Apr 14 2020

ISO 31000 and ISO 22301 available now for free to read

Category: ISO 27k | DISC @ 4:14 pm

Because of the COVID-19 crisis, ISO enabled free access to ISO 22301, ISO 22395, ISO 22320, ISO 22316, and ISO 31000 standards – find the links here.

Source: ISO 31000 and ISO 22301 available now for free to read



Dec 19 2019

ISO/IEC 27701 2019 Standard and Toolkit

Category: GDPR, Information Privacy, ISO 27k | DISC @ 12:35 pm

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 ISMS (information security management system). It specifies requirements and provides guidance for implementing, maintaining, and continually improving a PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.

SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS

Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data


ISO 27701 Gap Analysis Tool


Achieve full compliance with ISO 27701:2019

The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.


What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.

  • The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.



    ISO 27701 The New Privacy Extension for ISO 27001
    https://www.youtube.com/watch?v=-NUfTDXlv30

    Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
    https://www.youtube.com/watch?v=ilw4UmMSlU4

    General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)


    Tags: CCPA, gdpr, iso 27001, iso 27002, ISO 27701, ISO27701, PIMS


    Dec 07 2019

    NIST CyberSecurity Framework and ISO 27001

    Category: Information Security, ISO 27k, NIST CSF | DISC @ 6:54 pm


    NIST CyberSecurity Framework and ISO 27001 green paper (PDF): https://blog.deurainfosec.com/wp-content/uploads/2019/12/NIST_ISO_Green_Paper_NEW_V3___Final_Edits.pdf

    How to get started with the NIST Cybersecurity Framework (CSF) – Includes Preso

    Written Information Security Program (WISP) – ISO 27002, NIST Cybersecurity Framework & NIST 800-53
    https://www.youtube.com/watch?v=B8QjwD6f4rc

    What is ISO 27001?
    https://www.youtube.com/watch?v=AzSJyfjIFMw

    Virtual Session: NIST Cybersecurity Framework Explained
    https://www.youtube.com/watch?v=nFUyCrSnR68






    Tags: iso 27001, NIST CSF, NIST RMF


    Oct 14 2019

    The best practice guide for an effective infoSec function

    Building ISMS

    The best practice guide for an effective infoSec function: iTnews has put together advice drawn from several frameworks, including the ISO 27k series and the NIST CSF, to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

    This comprehensive report is a must-have reference for executives, senior managers and anyone working in information security management.

     

    Practice Guide (PDF): The best practice guide for an effective infoSec function.

    How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
    https://www.youtube.com/watch?v=pDra0cy5WZI

    Beginners ultimate guide to ISO 27001 Information Security Management Systems
    https://www.youtube.com/watch?v=LytISQyhQVE

    Conducting a cybersecurity risk assessment



    Tags: isms


    Apr 02 2019

    Understanding the differences between ISO 27001 and ISO 27002

    Category: ISO 27k | DISC @ 9:38 am


    Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

    However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

    Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

     

    What is ISO 27001?

    ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

    The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do to achieve compliance, which is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale ISO 27001 implementation project.

    To meet these requirements, organisations must:

    • Assemble a project team and initiate the project;
    • Conduct a gap analysis;
    • Scope the ISMS;
    • Initiate high-level policy development;
    • Perform a risk assessment;
    • Select and apply controls;
    • Develop risk documentation;
    • Conduct staff awareness training;
    • Assess, review and conduct an internal audit; and
    • Opt for a certification audit.


    What is ISO 27002?

    ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

    These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

    This is because the Standard explains how each control works, what its objective is, and how you can implement it.

     

    The differences between ISO 27001 and ISO 27002

    There are three main differences between ISO 27001 and ISO 27002:

    • Detail

    If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

    Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

    • Certification

    You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

    • Applicability

    A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

    ISO 27001 makes that clear, requiring organisations to conduct a risk assessment to identify and prioritise information security risks and to select controls on that basis. ISO 27002 provides no such selection process, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

    When you should use each standard

    ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

    If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

    Learn the basics of information security

    You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

    This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.



    Apr 01 2019

    Just Having A Security Product Doesn’t Make You Secure

    Category: Information Security, ISO 27k | DISC @ 5:31 pm

    Every day, big companies are still getting breached despite their security products. F-Secure’s Mikko Hypponen warns that companies that say ‘use our technology and you will not have a breach’ actually make it much harder for clients to think about and be ready for a breach.

    Source: Just Having A Security Product Doesn’t Make You Secure



    Mar 04 2019

    Probably the best-selling ISO27001 Toolkit in the world

    Category: ISO 27k | DISC @ 2:11 pm

    IT Governance Ltd, the world’s one-stop shop for ISO27001 information, books, toolkits, training and consultancy for ISO27001 Information Security Management, has now sold 1,034 copies of its ISO27001 ISMS Documentation Toolkit.

    “We estimate that between 5% and 10% of all ISO27001-certified organisations worldwide have drawn on the comprehensive, best practice templates contained in our ISO27001 Toolkit,” commented Alan Calder, CEO of IT Governance.

  • The ISO27001 Documentation Toolkit
  • ISO 27001 Implementation



    Mar 03 2019

    ISO27002 2013 ISMS Controls Gap Analysis Tool (Download)

    Category: ISO 27k | DISC @ 10:28 pm

    Aligned with ISO 27002:2013. This tool has a very specific, high-level purpose in any ISMS project: to quickly and clearly identify the controls and control areas in which an organization does not meet the guidance of the standard.

    Use this self-assessment tool to quickly and clearly identify the extent to which your organization has implemented the controls and addressed the control objectives in ISO 27002.

    Special offer: Get two gap analysis tools for the price of one!

    Complete your gap analysis with the ISO 27002:2013 ISMS Controls Gap Analysis Tool.

    Buy the ISO 27001:2013 ISMS Gap Analysis Tool and get this tool for free!

    Use the following code at the checkout when you buy the ISO 27001:2013 ISMS Gap Analysis Tool and the ISO 27002:2013 ISMS Controls Gap Analysis Tool will automatically be added to your shopping cart: B1G1GAP*



    Feb 05 2019

    ISO 27001 ISMS Documentation Toolkit Bolt-on

    Category: ISO 27k | DISC @ 8:37 am

    Combine with the ISO 9001:2015 QMS Documentation Toolkit and/or the ISO 14001:2015 EMS Documentation Toolkit to create an ISO 27001-compliant integrated management system (IMS).

  • ISO 27001 ISMS Documentation Toolkit Bolt-on



    Tags: EMS, IMS, isms, ISO27001, QMS


    Sep 16 2018

    Download ISO27k standards

    Category: ISO 27k | DISC @ 7:23 pm

     

     

    Download ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirement (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    ISO 27001 Do It Yourself Package (Download)

     

    ISO 27001 Training Courses – Browse the ISO 27001 training courses


    Tags: ISO 27001 2013, ISO 27001 2013 Toolkit


    Aug 23 2018

    Nine Steps to Successful implementation

    Category: ISO 27k | DISC @ 1:32 pm

    Achieving and maintaining accredited certification to ISO 27001 can be complicated, especially for those who are new to the Standard.

    Aligned with the latest iteration of ISO 27001:2013, the North American edition of Nine Steps to Success – An ISO 27001 Implementation Overview is ideal for anyone tackling ISO 27001 for the first time.

    In nine critical steps, the guide covers each element of the ISO 27001 project in simple, non-technical language.

    Get step-by-step guidance on successful ISO 27001 implementation from an industry leader.

    Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition
    This must-have guide from ISO 27001 expert Alan Calder helps you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success:

    • Details the key steps of an ISO 27001 project from inception to certification
    • Explains each element of the ISO 27001 project in simple, non-technical language
    • An ideal guide for anyone tackling ISO 27001 implementation for the first time



    Feb 11 2018

    Pinpoint your current cyber security gaps

    Category: ISO 27k | DISC @ 9:07 pm

    A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

    An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

    Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard includes the following:

     

    • A high-level review of the efficacy of your policies, procedures, processes and controls
    • Interviews with key managers
    • Assistance defining the scope of a proposed information security management system (ISMS)
    • A detailed compliance status report against the clauses and controls described in ISO 27001

     

    Description

    Our ISO27001 Gap Analysis will provide you with an informed assessment of:

    • Your compliance gaps against ISO 27001
    • The proposed scope of your information security management system (ISMS)
    • Your internal resource requirements; and
    • The potential timeline to achieve certification readiness.

     

    What to expect:

    An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

     

    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
    • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
    • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.

     

    Please contact us for further information or to speak to an infosec expert.


    Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment


    Nov 08 2017

    How ISO 27001 can help to achieve GDPR compliance

    Category: GDPR, ISO 27k | DISC @ 2:44 pm

    gdpr

    By Julia Dutton

    Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

    Those who have studied the Regulation will be aware that it makes several references to certification schemes, seals and marks (Article 42). Certification to a recognised standard such as ISO 27001 serves a related purpose: it demonstrates that the organisation is actively managing its data security in line with international best practice, even though it is not itself a GDPR certification under Article 42.

    Managing people, processes and technology

    ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

    By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

    What does the GDPR say?

    The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

    Let’s look at these items separately:

    Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

    One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

    Risk assessment

    ISO 27001 mandates that organisations conduct a thorough risk assessment to identify risks to the confidentiality, integrity and availability (CIA) of their information (most commonly by identifying the threats and vulnerabilities that can affect information assets) and to treat those risks. The GDPR likewise requires security measures appropriate to the risk (Article 32) and, for processing likely to result in a high risk to individuals, a data protection impact assessment (Article 35).

    Business continuity

    ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

    Testing and assessments

    Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

    The requirements to achieve compliance with ISO 27001 of course do not stop there.  Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support.  ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

    Related articles:

    Read more about ISO 27001 and the GDPR
    GDPR Documentation Toolkit and gap assessment tool
    Understanding the GDPR: General Data Protection Regulation

     



    Oct 25 2017

    Conducting an asset-based risk assessment in ISO 27001:2013

    Category: ISO 27k, Risk Assessment | DISC @ 11:14 am

    Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software

    ISO 27001 is heavily focused on risk-based planning, so that identified information security risks are managed in proportion to the threats behind them. While asset-based risk assessments are still widely regarded as best practice and present a robust methodology, they are no longer a requirement under ISO 27001:2013. ISO 27001:2013 leaves it to the organisation to choose a suitable risk assessment methodology, e.g. one based on ISO 27005 or ISO/IEC 31010.

    It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

    Where do you start when you embark on an asset-based information security risk assessment?

    The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

    Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

    Once the asset register has been compiled, the next step is to identify the threats and vulnerabilities that could pose risks to those assets. A vulnerability is a weakness of an asset or control that can be exploited by one or more threats; a risk exists wherever a threat can act on such a weakness.

    Risk assessment & impact determination

    Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks.  The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

    It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

    ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.
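The procedure above (asset register built from owner interviews, threat/vulnerability pairs per asset, impact on confidentiality, integrity and availability, a risk level, and a treatment plan that points at controls) carried through in code. This is an added example; it is not part of the original article and is not vsRisk. The 1–5 scales, the likelihood × impact scoring, the acceptance threshold of 8, the sample register and the Annex A control references attached to each scenario are all assumptions chosen for illustration; ISO 27005 leaves the choice of scales to the organisation.

```python
"""Asset-based information security risk assessment, ISO 27001:2013 style.

Added worked example; not the original article's or vsRisk's code. Scales,
threat/vulnerability pairs, acceptance threshold and the Annex A references
are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str   # asset owner interviewed when building the register
    c: int       # value of confidentiality, 1 (low) .. 5 (very high)
    i: int       # value of integrity, 1..5
    a: int       # value of availability, 1..5


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1..5, chance that the threat exploits the vulnerability
    affects: tuple    # subset of ("C", "I", "A") the scenario degrades
    controls: tuple   # Annex A references proposed for treatment (assumed)


@dataclass
class Risk:
    scenario: Scenario
    impact: int
    score: int
    decision: str
    risk_owner: str


def impact_of(asset: Asset, scenario: Scenario) -> int:
    """Impact is the highest asset value among the CIA properties the scenario harms."""
    values = {"C": asset.c, "I": asset.i, "A": asset.a}
    return max(values[p] for p in scenario.affects)


def assess(assets, scenarios, acceptance_threshold=8):
    """Score every scenario and decide whether it is within risk appetite.

    score = likelihood x impact (1..25). Scores above the threshold must be
    treated. The asset owner is recorded as risk owner, which ISO 27001:2013
    requires you to identify explicitly. Scenarios naming an unknown asset are
    rejected: a risk register that disagrees with the asset register is a
    finding in itself.
    """
    register = {a.name: a for a in assets}
    risks = []
    for s in scenarios:
        if s.asset not in register:
            raise ValueError(f"scenario references unknown asset {s.asset!r}")
        asset = register[s.asset]
        impact = impact_of(asset, s)
        score = s.likelihood * impact
        decision = "treat" if score > acceptance_threshold else "accept"
        risks.append(Risk(s, impact, score, decision, asset.owner))
    risks.sort(key=lambda r: r.score, reverse=True)   # highest risk first
    return risks


def treatment_plan(risks):
    """Map each asset with risks to treat onto the proposed Annex A controls."""
    plan = {}
    for r in risks:
        if r.decision == "treat":
            plan.setdefault(r.scenario.asset, set()).update(r.scenario.controls)
    return {asset: sorted(ctrls) for asset, ctrls in plan.items()}


# Constructed sample register and scenarios (illustrative, not real data)
ASSETS = [
    Asset("customer-db", "Head of CRM", c=5, i=4, a=3),
    Asset("public-website", "Marketing lead", c=1, i=3, a=4),
]
SCENARIOS = [
    Scenario("customer-db", "external attacker", "unpatched DBMS", 3, ("C", "I"),
             ("A.12.6.1",)),   # management of technical vulnerabilities
    Scenario("customer-db", "hardware failure", "no tested backups", 2, ("A",),
             ("A.12.3.1",)),   # information backup
    Scenario("public-website", "defacement", "shared admin credentials", 3, ("I",),
             ("A.9.2.3",)),    # management of privileged access rights
    Scenario("public-website", "phishing of staff", "no awareness training", 2, ("C",),
             ("A.7.2.2",)),    # awareness, education and training
]

if __name__ == "__main__":
    risks = assess(ASSETS, SCENARIOS)
    for r in risks:
        print(f"{r.score:2d} {r.decision:6s} {r.scenario.asset:15s} "
              f"{r.scenario.threat} / {r.scenario.vulnerability}  owner={r.risk_owner}")
    print(treatment_plan(risks))
```

Run as a script it prints the prioritised register (the unpatched customer database scores 15 and is treated; the backup and phishing scenarios fall under the threshold and are accepted, which is a decision the risk owner must sign off, not a gap the tool hides). Changing `affects` for a scenario shows why impact is tied to the property harmed rather than to the asset as a whole.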

    vsRisk comes with an optional, pre-populated asset library.  Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

    [Image: sample risk assessment]

    vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

    By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year.  The tool generates a set of 6 reports that can be exported and edited,  presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.


    Tags: Risk Assessment


    Aug 28 2017

    ISO27001 Gap Analysis

    Category: ISO 27k | DISC @ 10:41 pm

     

    A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

    Get the true picture of your ISO 27001 compliance gap, and receive expert advice on how to scope your project and establish your project resource requirements.

    What to expect:

    An ISO 27001 specialist will interview key stakeholders  and perform an analysis of your existing information security arrangements and documentation.

    Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

    The report includes:

    • The overall state and maturity of your information security arrangements
    • The specific gaps between these arrangements and the requirements of ISO 27001
    • ISO 27001 2013 requirements
    • ISO 27002 2013 controls, categories and domains
    • Compliance report by ISO 27001 requirements
    • Compliance report by control ISO 27002 2013
    • Compliance report by category ISO 27002 2013
    • Compliance report by domain ISO 27002 2013

    The DISC gap assessment rates each control, category and domain on a three- or six-level (CMMI-style) maturity matrix of your choice.
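How a control-by-control maturity rating rolls up into the category and domain views, and into the red/amber/green status that the gap analysis reports described here and in the Feb 2018 post present. This is an added example, not the DISC or IT Governance tool. The six-level maturity scale, the RAG thresholds and the sample ratings are constructed; the control numbers follow the ISO 27001:2013 Annex A numbering but the ratings attached to them are invented. The roll-up reports both mean and minimum and drives RAG from the minimum, because a domain averaging 2.3 can hide a control rated 0.

```python
"""Roll-up of a control-by-control ISO 27001 gap analysis to category and domain.

Added worked example; not the DISC or IT Governance tool. Maturity scale,
RAG thresholds and the sample ratings are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Assumed six-level CMMI-style scale: 0 = not performed ... 5 = optimising
LEVELS = {0: "not performed", 1: "initial", 2: "managed", 3: "defined",
          4: "quantitatively managed", 5: "optimising"}


def rag(level: float) -> str:
    """Assumed thresholds: maturity >= 3 green, >= 2 amber, otherwise red."""
    if level >= 3:
        return "green"
    if level >= 2:
        return "amber"
    return "red"


def roll_up(assessment):
    """assessment: list of (domain, category, control, maturity) tuples.

    Returns (per-category, per-domain) summaries. Each summary carries the
    mean and the minimum maturity; RAG is taken from the minimum so that one
    unimplemented control cannot be masked by strong neighbours.
    """
    by_cat = defaultdict(list)
    by_dom = defaultdict(list)
    for domain, category, control, level in assessment:
        if level not in LEVELS:
            raise ValueError(f"{control}: maturity {level} not in {sorted(LEVELS)}")
        by_cat[(domain, category)].append(level)
        by_dom[domain].append(level)

    def summarise(levels):
        return {"mean": round(mean(levels), 2), "min": min(levels),
                "rag": rag(min(levels))}

    return ({k: summarise(v) for k, v in by_cat.items()},
            {k: summarise(v) for k, v in by_dom.items()})


def gaps(assessment, target=3):
    """Controls below the target maturity, worst first: the work list."""
    short = [(control, level) for _, _, control, level in assessment if level < target]
    return sorted(short, key=lambda item: item[1])


# Constructed sample ratings (Annex A numbering; maturity values invented)
ASSESSMENT = [
    ("A.9 Access control", "A.9.2 User access management", "A.9.2.1", 3),
    ("A.9 Access control", "A.9.2 User access management", "A.9.2.3", 0),
    ("A.9 Access control", "A.9.4 System and application access control", "A.9.4.2", 4),
    ("A.12 Operations security", "A.12.3 Backup", "A.12.3.1", 2),
    ("A.12 Operations security", "A.12.6 Technical vulnerability management", "A.12.6.1", 3),
]

if __name__ == "__main__":
    categories, domains = roll_up(ASSESSMENT)
    for domain, summary in domains.items():
        print(f"{domain}: {summary}")
    for (domain, category), summary in categories.items():
        print(f"  {category}: {summary}")
    print("gaps:", gaps(ASSESSMENT))
```

In the sample, A.9 Access control averages 2.33 (which would read amber) but is reported red because A.9.2.3 is not performed at all; the work list lists that control first. Swap `min` for `mean` in `summarise` to see the masking effect the design avoids.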

    Start your ISMS project with ISO27001 2013 Documentation Toolkit

    ISO/IEC 27001 2005 to 2013 Gap Analysis Tool (Download)

    Download ISO27000 family of information security standards today!

    • ISO27001 2013 ISMS Requirement (Download now)

    • ISO27002 2013 Code of Practice for ISM (Download now)

    Contact us for further information or visit DISC site for our ISO27k services


    Tags: ISO 27001 2013 Gap Assessment


    Aug 10 2017

    Security Management and Governance

    Category: GRC, Information Security, ISO 27k | DISC @ 9:38 am

    • The textbook for the Open University’s postgraduate information security course.
    • The recommended textbook for all IBITGQ ISO 27001 courses.
    • Available in softcover or eBook format.



    Description

    Fully updated expert information security management and governance guidance based on the international standard for information security management, ISO 27001.

    As global threats to information security increase in frequency and severity, and organisations of all sizes, types and sectors face increased exposure to fast-evolving cyber threats, there has never been a greater need for robust information security management systems.

    Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 provides best-practice guidance for technical and non-technical managers looking to enhance their information security management systems and protect themselves against information security threats.

    This new edition of IT Governance: An International Guide to Data Security and ISO27001/ISO27002 has been fully updated to take account of current cyber security trends and advanced persistent threats, and reflects the latest regulatory and technological developments, including the 2013 updates to ISO 27001 and ISO 27002.

    Product overview

    Including coverage of key international markets, such as the UK, North America, the EU and the Asia-Pacific region, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the definitive guide to implementing an effective information security management system (ISMS), as set out in the international standard ISO 27001.

    It covers all aspects of data protection/information security, including viruses, hackers, online fraud, privacy regulations, computer misuse and investigatory powers.

    Changes introduced in this edition include:

    • Full updates in line with the 2013 revisions to the ISO 27001 standard and ISO 27002 code of practice.
    • Full coverage of changes to data protection regulations in different jurisdictions and advice on compliance.
    • Guidance on the new continual improvement model that replaces the plan-do-check-act cycle that was mandated in the 2005 iteration of ISO 27001.
    • New developments in cyber risk and mitigation practices.
    • The latest technological developments that affect IT governance and security.
    • Guidance on the new information security risk assessment process.

    IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the recommended textbook for the Open University’s postgraduate information security course and the recommended text for all IBITGQ ISO 27001 courses.



    Apr 24 2017

    Why is ISO 27001 so important for US technology firms?

    Category: ISO 27k | DISC @ 10:47 am

    by Rob Freeman

    At IT Governance, we have long known that compliance with the ISO 27001 information security management standard is essential for all US companies that wish to do business with the rest of the world. This requirement is fuelled by the ever growing threat of cybercrime and the increasing awareness of the data privacy rights of all individuals in target markets globally.

    Win international business

    To win and maintain international business, your firm needs to demonstrate that it takes cybersecurity and data privacy seriously, and fully complies with all of the relevant laws and regulations.

    This is particularly true for US technology companies, many of which deliver services and products using online web-based channels. Modern Internet marketing and sales methodology demands the acquisition of large databases of customers’ personal data. In return for purchasing goods and services, these customers expect that their data will be secured, stored, and used in an appropriate manner. From the big guys like Microsoft or Salesforce.com to the little guys trading internationally on eBay, ensuring the data security and privacy of customers is just as important as delivering a great product.

    Although now a little dated, I can recommend that you view the August news release from InsideView, a CA-based market intelligence company, which announced “InsideView Expands ISO/IEC 27001:2013 Certification to Include ISO/IEC 27018”. This somewhat innocuous headline is hiding a really big message that is buried in the second paragraph:

    A global priority

    Protection of personal information has become a globally recognized priority. Emerging regulations and frameworks, such as European Union Data Protection Directive (GDPR) and the US Department of Commerce Privacy Shield, will require data processors to provide specific protections and rights of access regarding personal information.

    “This extension of our ISO 27001 information security management system to include the ISO 27018 controls for personal data shows that InsideView is leading the market in preparation for new privacy regulations,” said Jenny Cheng, Chief Product Officer at InsideView.

    If you are not aware of the importance of ISO 27001, I can recommend that you purchase and read this textbook: IT Governance – An International Guide to Data Security and ISO27001/ISO27002, Sixth Edition.


    Apr 21 2017

    vsRisk™ risk assessment

    Category: ISO 27k, Security Risk Assessment | DISC @ 8:42 am

    vsRisk Standalone 3.0 – Brand new vsRisk™ risk assessment software available now

    vsRisk is fully aligned with ISO 27001:2013 and helps you conduct an information security risk assessment quickly and easily. The upgrade includes three key changes to functionality: custom acceptance criteria, a risk assessment wizard and control set synchronization. This major release also enables users to export the asset database in order to populate an asset management system/register.

    Price: $745.00

    Buy now

    Tags: Risk Assessment


    Feb 17 2017

    Fragmented cybersecurity regulation threatens organizations

    Category: ISO 27k, IT Governance | DISC @ 11:10 am

    Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.

    Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.

    Forbes summarizes the issue:

    “Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”

    For example, from March 1, 2017, New York financial institutions will be required to implement security measures to protect themselves against cyber attacks. They will need not only to maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, but also to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.

    Organizations also have the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST SP 800-53) for guidance on helping reduce cybersecurity risks, and many organizations are required by contract or by law to implement the framework.

    Complying with multiple cybersecurity regulations

    ISO 27001 Cybersecurity Documentation Toolkit

    Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.

    Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:

    • NIST SP 800-53
    • New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
    • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
    • ISO 27001, the internationally recognized cybersecurity framework

    Comply with multiple cybersecurity regulations

    Pre-order now >>

    Top Rated ISO 27001 Books


    Jan 09 2017

    The new CISO role: The softer side

    Category: Information Security, ISO 27k | DISC @ 12:17 pm

    Risk mitigation action points (Photo credit: Wikipedia)

    By Tracy Shumaker

    In order for CISOs to stay relevant in their field today, they must add communication and soft skills to their list of capabilities. Traditionally, their role has been to take charge of IT security. Now CISOs oversee cybersecurity and risk management systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.

    Speak in a common business language

    The CISO will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executives’ approval is required, and this will involve presenting proposals in non-technical terms.

    Being able to communicate, and having the soft skills to manage people, is a challenge CISOs face. To reach a larger audience, CISOs need to clearly explain the technical terms and acronyms that are second nature to them, and translate the cybersecurity risks to the organization into simple business vocabulary.

    Get the tools to gain the skills

    IT Governance Publishing books are written in a business language that is easy to understand even for the non-technical person. Our books and guides can help you develop the softer skills needed to communicate in order to successfully execute any cybersecurity or risk management system.

    Develop your soft skills with these books >>

    Discover the best-practice cyber risk management system, ISO 27001

    This international standard sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they face in the most cost-effective and efficient way.

    Find more information about ISO 27001 here >>

    Top Rated CISO Books

