Jul 11 2020

Ten Steps to Reduce Your Cyber Risk

Category: Information Security, ISO 27k | DISC @ 4:19 pm

Embedded PDF: Ten Steps to Reduce Your Cyber Risk (https://blog.deurainfosec.com/wp-content/uploads/2020/07/Ten-Steps-to-Reduce-Your-Cyber-Risk.pdf)



Reduce your cyber risk with ISO 27001

Contact DISC InfoSec if you have a question regarding ISO 27001 implementation.





Explore the subject of Cyber Attack

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment


May 28 2020

ISO 27k reading list

Category: ISO 27k | DISC @ 1:12 pm

ISO 27k books reading list

 

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses or buy an ISO 27001 TOOLKIT to gain the practical knowledge and skills needed to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing the initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation for understanding what is needed for successful ISO 27001 delivery.

Below is a list of books that can help ISO 27001 practitioners prepare for ISO 27001 implementation.

 

Implementing the ISO 27001:2013 ISMS Standard

 


Authored by an internationally recognized expert in the field, this expanded, timely second edition addresses all the critical information security management issues needed to help businesses protect their valuable assets. Professionals learn how to manage business risks, governance and compliance. This updated resource provides a clear guide to ISO/IEC 27000 security standards and their implementation, focusing on the recent ISO/IEC 27001.
Moreover, readers are presented with practical and logical information on standard accreditation and certification. From information security management system (ISMS) business context, operations, and risk, to leadership and support, this invaluable book is your one-stop resource on the ISO/IEC 27000 series of standards.

Implementing the ISO/IEC 27001:2013 ISMS Standard 2nd Edition

 

ISO 27001 controls – A guide to implementing and auditing

 

Ideal for information security managers, auditors, consultants and organisations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001.

The ISO 27001 controls – A guide to implementing and auditing

 

ISO/IEC 27001 Master: Auditors & Implementers’ Guide

 

ISO/IEC 27001 Master is a book written to meet the combined needs of internal and external auditors as well as lead implementers, who simultaneously need the knowledge and skills to implement the ISMS and the skill to perform the audits. Written in simple and straightforward English, the book can be used by beginners as well as advanced learners. Besides being a practitioner’s guide, candidates and students preparing for their ISO 27001 certification examinations can also make use of the book, which provides a step-by-step guide to implementing the requirements of the ISO 27001 Standard.

The ISO/IEC 27001 Master: Auditors & Implementers

 

Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own

 

In Secure & Simple, Dejan Kosutic, an author and experienced information security consultant, is giving away all his practical know-how on successful ISO 27001 implementation. Whether you’re new or experienced in the field, this book gives you everything you will ever need to implement ISO 27001 on your own.

Dejan provides examples of implementing the standard in small and medium-sized organizations (i.e. companies with up to 500 employees). It is written primarily for beginners in the field and for people with moderate knowledge of ISO 27001. Even if you do have experience with the standard, but feel that there are gaps in your knowledge, you’ll find this book very helpful.

Secure & Simple is the definitive guide for implementing and maintaining the most popular information security standard in the world. The author leads you, step-by-step, from an introduction to ISO 27001 to the moment your company passes the certification audit.

Secure & Simple – A Small-Business Guide to Implementing ISO 27001 On Your Own


ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up.
ISO 27001 Handbook: Implementing and auditing


ISO IEC 27001 Lead Implementer A Complete Guide – 2020 Edition

 

Are breaches of any criminal or civil law and statutory, regulatory or contractual obligations and of any security requirements avoided? Ensuring the integration of the ISMS requirements into its business processes? What is the certification process for ISO 27001? Do you have documented statements of the ISMS policy and objectives? Are there any outdated operating systems running on any machines in the current environment?

Defining, designing, creating, and implementing a process to solve a challenge or meet an objective is the most valuable role… In EVERY group, company, organization and department.

Unless you are talking about a one-time, single-use project, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions: someone capable of asking the right questions, stepping back and saying, ‘What are we really trying to accomplish here? And is there a different way to look at it?’

This Self-Assessment empowers people to do just that – whether their title is entrepreneur, manager, consultant, (Vice-)President, CxO etc… – they are the people who rule the future. They are the person who asks the right questions to make ISO IEC 27001 Lead Implementer investments work better.

This ISO IEC 27001 Lead Implementer All-Inclusive Self-Assessment enables You to be that person.

All the tools you need to conduct an in-depth ISO IEC 27001 Lead Implementer Self-Assessment. Featuring 910 new and updated case-based questions, organized into seven core areas of process design, this Self-Assessment will help you identify areas in which ISO IEC 27001 Lead Implementer improvements can be made.

In using the questions you will be better able to:

– diagnose ISO IEC 27001 Lead Implementer projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices

– implement evidence-based best practice strategies aligned with overall goals

– integrate recent advances in ISO IEC 27001 Lead Implementer and process design strategies into practice according to best practice guidelines

Using a Self-Assessment tool known as the ISO IEC 27001 Lead Implementer Scorecard, you will develop a clear picture of which ISO IEC 27001 Lead Implementer areas need attention.

Your purchase includes access details to the ISO IEC 27001 Lead Implementer self-assessment dashboard download which gives you your dynamically prioritized projects-ready tool and shows your organization exactly what to do next. You will receive the following contents with New and Updated specific criteria:

– The latest quick edition of the book in PDF

– The latest complete edition of the book in PDF, which criteria correspond to the criteria in…

– The Self-Assessment Excel Dashboard

– Example pre-filled Self-Assessment Excel Dashboard to get familiar with results generation

– In-depth and specific ISO IEC 27001 Lead Implementer Checklists

– Project management checklists and templates to assist with implementation

INCLUDES LIFETIME SELF ASSESSMENT UPDATES

Every self assessment comes with Lifetime Updates and Lifetime Free Updated Books. Lifetime Updates is an industry-first feature which allows you to receive verified self assessment updates, ensuring you always have the most accurate information at your fingertips.

Download a Security Risk Assessment Checklist paper!



Apr 14 2020

ISO 31000 and ISO 22301 available now for free to read

Category: ISO 27k | DISC @ 4:14 pm

Because of the COVID-19 crisis, ISO enabled free access to ISO 22301, ISO 22395, ISO 22320, ISO 22316, and ISO 31000 standards – find the links here.

Source: ISO 31000 and ISO 22301 available now for free to read

ISO standards:

 



Dec 19 2019

ISO/IEC 27701 2019 Standard and Toolkit

Category: GDPR, Information Privacy, ISO 27k | DISC @ 12:35 pm

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.

SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS

Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data


ISO 27701 Gap Analysis Tool


Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.


What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.

  • The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.



    ISO 27701 The New Privacy Extension for ISO 27001
    https://www.youtube.com/watch?v=-NUfTDXlv30

    Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
    https://www.youtube.com/watch?v=ilw4UmMSlU4

    General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)


    Tags: CCPA, gdpr, iso 27001, iso 27002, ISO 27701, ISO27701, PIMS


    Dec 07 2019

    NIST CyberSecurity Framework and ISO 27001

    Category: Information Security, ISO 27k, NIST CSF | DISC @ 6:54 pm

    Embedded PDF: https://blog.deurainfosec.com/wp-content/uploads/2019/12/NIST_ISO_Green_Paper_NEW_V3___Final_Edits.pdf

    How to get started with the NIST Cybersecurity Framework (CSF) – Includes Preso

    Written Information Security Program (WISP) – ISO 27002, NIST Cybersecurity Framework & NIST 800-53
    https://www.youtube.com/watch?v=B8QjwD6f4rc

    What is ISO 27001?
    https://www.youtube.com/watch?v=AzSJyfjIFMw

    Virtual Session: NIST Cybersecurity Framework Explained
    https://www.youtube.com/watch?v=nFUyCrSnR68






    Tags: iso 27001, NIST CSF, NIST RMF


    Oct 14 2019

    The best practice guide for an effective infoSec function

    Building ISMS

    The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

    This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

     

    Practice Guide

    Open the PDF: The best practice guide for an effective infoSec function.

    How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
    https://www.youtube.com/watch?v=pDra0cy5WZI

    Beginners ultimate guide to ISO 27001 Information Security Management Systems
    https://www.youtube.com/watch?v=LytISQyhQVE

    Conducting a cybersecurity risk assessment



    Tags: isms


    Apr 02 2019

    Understanding the differences between ISO 27001 and ISO 27002

    Category: ISO 27k | DISC @ 9:38 am

    Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

    However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

    Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

     

    What is ISO 27001?

    ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

    The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do to achieve compliance, which is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale ISO 27001 implementation project.

    To meet these requirements, organisations must:

    • Assemble a project team and initiate the project;
    • Conduct a gap analysis;
    • Scope the ISMS;
    • Initiate high-level policy development;
    • Perform a risk assessment;
    • Select and apply controls;
    • Develop risk documentation;
    • Conduct staff awareness training;
    • Assess, review and conduct an internal audit; and
    • Opt for a certification audit.


    What is ISO 27002?

    ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

    These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

    This is because the Standard explains how each control works, what its objective is, and how you can implement it.

     

    The differences between ISO 27001 and ISO 27002

    There are three main differences between ISO 27001 and ISO 27002:

    • Detail

    If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

    Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

    • Certification

    You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

    • Applicability

    A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

    ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

    When you should use each standard

    ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

    If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

    Learn the basics of information security

    You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

    This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.



    Apr 01 2019

    Just Having A Security Product Doesn’t Make You Secure

    Category: Information Security, ISO 27k | DISC @ 5:31 pm

    Every day, big companies are still getting breached despite their security products. F-Secure’s Mikko Hypponen warns that companies that say ‘use our technology and you will not have a breach’ actually make it much harder for clients to think about and be ready for a breach.

    Source: Just Having A Security Product Doesn’t Make You Secure



    Mar 04 2019

    Probably the best-selling ISO27001 Toolkit in the world

    Category: ISO 27k | DISC @ 2:11 pm

    IT Governance Ltd, the world’s one-stop shop for ISO27001 information, books, toolkits, training and consultancy for ISO27001 Information Security Management, has now sold 1,034 copies of its ISO27001 ISMS Documentation Toolkit.

    “We estimate that between 5% and 10% of all ISO27001-certified organisations worldwide have drawn on the comprehensive, best practice templates contained in our ISO27001 Toolkit,” commented Alan Calder, CEO of IT Governance.

  • The ISO27001 Documentation Toolkit
  • ISO 27001 Implementation



    Mar 03 2019

    ISO27002 2013 ISMS Controls Gap Analysis Tool (Download)

    Category: ISO 27k | DISC @ 10:28 pm

    ISO27002: 2013 compliant! This tool has a very specific, high-level purpose in any ISMS project, which is to quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.

    Use this self-assessment tool to quickly and clearly identify the extent to which your organization has implemented the controls and addressed the control objectives in ISO 27002.

    Special offer: Get two gap analysis tools for the price of one!

    Complete your gap analysis with the ISO 27002:2013 ISMS Controls Gap Analysis Tool.

    Buy the ISO 27001:2013 ISMS Gap Analysis Tool and get this tool for free!

    Use the following code at the checkout when you buy the ISO 27001:2013 ISMS Gap Analysis Tool and the ISO 27002:2013 ISMS Controls Gap Analysis Tool will automatically be added to your shopping cart: B1G1GAP*



    Feb 05 2019

    ISO 27001 ISMS Documentation Toolkit Bolt-on

    Category: ISO 27k | DISC @ 8:37 am

    Combine with the ISO 9001:2015 QMS Documentation Toolkit and/or the ISO 14001:2015 EMS Documentation Toolkit to create an ISO 27001- compliant integrated management system (IMS).

  • ISO 27001 ISMS Documentation Toolkit Bolt-on

  • DISC InfoSec blog



    Tags: EMS, IMS, isms, ISO27001, QMS


    Sep 16 2018

    Download ISO27k standards

    Category: ISO 27k | DISC @ 7:23 pm

     

     

    Download the ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirement (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    ISO 27001 Do It Yourself Package (Download)

     

    ISO 27001 Training Courses – Browse the ISO 27001 training courses

    ISO 27001 Training Courses


    Tags: ISO 27001 2013, ISO 27001 2013 Toolkit


    Aug 23 2018

    Nine Steps to Successful Implementation

    Category: ISO 27k | DISC @ 1:32 pm

    Achieving and maintaining accredited certification to ISO 27001 can be complicated, especially for those who are new to the Standard.

    Aligned with the latest iteration of ISO 27001:2013, the North American edition of Nine Steps to Success – An ISO 27001 Implementation Overview is ideal for anyone tackling ISO 27001 for the first time.

    In nine critical steps, the guide covers each element of the ISO 27001 project in simple, non-technical language.

    Get step-by-step guidance on successful ISO 27001 implementation from an industry leader.

    Implementation Overview, North American edition
    This must-have guide from ISO 27001 expert Alan Calder helps you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success:

    • Details the key steps of an ISO 27001 project from inception to certification
    • Explains each element of the ISO 27001 project in simple, non-technical language
    • An ideal guide for anyone tackling ISO 27001 implementation for the first time



    Feb 11 2018

    Pinpoint your current cyber security gaps

    Category: ISO 27k | DISC @ 9:07 pm

    A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

    An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

    Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:

     

    • A high-level review of the efficacy of your policies, procedures, processes and controls
    • Interviews with key managers
    • Assistance defining the scope of a proposed information security management system (ISMS)
    • A detailed compliance status report against the clauses and controls described in ISO 27001

     

    Description

    Our ISO27001 Gap Analysis will provide you with an informed assessment of:

    • Your compliance gaps against ISO 27001
    • The proposed scope of your information security management system (ISMS)
    • Your internal resource requirements; and
    • The potential timeline to achieve certification readiness.

     

    What to expect:

    An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

     

    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
    • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
    • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.
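    The clause-by-clause and control-by-control red/amber/green report described above can be produced from a simple list of findings. The script below is an added example written for this page, not a DISC InfoSec or IT Governance tool: the findings, the three-colour status mapping and the rule that an excluded control must carry a justification (as a Statement of Applicability requires) are all assumptions made here, and the sample findings are constructed, not from a real assessment.

```python
from collections import defaultdict

# RAG ordering used to roll requirements up to a clause: the weakest item sets the colour.
RAG_ORDER = {"green": 0, "amber": 1, "red": 2}
STATUS_RAG = {"implemented": "green", "partial": "amber", "not implemented": "red"}


def requirement_rag(finding):
    """Colour one requirement or control.

    Assumption: a control marked not applicable must carry a justification (as a
    Statement of Applicability requires); an unjustified exclusion is reported as a gap.
    """
    if finding["status"] == "not applicable":
        return "green" if finding.get("justification") else "red"
    return STATUS_RAG[finding["status"]]


def group_of(ref):
    """'6.1.2' belongs to clause 6; 'A.9.4.2' belongs to control area A.9."""
    parts = ref.split(".")
    return ".".join(parts[:2]) if ref.startswith("A.") else parts[0]


def in_scope(finding):
    """Justified exclusions drop out of the denominator of the compliance figure."""
    return not (finding["status"] == "not applicable" and finding.get("justification"))


def gap_report(findings):
    """Return clause/control-area RAG, an overall compliance percentage and an action list."""
    by_group = defaultdict(list)
    for f in findings:
        by_group[group_of(f["ref"])].append(requirement_rag(f))
    rag = {g: max(colours, key=RAG_ORDER.__getitem__) for g, colours in by_group.items()}

    scoped = [f for f in findings if in_scope(f)]
    green = sum(requirement_rag(f) == "green" for f in scoped)
    compliance = round(100 * green / len(scoped)) if scoped else 0

    # Gaps to close, reds first, preserving assessment order within a colour.
    actions = [dict(f, rag=requirement_rag(f)) for f in scoped if requirement_rag(f) != "green"]
    actions.sort(key=lambda f: -RAG_ORDER[f["rag"]])
    return {"rag": rag, "compliance_pct": compliance, "actions": actions}


# Constructed sample findings from a gap analysis interview (not a real assessment).
SAMPLE_FINDINGS = [
    {"ref": "4.3", "requirement": "ISMS scope documented", "status": "implemented"},
    {"ref": "5.2", "requirement": "Information security policy", "status": "implemented"},
    {"ref": "6.1.2", "requirement": "Risk assessment process", "status": "partial"},
    {"ref": "6.1.3", "requirement": "Risk treatment and Statement of Applicability", "status": "partial"},
    {"ref": "7.2", "requirement": "Competence records", "status": "implemented"},
    {"ref": "9.2", "requirement": "Internal audit programme", "status": "not implemented"},
    {"ref": "A.8.1.1", "requirement": "Inventory of assets", "status": "implemented"},
    {"ref": "A.9.4.2", "requirement": "Secure log-on procedures", "status": "partial"},
    {"ref": "A.12.3.1", "requirement": "Information backup", "status": "not implemented"},
    {"ref": "A.14.2.7", "requirement": "Outsourced development", "status": "not applicable",
     "justification": "No software development is outsourced"},
    {"ref": "A.6.2.1", "requirement": "Mobile device policy", "status": "not applicable"},
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_FINDINGS)
    for group, colour in sorted(report["rag"].items()):
        print(f"{group:<6} {colour}")
    print(f"Compliance: {report['compliance_pct']}% of in-scope requirements implemented")
    for a in report["actions"]:
        print(f"  [{a['rag']:<5}] {a['ref']:<9} {a['requirement']}")
```

    Two design choices matter for an honest report: a clause takes the colour of its weakest requirement, so one red item cannot be hidden by several green ones, and a "not applicable" without a written justification counts as a gap rather than silently shrinking the scope.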

     

    Please contact us for further information or to speak to an infosec expert.


    Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment


    Nov 08 2017

    How ISO 27001 can help to achieve GDPR compliance

    Category: GDPR, ISO 27k | DISC @ 2:44 pm

    By Julia Dutton

    Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

    Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

    Managing people, processes and technology

    ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology. By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

    By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed. Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

    What does the GDPR say?

    The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

    Let’s look at these items separately:

    Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks. ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks. Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

    One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information. Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

    Risk assessment

    ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.

    Business continuity

    ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

    Testing and assessments

    Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

    The requirements to achieve compliance with ISO 27001 of course do not stop there. Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support. ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

    Related articles:

    Read more about ISO 27001 and the GDPR >>>>
    GDPR Documentation Toolkit and gap assessment tool >>>>
    Understanding the GDPR: General Data Protection Regulation >>>>

     



    Oct 25 2017

    Conducting an asset-based risk assessment in ISO 27001:2013

    Category: ISO 27k, Risk Assessment | DISC @ 11:14 am

    Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software

    The nature of ISO 27001 is that it is heavily focused on risk-based planning. This is to ensure that the identified information risks are appropriately managed according to the threats and the nature of the threats. While asset-based risk assessments are still widely regarded as best practice, and present a robust methodology for conducting risk assessments, they are no longer a requirement under ISO 27001:2013. ISO 27001:2013 leaves it to the organisation to choose the relevant risk assessment methodology, such as ISO 27005 or ISO/IEC 31010.

    It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

    Where do you start when you embark on an asset-based information security risk assessment?

    The first step would be to produce an asset register, which can be done through a series of interviews with asset owners.Ā The ā€˜asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

    Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

    Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness of an asset or control that can be exploited by one or more threats.

    Risk assessment & impact determination

    Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks. The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

    It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

    ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.
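    The steps above (asset register from owner interviews, threat/vulnerability pairs per asset, impact judged on Confidentiality, Integrity and Availability, then a treatment plan against an acceptance threshold), worked through as an added example that is not from the article or from vsRisk. The assets, owners, scores, threshold and the threat-to-Annex A mapping are all constructed, and the 1-5 scales with impact times likelihood are one common convention, not something ISO 27001 prescribes.

```python
from dataclasses import dataclass

# Convention assumed here (ISO 27001 prescribes none): C/I/A impact and
# likelihood on 1-5 scales, impact = worst of C/I/A, score = impact x likelihood.
@dataclass(frozen=True)
class Risk:
    asset: str
    asset_owner: str    # asset-based start point; a risk owner may be escalated
    threat: str
    vulnerability: str
    impact: int         # worst case of the C, I, A ratings
    likelihood: int
    score: int

# Hypothetical threat -> ISO 27001:2013 Annex A control mapping.
ANNEX_A = {
    "Ransomware": ["A.12.6.1 Management of technical vulnerabilities",
                   "A.12.3.1 Information backup"],
    "Insider misuse": ["A.9.2.3 Management of privileged access rights"],
    "Data centre flood": ["A.11.1.4 Protecting against external and environmental threats"],
}

# Constructed asset register, as compiled from asset-owner interviews.
# Per asset: (owner, [(threat, vulnerability, {C, I, A} impact, likelihood), ...])
ASSET_REGISTER = {
    "Customer database": ("Head of Sales", [
        ("Ransomware", "Unpatched database server", {"C": 2, "I": 5, "A": 5}, 4),
        ("Insider misuse", "Excess DBA privileges", {"C": 4, "I": 3, "A": 1}, 2)]),
    "Backup tapes": ("IT Operations Manager", [
        ("Data centre flood", "Tapes stored on site only", {"C": 1, "I": 1, "A": 4}, 1)]),
}

def impact_level(cia):
    """Impact is the worst of the confidentiality, integrity and availability ratings."""
    return max(cia.values())

def assess(register):
    """Analyse every threat/vulnerability pair; return risks sorted highest score first."""
    risks = []
    for asset, (owner, entries) in register.items():
        for threat, vuln, cia, likelihood in entries:
            impact = impact_level(cia)
            risks.append(Risk(asset, owner, threat, vuln, impact, likelihood, impact * likelihood))
    return sorted(risks, key=lambda r: r.score, reverse=True)

def treatment_plan(risks, acceptance_threshold):
    """Risks scoring above the acceptance threshold, with the controls mapped to their threat."""
    return [(r.asset, r.threat, ANNEX_A.get(r.threat, []))
            for r in risks if r.score > acceptance_threshold]
```

Re-running `assess` on an updated register the following year gives the repeatable, comparable output the article describes; the threshold is the organisation's own risk acceptance criterion.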

    vsRisk comes with an optional, pre-populated asset library. Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

    Sample risk assessment

    vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

    By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year. The tool generates a set of 6 reports that can be exported and edited, presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.


    Tags: Risk Assessment


    Aug 28 2017

    ISO27001 Gap Analysis

    Category: ISO 27k | DISC @ 10:41 pm


    A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

    Get the true picture of your ISO 27001 compliance gap, and receive expert advice on how to scope your project and establish your project resource requirements.

    What to expect:

    An ISO 27001 specialist will interview key stakeholders and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • ISO 27001 2013 requirements
    • ISO 27002 2013 controls, categories and domains
    • Compliance report by ISO 27001 requirement
    • Compliance report by ISO 27002 2013 control
    • Compliance report by ISO 27002 2013 category
    • Compliance report by ISO 27002 2013 domain

    The DISC gap assessment includes a three- or six-level (CMMI) rating matrix of your choice for each control, category and domain.

    Start your ISMS project with the ISO27001 2013 Documentation Toolkit

    ISO/IEC 27001 2005 to 2013 Gap Analysis Tool (Download)

    Download the ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirements (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    Contact us for further information or visit DISC site for our ISO27k services


    Tags: ISO 27001 2013 Gap Assessment


    Aug 10 2017

    Security Management and Governance

    Category: GRC, Information Security, ISO 27k | DISC @ 9:38 am
    • The textbook for the Open University’s postgraduate information security course.
    • The recommended textbook for all IBITGQ ISO 27001 courses.
    • Available in softcover or eBook format.



    Description

    Fully updated expert information security management and governance guidance based on the international standard for information security management, ISO 27001.

    As global threats to information security increase in frequency and severity, and organisations of all sizes, types and sectors face increased exposure to fast-evolving cyber threats, there has never been a greater need for robust information security management systems.

    Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 provides best-practice guidance for technical and non-technical managers looking to enhance their information security management systems and protect themselves against information security threats.

    This new edition of IT Governance: An International Guide to Data Security and ISO27001/ISO27002 has been fully updated to take account of current cyber security trends and advanced persistent threats, and reflects the latest regulatory and technological developments, including the 2013 updates to ISO 27001 and ISO 27002.

    Product overview

    Including coverage of key international markets, such as the UK, North America, the EU and the Asia-Pacific region, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an effective information security management system (ISMS), as set out in the international standard ISO 27001.

    It covers all aspects of data protection/information security, including viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.

    Changes introduced in this edition include:

    • Full updates in line with the 2013 revisions to the ISO 27001 standard and ISO 27002 code of practice.
    • Full coverage of changes to data protection regulations in different jurisdictions and advice on compliance.
    • Guidance on the new continual improvement model that replaces the plan-do-check-act cycle that was mandated in the 2005 iteration of ISO 27001.
    • New developments in cyber risk and mitigation practices.
    • The latest technological developments that affect IT governance and security.
    • Guidance on the new information security risk assessment process.

    IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the recommended textbook for the Open University’s postgraduate information security course and the recommended text for all IBITGQ ISO 27001 courses.



    Apr 24 2017

    Why is ISO 27001 so important for US technology firms?

    Category: ISO 27k | DISC @ 10:47 am

    by Rob Freeman

    At IT Governance, we have long known that compliance with the ISO 27001 information security management standard is essential for all US companies that wish to do business with the rest of the world. This requirement is fuelled by the ever-growing threat of cybercrime and the increasing awareness of the data privacy rights of all individuals in target markets globally.

    Win international business

    To win and maintain international business, your firm needs to demonstrate that it takes cybersecurity and data privacy seriously, and fully complies with all of the relevant laws and regulations.

    This is particularly true for US technology companies, many of which deliver services and products through online, web-based channels. Modern Internet marketing and sales methodology demands the acquisition of large databases of customers’ personal data. In return for purchasing goods and services, these customers expect that their data will be secured, stored and used in an appropriate manner. From the big players like Microsoft or Salesforce.com to the small traders selling internationally on eBay, ensuring the data security and privacy of customers is just as important as delivering a great product.

    Although now a little dated, I can recommend that you view the August news release from InsideView, a CA-based market intelligence company, which announced “InsideView Expands ISO/IEC 27001:2013 Certification to Include ISO/IEC 27018”. This somewhat innocuous headline is hiding a really big message that is buried in the second paragraph:

    A global priority

    Protection of personal information has become a globally recognized priority. Emerging regulations and frameworks, such as European Union Data Protection Directive (GDPR) and the US Department of Commerce Privacy Shield, will require data processors to provide specific protections and rights of access regarding personal information.

    “This extension of our ISO 27001 information security management system to include the ISO 27018 controls for personal data shows that InsideView is leading the market in preparation for new privacy regulations,” said Jenny Cheng, Chief Product Officer at InsideView.

    If you are not aware of the importance of ISO 27001, I can recommend that you purchase and read this textbook: IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition.


    Apr 21 2017

    vsRisk™ risk assessment

    Category: ISO 27k, Security Risk Assessment | DISC @ 8:42 am

    vsRisk Standalone 3.0 – Brand new vsRisk™ risk assessment software available now

    vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.

    Price: $745.00

    Buy now

    Tags: Risk Assessment

