Dec 22 2025

Compliance Isn’t Security: Baseline Controls vs. Real-World Cyber Resilience

Category: Cyber resilience,Policies & Controls,Security Compliance,Security controlsdisc7 @ 9:56 am

“Compliance isn’t security” debate

1. The core claim: Many cybersecurity professionals assert that compliance isn’t security — meaning simply meeting the letter of a standard (e.g., ISO 27001, ISO 42001, PCI, HIPAA, NIS, GDPR, DORA, Cyber Essentials) doesn’t by itself guarantee that an organization can withstand, detect, or recover from real-world attacks. Compliance frameworks typically define minimum baselines rather than prove operational resilience.

2. Why people feel this way: Critics argue that compliance programs often become checkbox exercises, focusing on documentation and audit artifacts rather than actual protective capability. Organizations can score well on audits and still suffer breaches because compliance doesn’t necessarily measure effectiveness of controls in practice.

3. Compliance vs security definitions: Compliance is essentially a benchmark against a standard — an organization either meets or fails certain requirements. Security, by contrast, is about managing risk dynamically and defending systems against evolving threats and adversaries. These two missions are related but fundamentally different in objectives and measurement.

4. The “baseline floor” perspective: Some practitioners push back on the notion that compliance has no value at all. They see compliance as providing a baseline floor of capabilities — a starting set of repeatable, measurable controls that help standardize expectations and reduce obvious, basic gaps that attackers exploit.

5. Compliance as structure: From this view, compliance frameworks give organizations a common language and structure to start measuring security efforts, track improvements over time, and communicate with boards, regulators, and insurers. Without structure, purely ad hoc security efforts can lack consistency and visibility.

6. The danger of complacency: The biggest practical risk isn’t compliance per se — it’s when organizations confuse passing an audit with being secure. Treating compliance as an end goal can create a false sense of safety, diverting resources from more effective defensive activities into chasing artifacts rather than outcomes.

7. Evolving threats vs static standards: Another common critique is that compliance frameworks often lag behind real-world threat evolution. Regulatory requirements typically update slowly, whereas attackers innovate constantly. As a result, meeting compliance may not sufficiently address emergent or advanced threats.

8. Complementary roles: Many experienced practitioners conclude that the healthiest view is neither compliance alone nor security alone. Compliance ensures visibility, documentation, and minimum control presence. Security builds on that baseline with active risk management, threat detection, and response mechanisms — which are necessary for meaningful protection.

9. Practical takeaway: In practice, compliance can serve as a foundation or enabler for security, but it should not be mistaken for security itself. Strong security programs often use compliance as a scaffolding — then extend beyond it with continuous improvement, automation, detection, response, and risk-based prioritization.

My Opinion

The statement “compliance isn’t security” is useful as a warning against complacency but overly simplistic if taken on its own. Compliance is not the security program; it’s often the starting point. Compliance frameworks help establish maturity, measure baseline controls, and satisfy regulatory or contractual requirements — all of which are valuable in risk management. However, true security requires active defense, continuous adaptation, and operational effectiveness that goes well beyond checkbox compliance. In short: compliance supports security, but it does not replace it — and treating it as an end goal can create blind spots that attackers will exploit.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Compliance ist't security

Mar 07 2025

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Category: ISO 27k,Risk Assessment,Security controls,Security Risk Assessmentdisc7 @ 6:59 am

“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”

This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:

  1. SoA Derivation from Risk Assessment
    • The SoA must be based on the risk assessment and risk treatment plan.
    • It should only include controls that were identified as necessary during the risk assessment.
    • Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
  2. Consistency with Risk Treatment Plan
    • The SoA must align with the selected risk treatment options.
    • This ensures that the controls listed in the SoA effectively address the identified risks.
  3. Justification for Controls
    • The SoA can state that all controls were chosen because they are necessary for risk treatment.
    • No separate or additional justification is needed for each individual control beyond its necessity in treating risks.

Why This Matters:

  • Ensures a risk-driven approach to control selection.
  • Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
  • Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.

Practical Example of SoA and Risk Assessment Linkage

Scenario:

A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:

  • Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
  • Risk Level: High
  • Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.

How This Affects the SoA:

  1. Control Selection:
    • The company refers to Annex A of ISO 27001 and identifies Control A.9.4.1 (Use of Secure Authentication Mechanisms) as necessary to mitigate the risk.
    • This control is added to the SoA because the risk assessment identified it as necessary.
  2. Justification in the SoA:
    • The SoA will list A.9.4.1 – Secure Authentication Mechanisms as an included control.
    • The justification can be:
      “This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.”
    • No additional justification is needed because the link to the risk assessment is sufficient.
  3. What Cannot Be Done:
    • The company cannot arbitrarily add a control, such as A.14.2.9 (Protection of Test Data), unless it was identified as necessary in the risk assessment.
    • Adding controls without risk justification would violate ISO 27005’s requirement for consistency.

Key Takeaways:

  • Every control in the SoA must be traceable to a risk.
  • The SoA cannot contain controls that were not justified in the risk assessment.
  • Justification for controls can be standardized, reducing documentation overhead.

This approach ensures that the ISMS remains risk-based, justifiable, and auditable.

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: #InfoSec, #RiskAssessment, AnnexA, Information Security Management System, isms, iso 27001, Risk management, security controls, SoA

Apr 10 2024

New SharePoint Technique Lets Hackers Bypass Security Measures

Category: Hacking,Security controlsdisc7 @ 9:36 am
New SharePoint Technique Lets Hackers Bypass Security Measures

Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

Open-In-App Method

The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

The exploitation of this method can be carried out manually or automated through a PowerShell script.

When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

SkyDriveSync User-Agent

The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

Microsoft’s Response And Security Patch Backlog

Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

Permissions Management in SharePoint Online – A Practical Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: SharePoint

Dec 13 2023

Which cybersecurity controls are organizations struggling with?

Category: cyber security,Security controlsdisc7 @ 7:58 am
Which cybersecurity controls are organizations struggling with?

How well are organizations implementing cybersecurity controls within the Minimum Viable Secure Product (MVSP) framework? A recent examination conducted by Bitsight and Google indicates a mix of positive and negative outcomes, highlighting areas where enhancement is needed.

What is MVSP?

Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational.

For the “Cybersecurity Control Insights: An Analysis of Organizational Performance” study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the MVSP framework.

The study analyzed the cybersecurity performance of nearly 100,000 organizations around the world across nine industries. Bitsight mapped its risk vectors to 16 of the MVSP controls and reported performance in 2023 and over time (most recently March 2023). Google validated the statistical approach employed in this analysis.

Are organizations meeting cybersecurity performance standards?

The study found that while every industry in 2023 has a high Pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents.

The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches.

Notably, 2023 Computer Software industry Fail rates for Dependency Patching and Time to Fix Vulnerabilities — which map to Bitsight analytics correlating to the likelihood of a breach — did not improve from 2020 rates as much as the macro average, leaving other industries vulnerable to third-party risk given their reliance on computer software.

But, organizations did have near-100% Pass rates for the following areas:

  • Data handling
  • Incident handling
  • Logging
  • Logical access

They also had high Pass rates for Customer training (contributing to a safer third-party digital ecosystem) and Training (organizations are taking training efforts seriously as human error can have serious consequences).

Organizations across all industries are struggling with controls critical to the health of an organization’s vulnerability management program, Bitsight found.

Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries.

Finally, there has been a decline in use of security headers, including in the computer software industry.

“We expected CS to outperform in most respects but that is not what we observed. CS’s stagnation — and at times underperformance — may be attributed to many factors, including workforce challenges, rising asset inventories, lacking cybersecurity tools, and more,” the analysts noted.

Keeping up with threats

Business leaders around the world need to understand where their companies’ vulnerabilities lie and how they match up with others to better manage increasingly complex cyber risks and stakeholder demands. By understanding the pass and fail rates of MVSP controls organizations will be better armed with the knowledge to benchmark their security performance and improve their cybersecurity strategies to mitigate and reduce vulnerability.

“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google.

“If organizations want to build and maintain a mature security posture in today’s turbulent and fast moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”

Security Controls Evaluation, Testing, and Assessment Handbook

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cybersecurity controls

Sep 10 2023

Security Controls and Vulnerability Management

Category: Information Security,Security controls,Security Tools,Security vulnerabilitiesdisc7 @ 9:29 am

IS27002 Control:-Vulnerability Management
Why penetration test is important for an organization.
Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Hacking-Tool-cheatsheetDownload

Linux Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: vulnerability management

Jun 23 2022

How Is Hospital Critical Infrastructure Protected?

Category: Access Control,hipaa,Policies & Controls,Security controlsDISC @ 3:01 pm
How Is Hospital Critical Infrastructure Protected?

Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.

Table of Contents

  1. Hospitals as an important part of the critical infrastructure
  2. Hospitals need special protection to keep patients safe.
  3. Some Of the Specific Things That Can Be Done to Protect Hospitals Against Cyberattacks
  4. There are various practices and systems in place to protect critical infrastructure and hospitals.
  5. Is there anything hospital patients can do to reduce their risk?
  6. Conclusion

How-Is-Hospital-Critical-Infrastructure-Protected

Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Hospital Critical Infrastructure

May 17 2022

Weak Security Controls and Practices

Category: Security controlsDISC @ 9:46 pm

Weak-Security-Controls-and-Practices-1Download

Guide to Understanding Security Controls NIST SP-800 Rev 5

Security Controls Evaluation, Testing, and Assessment Handbook

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Weak Security Controls