May 16 2025

C-I-A + 2: The Full Spectrum of Information Security

Category: Information Securitydisc7 @ 8:43 am

The five pillars of information security form the foundation for designing and evaluating security policies, systems, and processes. In a world driven by AI, the pillars of information security remain essential…


1. Confidentiality

Definition: Ensuring that information is accessible only to those authorized to access it.
Goal: Prevent unauthorized disclosure of data.
Controls & Examples:

  • Encryption (e.g., AES for data at rest or TLS for data in transit)
  • Access controls (e.g., role-based access, multifactor authentication)
  • Data classification and labeling
  • VPNs for secure remote access


2. Integrity

Definition: Assuring the accuracy and completeness of data and system configurations.
Goal: Prevent unauthorized modification or destruction of information.
Controls & Examples:

  • Hashing (e.g., SHA-256 to verify file integrity)
  • Digital signatures
  • Audit logs
  • File integrity monitoring systems


3. Availability

Definition: Ensuring that information and systems are accessible to authorized users when needed.
Goal: Minimize downtime and ensure reliable access to critical systems.
Controls & Examples:

  • Redundant systems and failover clusters
  • Backup and disaster recovery plans
  • Denial-of-service (DoS) protection
  • Regular patching and maintenance


4. Authenticity

Definition: Verifying that users, systems, and data are genuine.
Goal: Ensure that communications and data originate from a trusted source.
Controls & Examples:

  • Digital certificates and Public Key Infrastructure (PKI)
  • Two-factor authentication
  • Biometric verification
  • Secure protocols like SSH, HTTPS


5. Non-repudiation

Definition: Ensuring that a party in a communication cannot deny the authenticity of their signature or the sending of a message.
Goal: Provide proof of origin and integrity to avoid disputes.
Controls & Examples:

  • Digital signatures with timestamps
  • Immutable audit logs
  • Secure email with signing and logging
  • Blockchain-based verification in advanced systems

Together, these five pillars help protect the confidentiality, accuracy, reliability, authenticity, and accountability of information systems and are essential for any organization’s risk management strategy.

Foundations of Information Security

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services


May 15 2025

From Oversight to Override: Enforcing AI Safety Through Infrastructure

Category: AI,Information Securitydisc7 @ 9:57 am

You can’t have AI without an IA

As AI systems become increasingly integrated into critical sectors such as finance, healthcare, and defense, their unpredictable and opaque behavior introduces significant risks to society. Traditional safety protocols may not be sufficient to manage the potential threats posed by highly advanced AI, especially those capable of causing existential harm. To address this, researchers propose Guillotine, a hypervisor-based architecture designed to securely sandbox powerful AI models.

Guillotine leverages established virtualization techniques but also introduces fundamentally new isolation strategies tailored for AI with existential-risk potential. Unlike typical software, such AI may attempt to analyze and subvert the very systems meant to contain them. This requires a deep co-design of hypervisor software with the underlying hardware—CPU, memory, network interfaces, and storage—to prevent side-channel leaks and eliminate avenues for reflective exploitation.

Beyond technical isolation, Guillotine incorporates physical fail-safes inspired by systems in nuclear power plants and aviation. These include hardware-level disconnection mechanisms and even radical approaches like data center flooding to forcibly shut down or destroy rogue AI. These physical controls offer a final layer of defense should digital barriers fail.

The underlying concern is that many current AI safety frameworks rely on policy rather than technical enforcement. As AI becomes more capable, it may learn to bypass or manipulate these soft controls. Guillotine directly confronts this problem by embedding enforcement into the architecture itself—creating systems that can’t be talked out of enforcing the rules.

In essence, Guillotine represents a shift from trust-based AI safety toward hardened, tamper-resistant infrastructure. It acknowledges that if AI is to be trusted with mission-critical roles—or if it poses existential threats—we must engineer control systems with the same rigor and physical safeguards used in other high-risk industries.

Ā Guillotine: Hypervisors for Isolating Malicious AIs.

Googleā€˜s AI-Powered Countermeasures Against Cyber Scams

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

The Role of AI in Modern Hacking: Both an Asset and a Risk

Businesses leveraging AI should prepare now for a future of increasing regulation.

NIST: AI/ML Security Still Falls Short

DISC InfoSec’s earlier post on the AI topic

Trust Me – ISO 42001 AI Management System

 Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: AIMS, AISafety, artificial intelligence, Enforcing AI Safety, GuillotineAI, information architecture, ISO 42001


May 15 2025

CoinbaseĀ data breach highlights significant vulnerabilities in the cryptocurrency industry

Coinbase‘s recent data breach, estimated to cost between $180 million and $400 million, wasn’t caused by a technological failure, but rather by a sophisticated social engineering attack. Cybercriminals bribed offshore support agents to obtain sensitive customer data, including personally identifiable information (PII), government IDs, bank details, and account information.

This highlights a critical breakdown inĀ Coinbase‘s internal security, specifically in access control and oversight of its contractors. No cryptocurrency was stolen directly, but the exposure of such sensitive data poses significant risks to affected customers, including identity theft and financial fraud. The financial repercussions forĀ CoinbaseĀ are substantial, encompassing remediation costs and customer reimbursements. The incident raises serious questions about the security practices within the cryptocurrency industry and whether the term “innovation” appropriately describes practices that expose users to such significant risks.

Impact and Fallout

While no cryptocurrency was stolen, the breach exposed sensitive customer information, such as names, bank account numbers, and routing numbers . This exposure poses risks of identity theft and fraud. Coinbase has estimated potential costs for cleanup and customer reimbursements to be between $180 million and $400 million. The breach has also led to increased regulatory scrutiny and potential legal challenges .

Broader Implications

This incident highlights a critical issue in the crypto industry: the reliance on human factors and inadequate security training. Despite advanced technological safeguards, human error remains a significant vulnerability. The breach was not due to a failure in technology but rather a breakdown in trust, access control, and oversight. It raises questions about the industry’s approach to security and whether current practices are sufficient to protect users .

Moving Forward

The Coinbase breach serves as a wake-up call for the crypto industry to reevaluate its security protocols, particularly concerning employee training and access controls. It underscores the need for robust security measures that address not only technological vulnerabilities but also human factors. As the industry continues to evolve, prioritizing comprehensive security strategies will be essential to maintain user trust and ensure the integrity of crypto platforms.

The scale of the breach and its potential long-term consequences for customers and the reputation ofĀ CoinbaseĀ are considerable, prompting discussions about necessary improvements in security protocols and regulatory oversight within the cryptocurrency space.

Coinbase faces $400M bill after insider phishing attack

Here are some countermeasures to prevent similar incidents from happening again.

To prevent future breaches like the recent Coinbase incident, a multi-pronged approach is necessary, focusing on both technological and human factors. Here’s a breakdown of potential countermeasures:

Enhanced Security Measures:

  • Multi-Factor Authentication (MFA): Implement robust MFA across all systems and accounts, making it mandatory for all employees and contractors. This adds an extra layer of security, making it significantly harder for unauthorized individuals to access accounts, even if they obtain credentials.
  • Zero Trust Security Model: Adopt a zero-trust architecture, assuming no user or device is inherently trustworthy. This involves verifying every access request, regardless of origin, using continuous authentication and authorization mechanisms.
  • Regular Security Audits and Penetration Testing: Conduct frequent and thorough security audits and penetration testing to identify and address vulnerabilities before malicious actors can exploit them. These assessments should cover all systems, applications, and infrastructure components.
  • Employee Training and Awareness Programs: Implement comprehensive security awareness training programs for all employees and contractors. This should cover topics like phishing scams, social engineering tactics, and safe password practices. Regular refresher courses are essential to maintain vigilance.
  • Access Control and Privileged Access Management (PAM): Implement strict access control policies, limiting access to sensitive data and systems based on the principle of least privilege. Use PAM solutions to manage and monitor privileged accounts, ensuring that only authorized personnel can access critical systems.
  • Data Loss Prevention (DLP): Deploy DLP tools to monitor and prevent sensitive data from leaving the organization’s control. This includes monitoring data transfers, email communications, and cloud storage access.
  • Blockchain-Based Security Solutions: Explore the use of blockchain technology to enhance security. This could involve using blockchain for identity verification, secure data storage, and tamper-proof audit trails.
  • Threat Intelligence and Monitoring: Leverage threat intelligence feeds and security information and event management (SIEM) systems to proactively identify and respond to potential threats. This allows for early detection of suspicious activity and enables timely intervention.

Improved Contractor Management:

  • Background Checks and Vetting: Conduct thorough background checks and vetting processes for all contractors, particularly those with access to sensitive data. This should include verifying their identity, credentials, and past employment history.
  • Contractual Obligations: Clearly define security responsibilities and liabilities in contracts with contractors. Include clauses outlining penalties for data breaches and non-compliance with security policies.
  • Regular Monitoring and Oversight: Implement robust monitoring and oversight mechanisms to track contractor activity and ensure compliance with security protocols. This could involve regular audits, access reviews, and performance evaluations.
  • Secure Communication Channels: Ensure that all communication with contractors is conducted through secure channels, such as encrypted email and messaging systems.

Regulatory Compliance:

  • Adherence to Data Protection Regulations: Strictly adhere to relevant data protection regulations, such as GDPR and CCPA, to ensure compliance with legal requirements and protect customer data.

By implementing these countermeasures, organizations can significantly reduce their risk of experiencing similar breaches and protect sensitive customer data.

The Ultimate Guide to Staying Safe from Cryptocurrency Scams and Hacks

From Cartels to Crypto: The digitalisation of money laundering

Lazarus APT Laundered Over $900 Million Worth of Cryptocurrency

Attackers hit software firm Retool to get to crypto companies and assets

7 Rules Of Risk Management For Cryptocurrency Users

Hackers use Rilide browser extension to bypass 2FA, steal crypto

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: Coinbase, cryptocurrency


May 13 2025

AI is Powerful—But Risky. ISO/IEC 42001 Can Help You Govern It

Category: Information Security,ISO 27kdisc7 @ 2:56 pm

Managing AI Risks: A Strategic Imperative – responsibility and disruption must
coexist

Artificial Intelligence (AI) is transforming sectors across the board—from healthcare and finance to manufacturing and logistics. While its potential to drive innovation and efficiency is clear, AI also introduces complex risks that can impact fairness, transparency, security, and compliance. To ensure these technologies are used responsibly, organizations must implement structured governance mechanisms to manage AI-related risks proactively.

Understanding the Key Risks

Unchecked AI systems can lead to serious problems. Biases embedded in training data can produce discriminatory outcomes. Many models function as opaque ā€œblack boxes,ā€ making their decisions difficult to explain or audit. Security threats like adversarial attacks and data poisoning also pose real dangers. Additionally, with evolving regulations like the EU AI Act, non-compliance could result in significant penalties and reputational harm. Perhaps most critically, failure to demonstrate transparency and accountability can erode public trust, undermining long-term adoption and success.

ISO/IEC 42001: A Framework for Responsible AI

To address these challenges, ISO/IEC 42001—the first international AI management system standard—offers a structured, auditable framework. Published in 2023, it helps organizations govern AI responsibly, much like ISO 27001 does for information security. It supports a risk-based approach that accounts for ethical, legal, and societal expectations.

Key Components of ISO/IEC 42001

  • Contextual Risk Assessment: Tailors risk management to the organization’s specific environment, mission, and stakeholders.
  • Defined Governance Roles: Assigns clear responsibilities for managing AI systems.
  • Life Cycle Risk Management: Addresses AI risks across development, deployment, and ongoing monitoring.
  • Ethics and Transparency: Encourages fairness, explainability, and human oversight.
  • Continuous Improvement: Promotes regular reviews and updates to stay aligned with technological and regulatory changes.

Benefits of Certification

Pursuing ISO 42001 certification helps organizations preempt security, operational, and legal risks. It also enhances credibility with customers, partners, and regulators by demonstrating a commitment to responsible AI. Moreover, as regulations tighten, ISO 42001 provides a compliance-ready foundation. The standard is scalable, making it practical for both startups and large enterprises, and it can offer a competitive edge during audits, procurement processes, and stakeholder evaluations.

Practical Steps to Get Started

To begin implementing ISO 42001:

  • Inventory your existing AI systems and assess their risk profiles.
  • Identify governance and policy gaps against the standard’s requirements.
  • Develop policies focused on fairness, transparency, and accountability.
  • Train teams on responsible AI practices and ethical considerations.

Final Recommendation

AI is no longer optional—it’s embedded in modern business. But its power demands responsibility. Adopting ISO/IEC 42001 enables organizations to build AI systems that are secure, ethical, and aligned with regulatory expectations. Managing AI risk effectively isn’t just about compliance—it’s about building systems people can trust.

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

The 12–24 Month Timeline Is Logical

Planning AI compliance within the next 12–24 months reflects:

  • The time needed to inventory AI use, assess risk, and integrate policies
  • The emerging maturity of frameworks like ISO 42001, NIST AI RMF, and others
  • The expectation that vendors will demand AI assurance from partners by 2026

Companies not planning to do anything (the 6%) are likely in less regulated sectors or unaware of the pace of change. But even that 6% will feel pressure from insurers, regulators, and B2B customers.

Here are the Top 7 GenAI Security Practices that organizations should adopt to protect their data, users, and reputation when deploying generative AI tools:


1. Data Input Sanitization

  • Why: Prevent leakage of sensitive or confidential data into prompts.
  • How: Strip personally identifiable information (PII), secrets, and proprietary info before sending input to GenAI models.


2. Model Output Filtering

  • Why: Avoid toxic, biased, or misleading content from being released to end users.
  • How: Use automated post-processing filters and human review where necessary to validate output.


3. Access Controls & Authentication

  • Why: Prevent unauthorized use of GenAI systems, especially those integrated with sensitive internal data.
  • How: Enforce least privilege access, strong authentication (MFA), and audit logs for traceability.


4. Prompt Injection Defense

  • Why: Attackers can manipulate model behavior through cleverly crafted prompts.
  • How: Sanitize user input, use system-level guardrails, and test for injection vulnerabilities during development.


5. Data Provenance & Logging

  • Why: Maintain accountability for both input and output for auditing, compliance, and incident response.
  • How: Log inputs, model configurations, and outputs with timestamps and user attribution.


6. Secure Model Hosting & APIs

  • Why: Prevent model theft, abuse, or tampering via insecure infrastructure.
  • How: Use secure APIs (HTTPS, rate limiting), encrypt models at rest/in transit, and monitor for anomalies.


7. Regular Testing and Red-Teaming

  • Why: Proactively identify weaknesses before adversaries exploit them.
  • How: Conduct adversarial testing, red-teaming exercises, and use third-party GenAI security assessment tools.

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier post on the AI topic

Feel free to get in touch if you have any questions about the ISO 42001 Internal audit or certification process.

NIST: AI/ML Security Still Falls Short

Trust Me – ISO 42001 AI Management System

AI Management System Certification According to the ISO/IEC 42001 Standard

 Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

ā€œAI Regulation: Global Challenges and Opportunitiesā€

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: AIMS, Governance, ISO 42001


May 09 2025

How to Leverage Generative AI for ISO 27001 Implementation

Category: Information Security,ISO 27kdisc7 @ 12:45 pm

DISC’s guide on implementing ISO 27001 using generative AI highlights how AI technologies can streamline the establishment and maintenance of an Information Security Management System (ISMS). By leveraging AI tools, organizations can automate various aspects of the ISO 27001 implementation process, enhancing efficiency and accuracy.

AI-powered platforms like DISC InfoSec ISO27k Chatbot serve as intelligent knowledge bases, providing instant answers to queries related to ISO 27001 requirements, control implementations, and documentation. These tools assist in drafting necessary documents such as the Risk assessment and Statement of Applicability, and offer guidance on implementing Annex A controls. Additionally, AI can may facilitate training and awareness programs by generating tailored educational materials, ensuring that all employees are informed about information security practices.

The integration of AI into ISO 27001 implementation not only accelerates the process but also reduces the likelihood of errors, ensuring a more robust and compliant ISMS. By automating routine tasks and providing expert guidance, AI enables organizations to focus on strategic decision-making and continuous improvement in their information security management.

Hey I’m the digital assistance of DISC InfoSec for ISO 27k implementation.

I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents.

Please click the link below to type your query regarding ISO 27001 (ISMS) implementation

ISO27k Chat bot

If the GenAI chatbot doesn’t provide the answer you’re looking for, what would you expect it to do next?

If you don’t receive a satisfactory answer, please don’t hesitate to reach out to us — we’ll use your feedback to help retrain and improve the bot.

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

ISO 27001’s Outdated SoA Rule: Time to Move On

ISO 27001 Compliance: Reduce Risks and Drive Business Value

ISO 27001:2022 Risk Management Steps


How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

ISO 27001 certification validates that your ISMS meets recognized security standards and builds trust with customers by demonstrating a strong commitment to protecting information.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: GenAI, iso 27001


May 07 2025

Aligning Cybersecurity With Business Objectives Through Targeted Pen Testing

Category: Information Securitydisc7 @ 9:28 am

1. Understanding Objective-Based Penetration Testing
Objective-based penetration testing focuses on assessing an organization’s security by simulating real-world attack scenarios with specific goals in mind. Unlike traditional methods that might broadly scan for vulnerabilities, this approach targets particular objectives, such as accessing sensitive data or compromising critical systems, providing a more realistic evaluation of security posture.

2. The Importance of Realistic Threat Simulation
By emulating tactics used by actual threat actors, objective-based tests reveal how well an organization’s defenses can withstand targeted attacks. This method uncovers not just technical vulnerabilities but also weaknesses in processes and human factors, offering a comprehensive view of potential security gaps.

3. Enhancing Incident Response Preparedness
These targeted assessments help organizations evaluate and improve their incident response strategies. By observing how teams react to simulated breaches, companies can identify deficiencies in their response plans and training, leading to more effective real-world reactions to security incidents.

4. Aligning Security Measures with Business Objectives
Objective-based testing ensures that security evaluations are aligned with the organization’s specific goals and risk appetite. This alignment allows for more relevant and actionable insights, enabling businesses to prioritize security investments that protect their most critical assets.

5. Identifying Hidden Vulnerabilities
This approach is particularly effective at uncovering complex vulnerabilities that might be missed by standard testing methods. By focusing on achieving specific objectives, testers can identify intricate attack paths and chained exploits that pose significant risks.

6. Supporting Compliance and Regulatory Requirements
Objective-based penetration testing can aid in meeting various compliance standards by demonstrating a proactive approach to identifying and mitigating security risks. It provides documented evidence of security assessments tailored to the organization’s unique environment and threats.

7. Strengthening Overall Security Posture
By adopting objective-based penetration testing, organizations can gain deeper insights into their security strengths and weaknesses. This knowledge enables them to implement targeted improvements, enhance their resilience against cyber threats, and better protect their critical assets.

Penetration Testing Demystified: A Hands-on Introduction and Practical Guide: Your Keys to Security Tools and Techniques

Resilience at Risk: Overlooked Threats Every Leadership Team Should Know

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services


May 07 2025

Resilience at Risk: Overlooked Threats Every Leadership Team Should Know

They’re the quiet ones—the ones that will silently gut your continuity strategy while leadership watches the wrong fire.


1️⃣ Shadow SaaS Is Out of Control
Business units are adopting tools without IT oversight—no security, no backups, no DR.
It works… until it doesn’t. Then it becomes your problem.


2️⃣ RTOs Are Fiction, Not Strategy
“30 hours” looks good—until the CEO demands answers three hours in.
If your recovery needs a miracle, it’s not a plan. It’s a pending failure.


3️⃣ Resilience Theater Is Everywhere
Policies? Written. Boxes? Checked.
But when the real incident hits, no one knows what to do. You’ve got documentation, not readiness.


4️⃣ Hidden Dependencies Will Break You
APIs, scripts, microservices—no SLAs, no visibility, no accountability.
They fail quietly. Business halts. And no one saw it coming.


5️⃣ Continuity Teams Have Quiet Quit
Resilience professionals are exhausted, underfunded, and unheard.
Their silence isn’t safety—it’s burnout. And it’s dangerous.


🔶 Resilience doesn’t fail loudly. It erodes quietly.
CISOs and leadership teams: It’s time to stop watching the wrong fire.

Security and resilience. Business continuity management systems. Requirements

Cyber Resilience – Defence-in-depth principles

Becoming Resilient – The Definitive Guide to ISO 22301 Implementation: The Plain English, Step-by-Step Handbook for Business Continuity Practitioners

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS)

ISO 22301 Free to read

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: Cyber Resilience


May 06 2025

The CISOs You’re Overlooking Are the Ones Who Need You Most

Category: Information Securitydisc7 @ 2:16 pm

Coming off the back of RSA and I’m a little disheartened by some of the posts I’m seeing from startup founders about the countless meetings they’ve had with CISOs representing the fortune 500.

I get it. Landing an f500 customer does wonders for your brand, growth, funding, etc. But you do realize there is life beyond the f500 right? Or does your arrogance prevent you from acknowledging the thousands of companies, and CISOs within, who don’t have a glamour brand attached to their name?

If anything, those companies and CISOs are the ones who need you most. They are the ones operating with tight budgets, small teams, less resources, and huge levels of vulnerability. They need partners, and are turning to the startup ecosystem more and more in the hope of finding innovative tools that reduce their need for resources, and who cares more about building a long relationship vs a transaction.

Not taking anything away from the vendors whose products are attractive to the biggest brands on the planet. And certainly not taking anything away from the CISOs in f500 companies. But don’t neglect the greater CISO community. Treat everyone the same. Because once you’ve depleted your f500 targets, these are the CISOs you will turn to for continued growth.

Getting a “yes” from a Fortune 500 may sound like a dream for a startup—but it can quickly become a curse. Long contract negotiations, increased insurance requirements, premature scaling, and the need to support complex legacy environments can drain your team and resources. You’ll face challenges you weren’t prepared for and may alienate smaller customers who don’t relate to enterprise-scale use cases.

Contract Drafting and Negotiation for Entrepreneurs and Business Professionals

Mastering Effective Influencing Skills for Win-Win Outcomes – A practical guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services


May 04 2025

ISO 27001’s Outdated SoA Rule: Time to Move On

Category: Information Security,ISO 27kdisc7 @ 11:54 am

  1. Current Requirement in ISO 27001
    ISO 27001 currently mandates that the SoA must include justifications for both the inclusion and exclusion of each Annex A control. This requirement is often interpreted to mean that organizations must provide individual reasoning for every control listed or omitted.
  2. Guidance from ISO 27005:2022
    ISO 27005:2022 clarifies that only controls identified through risk assessment and treatment planning should be included in the SoA. These controls are selected because they help reduce risk to acceptable levels. The guidance explicitly states that no further justification is necessary for their inclusion.
  3. Exclusion Justification Also Redundant
    By extension, the only valid reason for excluding a control is that it was not identified as necessary in the risk treatment plan. If a control does not mitigate any identified risk, there is no need for it to appear in the SoA, and thus, no detailed justification is required.
  4. Controls Must Be Risk-Driven
    Controls exist to manage or modify risks. Including or excluding them must be directly based on whether they are necessary for risk treatment. Requiring extra justification, separate from the risk assessment, is logically inconsistent with the function of controls within an ISMS.
  5. Recommendation to Remove the Justification Requirement
    Given this risk-based logic, the recommendation is to eliminate the need for detailed justifications of inclusions or exclusions in the SoA. This requirement appears to be an error or legacy clause in ISO 27001 that contradicts more recent guidance.
  6. Alignment with ISO 27005 and Future ISO 27003
    This position aligns with ISO 27005:2022, which supports a simplified, risk-driven approach to the SoA. It is anticipated that the upcoming ISO 27003 update will reinforce this same guidance, helping to resolve the inconsistency across standards.
  7. Practical Experience Supports the Change
    Despite popular belief, individualized justifications are not essential. The author has implemented many ISO 27001-certified ISMSs over the past decade without providing such justifications—and all achieved certification successfully.
  8. Simplified SOA Approach Recommended
    The SOA should only list necessary controls derived from the risk assessment, with no additional rationale needed for inclusion or exclusion. Controls not identified as necessary should simply not be listed, and the SOA should remain tightly aligned with the risk treatment plan.

Source: ISO27001 suggested change 13

ISO 27001 Compliance: Reduce Risks and Drive Business Value

ISO 27001:2022 Risk Management Steps


How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

ISO 27001 certification validates that your ISMS meets recognized security standards and builds trust with customers by demonstrating a strong commitment to protecting information.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, ISO 27001 2022, SoA, Statement of Applicability


May 01 2025

ISO 27001 Compliance: Reduce Risks and Drive Business Value

ISO 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS) that protects an organization’s information assets. The standard lays out a structured, systematic approach to information security: it explicitly defines requirements that cover people, processes, and technology, and it is built on a risk-based management process. In other words, ISO 27001 requires an organization to identify its critical data and assets, assess the risks to them, and implement controls to mitigate those risks. As the AuditBoard blog explains, ISO 27001 ā€œprovid[es] a systematic approach to managing sensitive company information, and ensuring its confidentiality, integrity, and availability,ā€ and ā€œemploy[s] a risk-based management processā€ā€‹. By achieving ISO 27001 certification, a company demonstrates its commitment to security best practices and gains ā€œimproved risk managementā€ capabilities​. In practice, this means ISO 27001 embeds risk reduction into the company’s daily operations: the organization is continually considering where its vulnerabilities lie and how to address them. This alignment of policy and process with identified risks helps prevent incidents that could lead to breaches or financial losses (outcomes the blog warns are costly for non-compliant companies​).

A core principle of ISO 27001 is systematic risk assessment. The standard mandates that organizations catalog information assets and regularly evaluate threats and vulnerabilities to those assets. This formal risk assessment process – often codified as a risk register – forces management to confront what could go wrong, estimate the likelihood and impact of each threat, and then select controls to lower that risk. The AuditBoard article highlights that effective compliance ā€œstarts with a deep understanding of your organization’s unique risk profileā€ through ā€œcomprehensive risk assessments that identify, analyze, and prioritize potential security threats and vulnerabilitiesā€ā€‹. By building this into the ISMS, ISO 27001 ensures that controls are not applied haphazardly but are directly tied to the organization’s actual threat landscape. In short, ISO 27001’s risk-based approach means the organization is proactively scanning for problems, rather than only reacting after a breach occurs. This systematic identification and treatment of risks measurably lowers the chance that a threat will go unnoticed and turn into a serious incident.

Another key principle of ISO 27001 is continual improvement of the security program. ISO 27001 is inherently iterative: it follows the Plan–Do–Check–Act cycle, which requires the organization to plan security controls, implement them, monitor and review their effectiveness, and act on the findings to improve. In practice, this means an ISO 27001–certified organization must regularly review and update its security policies and controls to keep pace with new threats. The AuditBoard blog emphasizes this proactive stance: it notes that maintaining compliance ā€œencourages businesses to regularly review and update their security policies, practices, and systems,ā€ allowing the organization to adapt to evolving threats and maintain ā€œlong-term resilienceā€ā€‹. Furthermore, ISO 27001 requires ongoing monitoring and measurement of the ISMS. Automated monitoring tools, for example, can detect anomalies or intrusions in real time. The blog underlines that such continuous monitoring ā€œstrengthens an organization’s security postureā€ by enabling a quick response to new risks​. By continuously detecting issues and feeding back lessons learned, an ISO 27001 ISMS avoids stagnation: it evolves as the threat landscape evolves. This dedication to continual assessment and enhancement means that security controls are always improving, which keeps residual risk as low as possible over time.

ISO 27001 also enforces organizational accountability for security. It requires that top management be directly involved in the ISMS: leaders must establish a clear security policy, assign roles and responsibilities, and ensure adequate resources are available for security. Every risk and control must have an owner. The AuditBoard article reinforces this by stressing the importance of a cross-functional security team and collaboration among IT, legal, HR, and business units​. In an ISO 27001 context, this means everyone from the CISO to line managers shares responsibility for protecting data. Accountability is further ensured through documentation: ISO 27001 demands thorough records of all security processes. The blog points out that maintaining ā€œcomprehensive records of risk assessments, security controls, training activities, and incident response effortsā€ provides clear evidence of compliance and highlights where improvements are needed​. This audit trail makes the organization’s security posture transparent to auditors and stakeholders. In effect, ISO 27001 turns vague good intentions into concrete, assigned tasks and documented procedures, so that it is always possible to trace who did what, and to hold the organization accountable for gaps or successes alike.

By combining these elements – structured risk analysis, continuous improvement, and built-in accountability – ISO 27001 compliance significantly reduces overall organizational risk. The AuditBoard blog summarizes the core idea of compliance in cybersecurity as a security framework that can withstand emerging threats, noting that adherence to standards ā€œensures that organizations protect their data and build trust by demonstrating their commitment to information securityā€ā€‹. In practical terms, this means a company with an ISO 27001 ISMS is far better equipped to prevent the ā€œsignificant consequencesā€ of non-compliance – such as data breaches, financial losses, and reputational damage​. By embedding a risk-based approach into daily routines and maintaining a culture of vigilance and responsibility, ISO 27001 helps an organization identify issues early and handle them before they become disasters. Ultimately, this strong, systematic compliance posture not only shields sensitive information, but also saves the company from costly incidents – improving its bottom line and competitive standing (as noted, certification can confer a competitive edge and ā€œimproved risk managementā€ā€‹). In summary, ISO 27001 reduces risk by making effective information security practices a formal, organization-wide process that is continuously managed and improved.

Source and full article here

ISO 27001:2022 Risk Management Steps


How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Information Security Management System, iso 27001, iso 27002, ISO/IEC 27001


May 01 2025

How CISO’s are transforming the Third-Party Risk Management

​The RSA Conference Executive Security Action Forum (ESAF) report, How Top CISOs Are Transforming Third-Party Risk Management, presents insights from Fortune 1000 Chief Information Security Officers (CISOs) on evolving strategies to manage third-party cyber risks. The report underscores the inadequacy of traditional risk management approaches and highlights innovative practices adopted by leading organizations.​

1. Escalating Third-Party Risks

The report begins by emphasizing the increasing threat posed by third-party relationships. A survey revealed that 87% of Fortune 1000 companies experienced significant cyber incidents originating from third parties within a year. This statistic underscores the urgency for organizations to reassess their third-party risk management strategies.​

2. Limitations of Traditional Approaches

Traditional methods, such as self-assessment questionnaires and cybersecurity ratings, are criticized for their ineffectiveness. These approaches often lack context, fail to reduce actual risk, and do not foster resilience against cyber threats. The report advocates for a shift towards more proactive and context-aware strategies.​

3. Innovative Strategies by Leading CISOs

In response to these challenges, top CISOs are implementing bold new approaches. These include establishing prioritized security requirements, setting clear deadlines for control implementations, incorporating enforcement clauses in contracts, and assisting third parties in acquiring necessary security technologies and services. Such measures aim to enhance the overall security posture of both the organization and its partners.​

4. Emphasizing Business Leadership and Resilience

The report highlights the importance of involving business leaders in managing cyber risks. By integrating cybersecurity considerations into business decisions and fostering a culture of resilience, organizations can better prepare for and respond to third-party incidents. This holistic approach ensures that cybersecurity is not siloed but is a shared responsibility across the enterprise.​

5. Case Studies Demonstrating Effective Practices

Six cross-sector case studies are presented, showcasing how organizations in industries like defense, healthcare, insurance, manufacturing, and technology are successfully transforming their third-party risk management. These real-world examples provide valuable insights into the practical application of the recommended strategies and their positive outcomes.​

6. The Role of Technology and Security Vendors

The report calls upon technology and security vendors to play a pivotal role in minimizing complexities and reducing costs associated with third-party risk management. By collaborating with organizations, vendors can develop solutions that are more aligned with the evolving cybersecurity landscape and the specific needs of businesses.​

7. Industry Collaboration for Systemic Change

Recognizing that third-party risk is a widespread issue, the report advocates for industry-wide collaboration. Establishing common standards, sharing best practices, and engaging in joint initiatives can lead to systemic changes that enhance the security of the broader ecosystem. Such collective efforts are essential for addressing the complexities of modern cyber threats.​

8. Moving Forward with Proactive Measures

The ESAF report concludes by encouraging organizations to adopt proactive measures in managing third-party risks. By moving beyond traditional methods and embracing innovative, collaborative, and resilient strategies, businesses can better safeguard themselves against the evolving threat landscape. The insights provided serve as a roadmap for organizations aiming to strengthen their cybersecurity frameworks in partnership with their third parties.​

Sources and full article here

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Navigating Supply Chain Cyber RiskĀ 

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Third-party risk management


Apr 30 2025

Inside Cyber Warfare: Mapping the Cyber Underworld

Category: Cyber War,Information Security,Information Warfaredisc7 @ 1:09 pm

​Ben Rothke’s review of Inside Cyber Warfare: Mapping the Cyber Underworld by Jeffrey Carr offers a sobering examination of the modern landscape of cyber conflict. The book delves into the evolving nature of cyber threats, highlighting how state-sponsored actors and criminal organizations exploit digital vulnerabilities to achieve their objectives. Carr’s analysis underscores the complexity and pervasiveness of cyber warfare in today’s interconnected world.​

Carr emphasizes that cyber warfare is not confined to isolated incidents but is a continuous and multifaceted threat. He illustrates how nations leverage cyber capabilities for espionage, sabotage, and influence operations. The book provides detailed accounts of various cyber attacks, shedding light on the tactics and motivations behind them. Carr’s insights reveal the strategic importance of cyber operations in modern geopolitical conflicts.​

One of the critical themes in Carr’s work is the attribution challenge in cyber attacks. Determining the origin of an attack is often fraught with uncertainty, complicating responses and accountability. Carr discusses the implications of this ambiguity, particularly in the context of international law and norms. The difficulty in attributing attacks hampers efforts to deter malicious actors and enforce consequences.​

Carr also explores the role of non-state actors in cyber warfare. He examines how terrorist groups, hacktivists, and criminal syndicates exploit cyberspace for their agendas. The book delves into the methods these groups use, from defacing websites to orchestrating complex cyber heists. Carr’s analysis highlights the democratization of cyber capabilities and the resulting proliferation of threats.​

The book doesn’t shy away from discussing the vulnerabilities within critical infrastructure. Carr outlines how essential services like power grids, water supplies, and transportation systems are susceptible to cyber attacks. He stresses the potential for catastrophic consequences if these systems are compromised, urging for robust security measures and contingency planning.​

Carr’s narrative also touches on the psychological and societal impacts of cyber warfare. He examines how disinformation campaigns and cyber propaganda can erode public trust and destabilize societies. The book provides examples of how such tactics have been employed to influence elections and sow discord, emphasizing the need for resilience against information warfare.​

In conclusion, Inside Cyber Warfare serves as a comprehensive guide to understanding the complexities of cyber conflict. Carr’s work is a call to action for policymakers, security professionals, and the public to recognize the gravity of cyber threats. The book advocates for international cooperation, robust cybersecurity frameworks, and public awareness to mitigate the risks posed by cyber warfare.​

Sources

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Cyber Warfare


Apr 29 2025

RSA 2025 spotlighted 10 innovative cybersecurity tools

Category: cyber security,Information Security,Security Toolsdisc7 @ 2:29 pm

RSA 2025 spotlighted 10 innovative cybersecurity tools, including AI-driven email threat detection, phishing simulation agents, and autonomous security workflows. Vendors focused on securing AI models, improving visibility into non-human identities, and protecting APIs and AI agents from abuse. Tools for crowdsourced red teaming, binary-level vulnerability analysis, and real-time software architecture mapping also featured prominently. The trend is clear: automation, identity governance, and proactive threat exposure are front and center in the next generation of cybersecurity solutions.

Here’s a concise summary of CRN’s article on hot tools announced at RSA 2025:

1. AI in Security Operations
Palo Alto Networks and CrowdStrike showcased advanced AI tools. Palo Alto’s Cortex XSIAM 3.0 introduced smarter email threat detection and noise-reducing vulnerability management. CrowdStrike launched agentic AI tools for automated security responses and workflow generation.

2. Smarter Phishing and Data Analysis
Abnormal AI introduced two autonomous agents — one for personalized phishing training and another for digesting security data into actionable insights, streamlining analysis for cybersecurity teams.

3. Safe AI Model Training and Governance
Netskope enhanced its DSPM with features to prevent sensitive data from being used in LLM training, along with improved AI policy enforcement and risk assessments.

4. Identity and Threat Detection Innovations
Huntress expanded its Managed ITDR to tackle rogue apps and shadow workflows. Silverfort boosted non-human identity protections across cloud services, offering unified identity visibility.

5. New Approaches to Red Teaming and API Security
Bugcrowd launched crowdsourced red teaming for real-world attack simulation. Wallarm introduced protection for AI agents themselves, guarding against prompt injection and other AI-specific threats.

6. Supply Chain and Application Insights
NetRise’s ZeroLens tool detects undisclosed software flaws through binary analysis. Apiiro offered a visual graph tool for real-time understanding of software architecture and risk exposure.


🔗 Full article on CRN

RSAC™ 2025 Conference – RSAC Official Blog

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: innovative cybersecurity tools, RSA 2025


Apr 29 2025

ISO 27001:2022 Risk Management Steps

​The document “Step-by-Step Explanation of ISO 27001/ISO 27005 Risk Management” by Advisera Expert Solutions offers a comprehensive guide to implementing effective information security risk management in alignment with ISO 27001 and ISO 27005 standards. It aims to demystify the process, providing practical steps for organizations to identify, assess, and treat information security risks efficiently.​ Advisera

1. Introduction to Risk Management

Risk management is essential for organizations to maintain competitiveness and achieve objectives. It involves identifying, evaluating, and treating risks, particularly those related to information security. The document emphasizes that while risk management can be complex, it doesn’t have to be unnecessarily complicated. By adopting structured methodologies, organizations can manage risks effectively without excessive complexity.​

2. Six Basic Steps of ISO 27001 Risk Assessment and Treatment

The risk management process is broken down into six fundamental steps:​

  1. Risk Assessment Methodology: Establishing consistent rules for conducting risk assessments across the organization.
  2. Risk Assessment Implementation: Identifying potential problems, analyzing, and evaluating risks to determine which need treatment.
  3. Risk Treatment Implementation: Developing cost-effective strategies to mitigate identified risks.
  4. ISMS Risk Assessment Report: Documenting all activities undertaken during the risk assessment process.
  5. Statement of Applicability: Summarizing the results of risk treatment and serving as a key document for auditors.
  6. Risk Treatment Plan: Outlining the implementation of controls, including responsibilities, timelines, and budgets.​

Management approval is crucial for the Risk Treatment Plan to ensure the necessary resources and commitment for implementation.​

3. Crafting the Risk Assessment Methodology

Developing a clear risk assessment methodology is vital. This involves defining how risks will be identified, analyzed, and evaluated. The methodology should ensure consistency and objectivity, allowing for repeatable and comparable assessments. It should also align with the organization’s context, considering its specific needs and risk appetite.​

4. Identifying Risks: Assets, Threats, and Vulnerabilities

Effective risk identification requires understanding the organization’s assets, potential threats, and vulnerabilities. This step involves creating an inventory of information assets and analyzing how they could be compromised. By mapping threats and vulnerabilities to assets, organizations can pinpoint specific risks that need to be addressed.​

5. Assessing Consequences and Likelihood

Once risks are identified, assessing their potential impact and the likelihood of occurrence is essential. This evaluation helps prioritize risks based on their severity and probability, guiding the organization in focusing its resources on the most significant threats. Both qualitative and quantitative methods can be employed to assess risks effectively.​

6. Implementing Risk Treatment Strategies

After assessing risks, organizations must decide on appropriate treatment strategies. Options include avoiding, transferring, mitigating, or accepting risks. Selecting suitable controls from ISO 27001 Annex A and integrating them into the Risk Treatment Plan ensures that identified risks are managed appropriately. The plan should detail the implementation process, including responsible parties and timelines.​

7. Importance of Documentation and Continuous Improvement

Documentation plays a critical role in the risk management process. The ISMS Risk Assessment Report and Statement of Applicability provide evidence of the organization’s risk management activities and decisions. These documents are essential for audits and ongoing monitoring. Furthermore, risk management should be a continuous process, with regular reviews and updates to adapt to changing threats and organizational contexts.​

By following these structured steps, organizations can establish a robust risk management framework that aligns with ISO 27001 and ISO 27005 standards, enhancing their information security posture and resilience.

Information Security Risk Management for ISO 27001/ISO 27002

How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, iso 27005, Risk Assessment, Risk management


Apr 24 2025

How to Send DKIM-Signed, 100% Legit Phishing Emails — Straight from Google That Bypass Everything

Category: Email Security,Information Security,Phishingdisc7 @ 1:01 pm

​A recent revelation by security researcher Nick Johnson highlights a sophisticated phishing technique that exploits Google’s own services—specifically OAuth and Google Sites—to send DKIM-signed phishing emails that appear entirely legitimate. This method allows attackers to craft emails that seem to originate from “no-reply@google.com,” effectively bypassing traditional email security measures and deceiving recipients into divulging sensitive information.​

The attack begins with the creation of a malicious Google OAuth application. Attackers manipulate the app’s name field to include deceptive messages, such as fake security alerts, by inserting numerous spaces or line breaks to obscure the true nature of the content. This crafted app name then autofills into legitimate-looking emails sent by Google, lending an air of authenticity to the phishing attempt.​

Subsequently, the attackers leverage Google Sites to host convincing phishing pages that mimic official Google interfaces. These pages are designed to harvest user credentials under the guise of legitimate Google services. Because the emails are sent through Google’s infrastructure and are DKIM-signed, they often evade spam filters and other security checks, making them particularly dangerous.​

This method is especially concerning because it exploits the inherent trust users place in Google’s services. By utilizing Google’s own platforms to disseminate phishing emails and host malicious content, attackers can effectively bypass many of the safeguards that users and organizations rely on to protect against such threats.​

The implications of this technique are far-reaching. It underscores the need for heightened vigilance and more robust security measures, as traditional defenses like DKIM and SPF may not be sufficient to detect and block such sophisticated attacks. Organizations must recognize that even trusted platforms can be manipulated to serve malicious purposes.​

To counteract these threats, several measures can be implemented:

  • User Education: Regular training to help users recognize phishing attempts, even those that appear to come from trusted sources.​
  • Two-Factor Authentication (2FA): Encouraging or mandating the use of 2FA can add an additional layer of security, making it more difficult for attackers to gain unauthorized access.​
  • Monitoring and Alerts: Implementing systems that monitor for unusual OAuth app creations or sign-in activities can help detect and respond to suspicious behavior promptly.​
  • Email Filtering Enhancements: Updating email filters to scrutinize not just the sender’s address but also the content and context of the message can improve detection rates.​
  • Collaboration with Service Providers: Working closely with platforms like Google to report and address vulnerabilities can lead to quicker resolutions and improved security for all users.​

By adopting a multi-faceted approach that combines user awareness, technical safeguards, and proactive collaboration, organizations can better defend against these advanced phishing techniques.

For further details, access the articleĀ here

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: DKIM-Signed


Apr 09 2025

How to differentiate between Emulation and Simulation in cyber world

Category: cyber security,Information Securitydisc7 @ 10:48 am

Emulation

🔧 Definition: Reproduces the exact behavior of one system on a different system.
🎯 Goal: Act like the real system, often for compatibility.
📦 Example: Running an old video game console on your PC using an emulator.

Key Traits:

  • Mimics both hardware and software behavior.
  • Used when accuracy is critical (e.g., legacy system support).
  • Slower but more faithful to original system.

Simulation

🧪 Definition: Models a system’s behavior to study or predict how it operates.
🎯 Goal: Understand or analyze system behavior, not necessarily replicate it exactly.
📊 Example: Simulating weather patterns or network traffic.

Key Traits:

  • Abstracts certain behaviors for analysis.
  • Focused on performance, outcomes, or patterns.
  • Often used in design, training, or testing.

👥 Analogy:

  • Emulation is like impersonating someone exactly—their voice, walk, habits.
  • Simulation is like creating a role-play of their behavior to study how they might act.

🔍 Emulation vs. Simulation: Side-by-Side Comparison

FeatureEmulationSimulation
PurposeReplicate exact behavior of a systemModel system behavior to understand, test, or predict outcomes
AccuracyVery high – mimics original system closelyApproximate – focuses on behavior, not exact replication
Use CaseCompatibility, legacy system testingAnalysis, design, forecasting, training
SpeedSlower due to detailed replicationFaster due to abstraction
System BehaviorIncludes full hardware/software behaviorModels only necessary parts of the system
Cybersecurity ExampleEmulating malware in a sandbox to observe behaviorSimulating a DDoS attack to test how a network would respond
IT ExampleEmulating an older OS to run legacy appsSimulating network performance under high load
Tools/TechQEMU, Bochs, BlueStacks, VirtualBox (with emulation settings)NS3, GNS3, Packet Tracer, Simulink

The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: Emulation vs Simulation


Apr 05 2025

Why ISO 27001 Is Worth It: A Practical Look at Costs and Benefits

Category: Information Securitydisc7 @ 3:00 pm

Investing in ISO 27001: Risk Reduction, Competitive Edge, and Cost Savings

​Implementing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard offers organizations a structured approach to managing information security risks. This system enhances the organization’s ability to handle information security incidents effectively, thereby reducing potential losses and associated costs. By systematically addressing information risks, the ISMS ensures that security measures are aligned with the organization’s specific needs and risk profile.

The adoption of an ISMS leads to a more consistent and comprehensive identification and mitigation of threats and vulnerabilities. This proactive stance not only strengthens existing security controls but also fosters a culture of continuous improvement and awareness among employees. As a result, the organization becomes more resilient and adaptable in the face of evolving cyber threats and uncertainties.

Standardizing information security practices through ISO/IEC 27001 ensures consistency both internally and externally. Internally, it provides a uniform framework across various departments and functions, facilitating coordinated efforts in managing information security. Externally, adherence to internationally recognized standards enhances the organization’s credibility and can lead to competitive advantages in the global market.

The ISMS serves as a solid foundation upon which additional security measures can be built as needed. This scalability allows organizations to tailor their security posture to address specific threats and protect particularly valuable or sensitive information assets effectively. By focusing resources on critical areas, organizations can achieve cost efficiencies while maintaining robust security.

Implementing an ISMS also facilitates better risk communication and understanding among stakeholders. Managers and staff become more familiar with information security concepts, leading to increased competence and a proactive approach to risk management. This heightened awareness contributes to a stronger security culture within the organization.

While there are costs associated with establishing and maintaining an ISMS, many of these expenses would be incurred regardless, as information security is a business imperative. The additional costs specific to the ISMS primarily relate to the initial implementation project, adjustments to governance structures, and optional certification processes. These investments are offset by the long-term benefits of reduced incident-related losses and improved compliance.

Organizations may also experience indirect benefits such as potential reductions in insurance premiums due to the implementation of robust security controls. By demonstrating a commitment to information security through an ISMS, organizations can negotiate more favorable terms with insurers, leading to cost savings.

In summary, adopting an ISMS based on ISO/IEC 27001 standards provides organizations with a systematic and effective framework for managing information security risks. The approach enhances resilience, ensures consistency, and can lead to significant cost savings over time. By embedding information security into the organizational culture, companies can protect their assets more effectively and maintain a competitive edge in today’s digital landscape.

Learn how to turn the Flywheel of ISMS in motion:

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

ISO 27001: 2022 Information Security Management System Guide (ISO 27000 Information Security Management)

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

ISO 27001 Risk Assessment Process – Summary

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

Managing Artificial Intelligence Threats with ISO 27001

Implementing and auditing 93 controls to reduce information security risks

The Real Reasons Companies Get ISO 27001 Certified 

Compliance per Category ISO 27002 2022

Why Your Organization Needs ISO 27001 Amid Rising Risks

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27001/2 latest titles

ISO 27k Chat bot

DISC InfoSec is currently conducting market research in the InfoSec space and would greatly value your insights. As a thank you, we’re offering a free 30-minute security consultation to learn how to turn the Flywheel of ISMS in motion:—no strings attached. This offer is only available for the next week before April 11th 2025, so if you’re open to a quick chat, let’s lock in a time ASAP.
Thanks,
https://www.deurainfosec.com/
info@deurainfosec.com

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services


Mar 28 2025

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Category: Information Security,Internal Audit,ISO 27kdisc7 @ 2:44 pm

​”Preparing for an ISO Audit: Tips and Best Practices” is a comprehensive guide by AuditCo, published in February 2025, aimed at assisting organizations in effectively preparing for ISO audits. The article outlines several key strategies:​

  1. Understanding ISO Standards: It emphasizes the importance of familiarizing oneself with the specific ISO standards relevant to the organization.​
  2. Conducting a Pre-Audit: The guide recommends performing a self-assessment to identify and address areas of non-compliance before the official audit.​
  3. Organizing Documentation: Ensuring that all pertinent documents, such as policies and records, are well-organized and easily accessible is highlighted as a crucial step.​
  4. Training Employees: Providing staff with training on the audit process and their respective roles is advised to facilitate a smoother audit experience.​
  5. Engaging with Auditors: Establishing open communication with auditors to clarify expectations and address concerns is also recommended.

Additionally, the article suggests best practices like creating an audit checklist, involving top management to demonstrate commitment to compliance, monitoring corrective actions for identified non-conformities, and implementing improvements post-audit to enhance the management system.​

For a detailed exploration of these strategies, you can read the full article

 Full Preparation Plan for an ISO Audit

1.  Understand the ISO Standard :

– Familiarize yourself with the specific ISO standard relevant to your organization (e.g., ISO 27001 for Information Security, ISO 9001 for quality management, ISO 14001 for environmental management, ISO 45001 for occupational health and safety).

– Study the standard requirements and guidelines to fully grasp what is expected.

2. Gap Analysis :

– Conduct a thorough gap analysis to compare your current processes and systems against the ISO standard requirements.

– Identify areas that need improvement and document these gaps.

3. Develop an Implementation Plan :

– Create a detailed plan to address the gaps identified in the gap analysis.

– Assign responsibilities to team members, set timelines, and allocate necessary resources.

4. Training and Awareness :

– Train your employees on the ISO standard requirements and the importance of compliance.

– Ensure that everyone understands their roles and responsibilities related to the ISO standards.

5. Document Control :

– Develop or update documentation to meet ISO requirements, including policies, procedures, work instructions, and records.

– Implement a document control system to manage and maintain these documents efficiently.

6. Internal Audits :

– Conduct internal audits to evaluate your readiness for the ISO audit.

– Identify non-conformities and take corrective actions to address them.

– Internal audits should closely mimic the external audit process.

7. Management Review :

– Hold a management review meeting to assess the effectiveness of your ISO management system.

– Ensure top management is involved and committed to the process.

8. Pre-Audit Assessment :

– If possible, conduct a pre-audit assessment with an external consultant to get an objective evaluation of your readiness.

– Use the feedback to make any necessary adjustments before the actual audit.

9. Audit Logistics :

– Coordinate with the external auditor to schedule the audit.

– Prepare all necessary documentation and ensure key personnel are available during the audit.

10. Continuous Improvement :

– ISO audits are not a one-time event. Implement a culture of continuous improvement to maintain compliance and enhance your management system.

– Regularly review and update your processes and systems to ensure ongoing compliance.

ISO 27001 INTERNAL AUDITS & DATA PROTECTION: STRENGTHENING COMPLIANCE & SECURITY: A Practical Guide to Conducting Internal Audits and Safeguarding Sensitive Data (ISO 27001:2022)

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: ISO 27001 Internal Audit, ISO Audit Plan


Mar 28 2025

Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857)

Category: Information Securitydisc7 @ 9:39 am

​Mozilla has addressed a critical security vulnerability, CVE-2025-2857, in its Firefox browser for Windows. This flaw, discovered in Firefox’s inter-process communication (IPC) code, allowed a compromised child process to cause the parent process to return an unintended powerful handle, leading to a sandbox escape. The issue was identified after Google’s recent patch of a similar Chrome vulnerability, CVE-2025-2783, exploited by state-sponsored attackers.

To mitigate this vulnerability, Mozilla released updates for Firefox version 136.0.4, Firefox Extended Support Release (ESR) versions 128.8.1, and 115.21.1 for Windows users. Given the potential severity of sandbox escape exploits, users are strongly encouraged to update their browsers promptly to protect against possible attacks.

The Tor Project, which builds its browser on a modified version of Firefox ESR, also released an emergency security update, version 14.0.8, for Windows users. Tor Browser users should update immediately to ensure their security and maintain anonymity online.

This discovery underscores the importance of continuous vigilance in software development and the necessity for developers to proactively assess their codebases, especially when similar platforms encounter security issues. Regular updates and prompt patching are vital in maintaining the security and integrity of software applications.​

Users are advised to enable automatic updates and stay informed about the latest security advisories from their software providers. Maintaining up-to-date software is a fundamental step in protecting against emerging threats and ensuring a secure computing environment.

For further details, access the article here

Tor – From the Dark Web to the Future of Privacy

Tor And The Deep Web 2024: The Complete Guide How to Stay Anonymous on the Dark Web

Tor and the Deep Web: Bitcoin, DarkNet & Cryptocurrency

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services


Mar 26 2025

How to Begin with Cybersecurity Risk Management

Cyber security risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.

When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.

Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.

Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.

Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.

Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.

A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

The best approach for SMBs to start the cybersecurity risk management process involves the following steps:

Understand Your Risks:

  • Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
  • Prioritize risks based on their potential impact and likelihood.

Set Clear Goals:

  • Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.

Develop a Security Policy:

  • Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.

Start with the Basics:

  • Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
  • Use strong passwords and enable multi-factor authentication (MFA).

Train Your Employees:

  • Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.

Back Up Your Data:

  • Regularly back up critical data and store it in a secure, offsite location.
  • Test your backup and recovery process to ensure it works effectively.

Monitor and Respond:

  • Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
  • Establish an incident response plan to know what to do in case of an attack.

Leverage External Resources:

  • Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
  • Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.

Start Small and Scale Up:

  • Focus on quick wins that provide maximum risk reduction with minimal effort.
  • Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.

Regularly Review and Update:

  • Reassess risks, policies, and controls periodically to stay ahead of evolving threats.

This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.

Cybersecurity Risk Management for Small Businesses

Building a Cyber Risk Management Program: Evolving Security for the Digital Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Building a Cyber Risk Management Program, Cybersecurity Risk Management


Next Page »