More results...
This morning I bumped into a marketing/promotional piece announcing PageProof’s certified “compliance” (conformity!) with “ISO 27001” (ISO/IEC 27001!). Naturally, they take the opportunity to mention that information security is an integral part of the…
While arguably better than
nothing at all, an unstructured approach to the management of information security results in organisations adopting a jumble, a
mixed bag of controls with no clear focus or priorities and – often –
glaring holes in the ar…
Following its exit from the EU, the UK is having to pick up on various important matters that were previously covered by EU laws and regulations. One such issue is to be addressed through a new law on online safety.”Online safety: what’s that?” I hear …
Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 “Identification of applicable legislation and contractual requirements”, members generally ask wh…
News emerged during June of likely further delays to the publication of the third edition of ISO/IEC 27001, this time due to the need to re-align the main body clauses with ISO’s revised management systems template (specfically, the 2022 edition of the…
Control 5.9 in ISO/IEC 27002:2022 recommends an inventory of information assets that should be “accurate, up to date, consistent and aligned with other inventories”. Fair enough, but what are ‘information assets’? What, exactly, are we suppo…
Inspired by an exchange on the ISO27k Forum yesterday morning, I wrote and published a simple 2-page exemptions policy template for SecAware. In essence, after explaining what ‘exemptions’ are, the policy requires that they are authorised after du…
Although the
organisational/business context is clearly relevant and important to information risk and
security management, it is tricky to describe. In my opinion, clause 4 of ISO/IEC 27001 is so succinct that it leaves readers perplexed as to …
The SecAware corporate information security policy template incorporates a set of generic principles for information risk and security such as “Our Information Security Management System
conforms to generally accepted good security practices as descri…
Inspired by an insightful comment on LinkeDin from an SC 27 colleague on the other side of the world (thanks Lars!), I spent most of last week updating the SecAware security policy templates and ISO27k ISMS materials.The main change was to distinguish …