
- 10: Identity-related risk analysis
- 11: Identity-related risk evaluation
- 12: Identity-related risk treatment - refers to ISO 31000

... with appendices on related standards on risk and identity management, and “risk impact assessment”.

Status

The current first edition was published in 2024.

Commentary

ISO 31000 remains useful, along with ISO/IEC 27005 ... begging questions about the value of another standard in this area, especially one so naively and narrowly focused.

In my jaundiced opinion, the standard misrepresents the probability element of risk, equating it to the amount of control applied rather than the predicted rate of occurrence. Conflating risk and control could be seen as a fundamental problem with the approach, confusing inherent (pre-treatment) and residual (post-treatment) risk.

Language/terminological issues (e.g. “B.1 Assessing the degree of impact of a consequence”) beg further questions. Rewriting this standard in plain English might help bring such issues into the disinfecting glare of sunlight.

The use of ‘degrees’, ‘levels’, ‘scales’ and ‘categories’ of risk, and ‘strength’ of identity-related processes (presumably controls?) indicates a subjective and qualitative approach ... and yet the standard suggests “collapsing the distinct indicators into a single combined value” at one point and for unexplained reasons presents numeric values in a ‘Plot matrix’ ... at which point I’m afraid I completely lost the plot. Repeat after me: Ordinary arithmetic is inappropriate for ordinal numbers. Ordinary arithmetic is inappropriate for ordinal numbers. Ordinary arithmetic is inappropriate for ordinal numbers. ...

This page last updated: 26 January 2026
- ISO/IEC 27033-2 | ISO27001security

ISO/IEC 27033-2:2012 — Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security (first edition)

Abstract

ISO/IEC 27033 part 2 “gives guidelines for organizations to plan, design, implement and document network security.” [Source: ISO/IEC 27033-2:2012]

Introduction

Part 2 revised and replaced ISO/IEC 18028 part 2. It defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology.

Scope

Planning, designing, implementing and documenting network security.

Objective: “to define how organisations should achieve quality network technical security architectures, designs and implementations that will ensure network security appropriate to their business environments, using a consistent approach to the planning, design and implementation of network security, as relevant aided by the use of models/frameworks. (In this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design)”.

Structure

Main clauses:
- 6: Preparing for design of network security
- 7: Design of network security
- 8: Implementation
- Annex A: Cross-references between ISO/IEC 27001:2005/ISO/IEC 27002:2005 network security-related controls and ISO/IEC 27033-2:2012 clauses
- Annex B: Example documentation templates
- Annex C: ITU-T X.805 framework and ISO/IEC 27001:2005 control mapping

Status

ISO/IEC 27033-2 revised and replaced ISO/IEC 18028-2. The current first edition of part 2 was published way back in 2012 and confirmed unchanged in 2018. It is now seriously out of date, referring to old editions of other standards and missing out on current networking security issues such as cloud security and virtual networking.

Commentary

Part 2 serves as a foundation for detailed recommendations on end-to-end network security. It covers risks, design, techniques and control issues, and refers to other parts of ISO/IEC 27033 for more specific guidance.

This page last updated: 23 February 2026
- ISO/IEC 27102 | ISO27001security

ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance (first edition)

Abstract

ISO/IEC 27102 “provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organisation's information security risk management framework. ...” [Source: ISO/IEC 27102:2019]

Introduction

There is a global market for ‘cyber-insurance’, providing options for the transfer of some information/commercial risks to commercial providers. At present, the focus is primarily on sharing risk and providing compensation for the business costs and consequences arising from ‘cyber-incidents’ (such as serious privacy breaches caused by hacks and malware infections) that have not been entirely avoided, mitigated or simply accepted by the organisation.

Scope

This standard explains:
- Essential insurance concepts to information risk and security professionals;
- Essential cybersecurity concepts to insurance professionals;
- What the insurers and customers of cyber-insurance typically expect of each other;
- How to scope, determine, specify and procure appropriate cyber-insurance to managers, procurement and insurance sales professionals, and others involved in the negotiations and contracting process;
- The advantages and disadvantages, costs and benefits, constraints and opportunities in this area.

Structure

Main clauses:
- 5: Overview of cyber-insurance and cyber-insurance policy
- 6: Cyber-risk and insurance coverage
- 7: Risk assessment supporting cyber-insurance underwriting
- 8: Role of ISMS in support of cyber-insurance
- Annex A: Examples of ISMS documents for sharing

Status

The current first edition was published in 2019.

The second edition is at Working Draft stage, refocusing on how cyber insurance can both support and draw upon an ISMS, and updating to reflect the current 2022 versions of ISO/IEC 27001 and 27002. A new title has been approved (“Guidelines for the use of ISMS in support of cyber insurance”) plus a revised scope (“This document provides guidelines when considering purchasing cyber-insurance as a risk treatment option to manage the impact of a cyber-incident within the organization’s information security risk management framework, as well as leveraging the organization’s ISMS when sharing relevant data and information with an insurer. This document gives guidelines for: a) considering the purchase of cyber insurance as a risk treatment option to share cyber risks; b) leveraging cyber insurance to assist in managing the impact of a cyber incident; c) sharing of data and information between the insured and an insurer to support underwriting, monitoring and claims activities associated with a cyber insurance policy; d) leveraging an ISMS when sharing relevant data and information with an insurer. This document is applicable to organizations that intend to purchase cyber insurance, regardless of type, size or sector.”).

Commentary

The standard offers sage advice on the categories or types of incident-related costs that may or may not be covered. It concerns what I would call everyday [cyber] incidents, a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various kinds of insurance, and some such as loss of critical people may or may not be insurable. Whether these are included or excluded from cyber-insurance depends on the policy wording and interpretation.

Insurers are well aware of their dependence on integrity and credibility, plus the ability to pay out on rare but severe events. This standard is a basis for mutual understanding, supporting full and frank discussions between cyber-insurers and their clients on the terms and conditions leading to appropriate insurance cover.

Meanwhile both insurers and insured share a common interest in avoiding, preventing or mitigating all kinds of incident involving valuable yet vulnerable information (including the digitals), which is where the remaining ISO27k standards shine.

This page last updated: 22 February 2026
- ISO/IEC 27035-3 | ISO27001security

ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition)

Abstract

ISO/IEC 27035 part 3 “gives guidelines for information security incident response in ICT security operations. [ISO/IEC 27035-3] does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion ...” [Source: ISO/IEC 27035-3:2020]

Introduction

Part 3 concerns the 'security operations' elements in response to an IT incident.

Scope

Part 3 concerns the organisation and processes necessary for the information security function to prepare for, and respond to, IT security events and incidents.

Structure

Main clauses:
- 5: Overview
- 6: Common types of attacks
- 7: Incident detection operations
- 8: Incident notification operations
- 9: Incident triage operations
- 10: Incident analysis operations
- 11: Incident containment, eradication and recovery operations
- 12: Incident reporting operations
- Annex A: Example of the incident criteria based on information security events and incidents

Status

The current first edition of part 3 was published in 2020. In 2025, the standard fell due for review by ISO/IEC JTC 1/SC 27 to decide whether it should be withdrawn, revised or retained as-is. Watch this space.

Commentary

The standard primarily concerns the IT Department's responses to active, deliberate cyber-attacks such as major hacks or malware infections such as ransomware. However, various other kinds of incident may require similar IT-related responses, e.g.:
- Failed software patches, installations, reconfigurations or other changes to systems, applications, networks, services, protocols etc.
- Inappropriate and damaging automated activities by AI systems and agents, plus incidents relating to shadow-IT and shadow-AI (unauthorised arrangements outside IT Department's remit).
- Hardware failures.
- Business incidents or situations requiring urgent IT responses, such as takeover attempts or mergers.
- Environmental disasters such as storms, floods, fires, plane crashes, wars, power cuts and telecomms outages.
- Serious incidents involving the workforce such as pandemics, strikes or mass resignations.
- Failures of other important security controls, including governance and management controls, e.g. serious fraud or exec-level impropriety.
- Supply chain incidents or those affecting related organisations, e.g. other parts of a group structure or multinational enterprise.

Therefore, business continuity and resilience arrangements are inevitably linked to risk, incident and security management, as well as business management. It's a complex and dynamic mesh of issues, only part of which is covered by this standard.

The standard’s title contains a commonplace but unexpanded abbreviation: ICT. Plain old "IT" has included communications and networking for decades, so I'm not sure why anyone feels the need to insert the 'C'.

This page last updated: 22 February 2026
- ISO/IEC 27559 | ISO27001security

ISO/IEC 27559:2022 — Information security, cybersecurity and privacy protection — Privacy-enhancing data de-identification framework (first edition)

Abstract

ISO/IEC 27559 “provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.” [Source: ISO/IEC 27559:2022]

Introduction

This standard proposes a ‘principles-based’ framework/structure for identifying and mitigating privacy-related risks such as re-identification of supposedly de-identified data. It advises on properly de-identifying (anonymising) personal data in order to build trust with data subjects and comply with applicable privacy laws and regulations.

Scope

As data analytics increasingly relies on sharing and combining data sets containing supposedly de-identified (anonymized) data, the risks of re-identification are growing more significant. This standard provides guidance on the principles involved in recognizing and mitigating those risks. It stops short of the specific technologies and their implementation.

Structure

Main clauses:
- 5: Overview
- 6: Context assessment - essentially, determining the general concerns and hence main requirements in this area, using analytical approaches such as threat modelling. Understanding the business situations in which personal data are shared both within and without the organisation suggests the possibility of procedural and administrative controls (such as contracts and agreements) to be applied by data custodians
- 7: Data assessment - understanding the data structures to identify possible ‘attacks’ (unauthorised/inappropriate attempts to obtain personal information that would compromise privacy)
- 8: Identifiability assessment and mitigation - understanding how personal information might be gleaned from available/accumulated data that (whether individually or as a whole) has been inadequately anonymized, and mitigating the risks (e.g. applying the de-identification techniques described in ISO/IEC 20889) to an acceptable level (not necessarily zero!)
- 9: De-identification governance - directing and controlling the people involved in maintaining privacy, for example by determining and assigning appropriate roles and responsibilities, defining policies and procedures, managing and mopping-up after privacy breach incidents
- Annex A: Example identifiers
- Annex B: Example threshold identifiability benchmarks

Status

The current first edition was published in 2022.

Commentary

As our personal information is increasingly obtained and shared both within and among organisations, this standard has a valuable role in setting the ground rules. It specifies how to do so without unnecessarily compromising the privacy of the individuals concerned, or exposing personal data to compromise by various means (e.g. data aggregation and inference attacks). As such, it facilitates the process by increasing the level of trust between providers and acquirers of personal information, supporting privacy arrangements in general.

This page last updated: 12 February 2026
- ISO/IEC 27503 | ISO27001security

ISO/IEC 27503 — Privacy and security guidelines on intelligent travel services [PWI pre-draft]

Abstract

??

Introduction

??

Scope

??

Structure

??

Status

Preliminary Work Item in 2026. No information yet on ISO.org.

Commentary

ISO/IEC JTC 1/SC 27/WG 5 is studying the information security and privacy aspects of 'intelligent travel services'. It seems to be referring to Uber and the like, i.e. ride-sharing schemes for road travel, but I'm definitely not sure and might be completely wrong about that.

This page last updated: 2 April 2026
- ISO/IEC 27050-2 | ISO27001security

ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition)

Abstract

ISO/IEC 27050 part 2 “provides guidance for technical and non-technical personnel at senior management levels within an organisation, including those with responsibility for compliance with statutory and regulatory requirements, and industry standards. [Part 2] describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.” [Source: ISO/IEC 27050-2:2018]

Introduction

Part 2 guides management on identifying and treating the information risks related to eDiscovery, e.g. by setting and implementing eDiscovery-related policies and complying with relevant (mostly legal) obligations and expectations. It also offers guidance on good governance for forensics work, i.e. the overarching framework or structure within which digital forensic activities take place and are managed through a controlled, repeatable and trustworthy suite of activities.

Scope

Governance and management of eDiscovery.

Structure

Main clauses:
- 5: Electronic discovery background
- 6: Governance of electronic discovery
- 7: Management of electronic discovery
- 8: Risks and environmental factors
- 9: Compliance and review

Status

The current first edition of part 2 was published in 2018.

Commentary

Part 2 suggests a few possible metrics, although organisations are well advised to determine their own based on their objectives relating to eDiscovery, eForensics, incident management, information risks and so forth. Of all the things going on in this area, which parts and aspects are important for the business and why? [Hint: what are the key risks and key controls?] What kinds of information would help management manage them? What questions arising are likely to need answering? Those are strong clues to the metrics that would actually be worthwhile for a given organisation, as opposed to those suggested by others, including ISO.

Thankfully, part 2 outlines information risks that various information security controls are intended to mitigate. However, the list of risks is incomplete; for example, it fails to mention that damage, theft, loss or some other incident affecting ESI can compromise its value and admissibility in court, potentially decimating an otherwise valid case. It's a starting point though, something worth elaborating on.

This page last updated: 22 February 2026
- ISO/IEC TS 27116-1 | ISO27001security

ISO/IEC TS 27116-1 — Information security, cybersecurity and privacy protection — Framework for customised and multipurpose evaluation [DRAFT]

Abstract

[ISO/IEC TS 27116-1] “defines a general framework for customized and multipurpose evaluation.” (!) [Source: Preliminary Work Item Oct 2025]

Introduction

??

Scope

??

Structure

??

Status

A standard development project commenced in 2024, producing a Preliminary Work Item in October 2025.

Commentary

The PWI was incomplete so I still don’t know what kind of ‘evaluations’ this standard will cover. Evaluation of what? Against what? Why? How? When? By whom? So many questions but next to no answers thus far.

The dash-1 suggests this may be a multi-part standard. I have no idea what other parts are planned, if any.

This page last updated: 26 January 2026
- FAQ on maturity | ISO27001security
FAQ about maturing your ISMS - what to do next after the implementation slog and thrill of certification

Maturity

How should we prepare for recertification?

Email everyone shortly before the recertification audit, reminding them of their responsibilities towards both information security and the ISMS. Give them guidance and tips on how to conduct themselves during the audit. This is a classic security awareness opportunity!

Unlike the interim surveillance audits, which tend to focus on specific areas, a recertification audit will give the entire ISMS a thorough once-over. Since your ISMS has been in operation for some time (~3 years), the auditors will naturally expect to find a mature ISMS that is nevertheless moving forward, proactively responding to the inevitable changes using the Corrective And Preventive Action (CAPA, i.e. continual improvement or maturity) processes embedded within the ISMS.

Recertification requires a formal audit. That can be tough for organisations that have let their ISMS drift or decay after the elation of their initial certification. Renewal of your certification is not a foregone conclusion!

The audit’s prime focus will, of course, be to check and confirm conformity with ISO/IEC 27001. The key issue is to determine that you are effectively managing your information security using the framework specified in the standard. Use this checklist as a basis for planning the things you need to do before the audit:

- Check that your ISMS internal and external audits are fully up to date, with plans in place for future audits. Are all audit findings/observations, recommendations and agreed actions either completed and closed off, or currently in progress (with clear signs of that actually happening in practice)? Use the results of recent audits to drive forward any necessary changes and to reinforce the concept that the audits are all about making justified improvements. (It is worth double-checking that any other similar audits covering information risks, controls and compliance/conformity are also addressed.)
- Collate evidence of continuing management commitment to the ISMS, such as minutes of security committee meetings, decisions and actions taken, approved corrective or preventive action plans and the results of follow-up or close-out actions, and budgets.
- Complete a full management review of the ISMS, including your SoA and RTP. Document all findings and recommendations as preventive or corrective actions and ensure all actions are suitably initiated, allocated and managed. Try to get all significant issues closed off, or at least well under way, before the audit ... which means doing the management review in good time.
- Review your information risks. If there have been significant changes in the external business environment (e.g. new legal or regulatory compliance obligations, new ISO27k standards, new security partners), the internal situation (e.g. reorganisations) or technologies (e.g. new platforms and application systems in IT, OT, IoT, cloud or AI), you may need to redo your information risk assessment from scratch using the documented methods, and update your RTP. All risks should be treated, in other words avoided, controlled, shared or explicitly accepted by whoever is accountable, and, for significant risks, there should also be contingency plans in place in case the treatments fail.
- Review all the ISMS documentation (policies, standards, guidelines, procedures etc.) to ensure it is up to date, complete, formally approved/mandated/signed off, version-controlled and made available to those who need it (e.g. uploaded into the ISMS area on your intranet). Ruthlessly seek out and destroy old or outdated ISMS documentation.
- Get your information security awareness and training activities bang up to date and ensure a plan is in place for future activities.
- Ensure everyone knows where to find the ISMS policies and related materials and is aware of the content (a useful tip is to give everyone a shortcut to the information security documentation on their desktops).
- Ensure everyone is familiar with, and in fact actively complies with, their responsibilities towards information security, for example any obligations arising from privacy legislation and relevant information security procedures.
- Check the documentation relating to any recent information security incidents, for instance to confirm that corrective or preventive actions were documented and duly completed. Step back from the detail to confirm that the process is operating smoothly.
- Review your information security metrics. Given that your ISMS has matured, are they still relevant and useful or do they need adjusting? Have you in fact been routinely reporting and measuring against them (collate recent evidence to prove it) and have any actions necessary been taken (again, check those CAPA plans)?
- Get yourself round each area of the business and grill likely audit interviewees (both managers and staff) regarding their part in the ISMS. Ask them some searching questions (try the auditors’ favourite “Show me...” to check that they can actually produce solid evidence substantiating whatever they claim or believe to be true) and try to find the weaknesses or concerns before the auditors turn up - not to hide them but to address them! This is invaluable preparation or training for the auditees. Tell them up front that you are not being harsh with them but are asking stiff questions to help them prepare and make the actual recertification audit go more smoothly. It’s tough love.

Remember that the ISMS is dynamic, constantly adapting to changing business needs arising from evolving information risks. It will never be perfected or finished as such but, so long as it is properly managed, reviewed and fully supported by management, you will be fine.
What if things change after we are certified?

Stay in touch with your certification body, keeping them updated with (significant) changes and giving them the opportunity to say whether further surveillance visits or audits are in order. Building a strong working relationship with your auditors has the distinct advantage of "no surprises" on both sides, but it takes a little effort to establish and maintain the relationship, as indeed do all relationships (business or otherwise!).

That depends on the nature and scale of the changes. Change is an inevitable and inherent part of the challenge. Minor changes to the ISMS are expected to occur as it naturally evolves in line with changing business needs for information security, for example through the action of various internal reviews triggering corrective and preventive actions: these should have no effect on your certification status since they are an anticipated and normal part of any ISMS. Larger scale business or organisational changes may involve more significant changes to the scope of the ISMS, for example other parts of the business being integrated with the ISMS, mergers/acquisitions or downscaling/divestments: these may be substantial enough to invalidate your original certificate without at least a surveillance visit from your certification auditors, but it's impossible to give hard-and-fast rules.

Whether your ISMS changes are deemed substantial enough to invalidate your certificate, or to warrant recertification, depends on several factors such as:
- The scale or size of the change/s;
- The nature or type of change/s;
- The likely impact of business and organisational changes on your ISMS and/or information risks and hence the risk treatments required;
- How long it has been since your last certification or surveillance audit, and how long before the next one; and
- The certification body's policies and practices in this regard.

Aside from the certification angle, you should definitely update your information asset and information risk/control registers and maybe your RTP and SoA. You may need to update your security policies and perhaps restructure the team managing and running the ISMS, which may well imply the need for a new budget. Don’t forget to check your ISMS internal audit plans too, and if appropriate adapt your metrics accordingly.

How can we boost our security culture?

Use suitable metrics to measure relevant parameters of your corporate security culture and drive it in the right direction, adjusting the approach and celebrating successes along the way.

Try these five tips for size:
- Culture is heavily influenced by management, especially senior management. This is one of the key reasons that genuine senior management support is essential when implementing an ISMS ... which implies the importance of addressing senior management, helping them understand and appreciate the value of information security from the earliest opportunity.
- Corporate culture is also heavily influenced by powerful opinion-formers within the organisation (at any level of the hierarchy), by internal communications and networks (both formal and informal), and by the wider business/industry and national cultures in which people live. These are influenceable to varying degrees. An effective information security awareness program will identify and target the people/groups, themes, messages and styles across all these areas.
- Culture is an emergent property or characteristic of the organisation, demonstrated by people's actions and beliefs even when they are not being watched. This includes senior management: it is no good them saying “This awareness session is essential for everyone” if they don’t make a genuine effort to attend and actively participate.
- Changing corporate culture as a whole may be viewed as a massive long-term change management activity. Anyone who truly understands how to do massive change management reliably can make a fortune! It is a very complex and difficult topic, highly dependent on the specific context, plus the history leading up to the decisions to change. A serious information security or privacy incident, for example, is a classic trigger to “Do something, now!”.
- Culture is dynamic: it will continue to change or evolve naturally even after it has been pushed in a certain direction, and that future evolution is not entirely controllable. This is the main advantage of rolling or continuous security awareness programs, since a single awareness event or course will gradually be forgotten and awareness levels will decay unless constantly refreshed. Covering a planned, regular sequence of security topics is a good way to make sure that the materials remain interesting and engaging, along with having excellent awareness content prepared by people who understand and empathise with the audiences.

Plan to develop and enhance the security culture over the long term. Investing time and effort consistently into this will pay dividends - it is worth it. Tackle it in bite-sized chunks rather than all at once, aiming for incremental, solid improvements rather than dramatic but often short-lived effects.

Which security metrics should we use?

If metrics are to provide management with answers, what are their questions? The Goal-Question-Metric method, coupled with the PRAGMATIC approach, is a powerful way to build a worthwhile suite of valuable information security metrics.

It's tough to give simple advice on metrics: it is arguably the hardest part of what we do. But here goes.

It is unrealistic to expect a standard set of security metrics, in just the same way that there is no universal set of security controls: there are simply too many variables. In time, a core set of reasonably commonplace controls and metrics may emerge from the mire but there will probably never be total consensus.
Even if there was a standard set, you would still have to extend it to suit your unique situation anyway. In short, there is no way around figuring out the information risks, controls and metrics that matter to your particular organisation.

Metrics-related references worth studying:
- ISO/IEC 27004 - the current 2016 version is useful; the long-awaited next edition promises to be even better;
- "IT Security Metrics", a book by Lance Hayden, explains the Goal-Question-Metric structured approach in the IT security context;
- "PRAGMATIC Security Metrics", a book by Krag Brotby and Gary Hinson, lays out a method for systematically specifying, selecting/designing and improving information security metrics. The accompanying website SecurityMetametrics.com has an FAQ;
- "Metrics: you are what you measure", a brilliant paper by Hauser and Katz, warns about inadvertently driving the organisation the wrong way as a result of inappropriate metrics;
- NIST SP800-55 "Measurement Guide for Information Security" (2024) – volume 1 (identifying and selecting measures) and volume 2 (developing an information security measurement program). Well-written, up-to-date, and FREE!

As you read through that lot, start thinking hard about what you and your management might really want to know about how you are doing on information security, and start defining and prioritising the collective requirements. This is the crux of your problem. Management probably wants to know things like “Are we secure enough?” or “Are we more secure now than last quarter?” and “What are our most significant information risks?” and “Why is information security so expensive?”! These are really tough questions to answer, so work hard to refine them and make them at least partly answerable.

Hint: look at those parts of the ISMS which caused you the most grief when designing and implementing it. Are there parts of the ISMS that remain self-evidently painful to operate? If so, these are classic ISMS process improvement opportunities, and hopefully good places to gather metrics that will help you justify, plan and make those improvements, with the spin-off benefit that you will be making things easier for those involved.

It may seem too early but it's almost certainly worth talking to your management about what they might expect during this metrics design phase. Look at what kinds of metrics they get from other management systems. Find out what they actually use versus what they get, and look for clues about what kinds of things work best in your organisation. Consider phoning your peers at other similar organisations for some good ideas. Find out what formats and styles of reporting they like best or hate most. Ask them what few reports they could really not do without. Think minimalist at the start.

Next, start looking at the realities of gathering information on those things you really want to know, and continue refining your requirements. Some metrics will be straightforward (great! These are probably keepers), some will be feasible but more difficult (bear these in mind - they may need more work) and some will be so awkward and/or costly that the effort required to measure them will outweigh any benefit obtained (park these, at least for now: you may revisit them later as your ISMS matures).

Be careful with any existing infosec metrics: some of them may be being measured simply because they are easy to measure, such as simple counts of things (“23 malware incidents this month”, “23 million spams blocked today” or whatever). Unfortunately, such simple metrics typically don't tell management, especially senior management, anything really worthwhile. While a few may have value to the Information Security Manager as operational metrics, most are at best ‘nice to have’ numbers rather than “Oh boy, this one is in the red, we’d better turn dial ZZY to the left 20 degrees”!

Most of all, avoid the temptation to list and discuss all the information security-related things you can measure, like a giant shopping list. Some of them may be worthwhile ingredients, but most will be distracting and unhelpful. Trust me, this is not an effective way to start designing your ISMS metrics. If you must have one, keep the shopping list to yourself but share the menu.

Finally, towards the end of your lunchtime (!), it's time to start experimenting, trialling a few metrics, getting the data gathering, analysis and presentation processes working and getting feedback from management. Give them some ‘sample’ reports and ask them if they know what to do about the things you are reporting. This is where all your pre-work starts to pay off, hopefully. If you have chosen well, you should by now be ready to routinely report a few good metrics and, more than that, management should be using them to make decisions. Management should be saying “Ah, I see, yes, nice, let's have more of these ...” and “Mmm, that's not quite what I had in mind. I really need to know about ...”.

During this stage, you will inevitably find that you need to gather more detailed ‘supporting’ metrics to underpin the high level/strategic management stuff, and you will also figure out that there are various routine/operational issues and controls within the ISMS that deserve measuring and using for day-to-day purposes by the Information Security Manager and team.

Now is the time to work on defining targets. At what level, exactly, does metric 26 go ‘into the red’? Why there? Is it a point or a range? Whereabouts on the scale can we relax?

Then, over the next several decades (!!), keep on refining your metrics, testing new ones, dropping the ones that aren't working and responding to changes in your ISMS, the risks and controls, the people, the fashions, the good ideas you pick up at conferences ... and extending the answer to this FAQ with your wisdom.
How can I become an ISO27k consultant?

Dive deep to figure out your value proposition as a consultant - not your amazing personal qualities but the valuable business benefits you bring to clients, substantially outweighing your charges. Why should clients employ you rather than your competitors, if anyone? What's in it for them?

Start by studying the ISO27k standards – in particular the core set:
- ISO/IEC 27000 (overview & glossary)
- ISO/IEC 27001 (formal ISMS specification)
- ISO/IEC 27002 (catalogue of security controls)
- ISO/IEC 27003 (ISMS implementation)
- ISO/IEC 27004 (security metrics)
- ISO/IEC 27005 (risk management process)

ISO27k "Lead Auditor" or "Lead Implementer" courses can be a quick way to tackle the basics, depending on the nature and quality of the course materials and the competence of the trainers ... but 'basics' is the crux of it. A few hours or days in class is barely a start. ISO/IEC 27021 describes the competencies generally expected in this area.

Continue your self-development by actively researching and learning about governance, risk and control concepts. Study NIS2, DORA, PCI-DSS, COBIT, privacy laws, COSO ERM and so on. Take a good look at the remaining ISO27k standards including ISO/IEC 27701, plus others such as ISO 22301 and the NIST SP 800 series, and other certifications such as SOC 2 and Cyber Essentials. Impress potential clients with the breadth and depth of your knowledge. Read voraciously.

If you are not one already, read up on becoming a consultant (what that entails, how to start out, key aspects, things to expect, things to do, things to avoid ...) and running a business (useful to understand clients, even if you anticipate joining an established consultancy).

Aside from all that reading, real-world experience is crucial. Take on small infosec-related projects. Do research. Keep up with recent incidents, vulnerabilities and advisories. Write and publish papers. Participate actively in professional communities such as the ISO27k Forum, LinkedIn, ISACA ENGAGE and ISSA. Seek mentorship or guidance from more experienced peers. Accumulate knowledge, experience and expertise in governance, risk and control, in security, privacy, resilience and so forth. Your competence, credibility and hence success as a consultant influences the nature and quality of your work, and vice versa. You'll know when you have gained sufficient wisdom to make a real difference in the world - and so will your peers and clients.

Meanwhile, slog.