Sep 26 2025

Aligning risk management policy with ISO 42001 requirements

ISO/IEC 42001 specifies requirements for an AI management system (AIMS) covering AI risk management and governance, so aligning your risk management policy with it means integrating AI-specific considerations alongside your existing risk framework. Here’s a structured approach:


1. Understand ISO 42001 Scope and Requirements

  • ISO 42001 sets standards for AI governance, risk management, and compliance across the AI lifecycle.
  • Key areas include:
    • Risk identification and assessment for AI systems.
    • Mitigation strategies for bias, errors, security, and ethical concerns.
    • Transparency, explainability, and accountability of AI models.
    • Compliance with legal and regulatory requirements (GDPR, EU AI Act, etc.).


2. Map Your Current Risk Policy

  • Identify where your existing policy addresses:
    • Risk assessment methodology
    • Roles and responsibilities
    • Monitoring and reporting
    • Incident response and corrective actions
  • Note gaps related to AI-specific risks, such as algorithmic bias, model explainability, or data provenance.


3. Integrate AI-Specific Risk Controls

  • AI Risk Identification: Add controls for data quality, model performance, and potential bias.
  • Risk Assessment: Include likelihood, impact, and regulatory consequences of AI failures.
  • Mitigation Strategies: Document methods like model testing, monitoring, human-in-the-loop review, or bias audits.
  • Governance & Accountability: Assign clear ownership for AI system oversight and compliance reporting.


4. Ensure Regulatory and Ethical Alignment

  • Map your AI systems against applicable standards:
    • EU AI Act (high-risk AI systems)
    • GDPR or HIPAA for data privacy
    • ISO 31000 for general risk management principles
  • Document how your policy addresses ethical AI principles, including fairness, transparency, and accountability.


5. Update Policy Language and Procedures

  • Add a dedicated “AI Risk Management” section to your policy.
  • Include:
    • Scope of AI systems covered
    • Risk assessment processes
    • Monitoring and reporting requirements
    • Training and awareness for stakeholders
  • Ensure alignment with the ISO 42001 clauses the policy must satisfy: Clause 6.1.2 (AI risk assessment), 6.1.3 (AI risk treatment), 6.1.4 (AI system impact assessment) and Clause 9.1 (monitoring, measurement, analysis and evaluation).


6. Implement Monitoring and Continuous Improvement

  • Establish KPIs and metrics for AI risk monitoring.
  • Include regular audits and reviews to ensure AI systems remain compliant.
  • Integrate lessons learned into updates of the policy and risk register.


7. Documentation and Evidence

  • Keep records of:
    • AI risk assessments
    • Mitigation plans
    • Compliance checks
    • Incident responses
  • This will support ISO 42001 certification or internal audits.

Mastering ISO 23894 – AI Risk Management: The AI Risk Management Blueprint | AI Lifecycle and Risk Management Demystified | AI Risk Mastery with ISO 23894 | Navigating the AI Lifecycle with Confidence

AI Compliance in M&A: Essential Due Diligence Checklist

DISC InfoSec’s earlier posts on the AI topic

AIMS ISO42001 Data governance

AI is Powerful—But Risky. ISO/IEC 42001 Can Help You Govern It

Secure Your Business. Simplify Compliance. Gain Peace of Mind

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: AI Risk Management, AIMS, ISO 42001


Jul 31 2025

Governance Over Guesswork: A Strategic Approach to AI Risk Assessment

Category: AI, Security Risk Assessment | disc7 @ 12:22 pm

“How to Conduct an AI Risk Assessment” (Nudge Security)

  1. Rising AI Risks Demand Structured Assessment
    As generative AI use spreads rapidly within organizations, informal tool adoption is creating governance blind spots. Although many have moved past initial panic, daily emergence of new AI tools continues to raise security and compliance concerns.
  2. Discovery Is the Foundation
    A critical first step is discovering the AI tools being used across the organization—including those introduced outside IT’s visibility. Without automated inventory, you can’t secure or govern what you don’t know exists.
  3. Integration Mapping Is Essential
    Next, map which AI tools are integrated into core business systems. Review OAuth grants, APIs and app connections to identify potential data leakage pathways. Ask: what data is shared, who approved it, and how are identities protected?
  4. Supply‑Chain & Vendor Exposure
    Don’t overlook the AI used by SaaS vendors in your ecosystem. Many rely on third-party AI providers—necessitating detailed scrutiny of vendor AI supply chains, sub-processors, and third- or fourth-party data flow.
  5. Governance Framework Alignment
    To structure assessments, organizations should anchor AI risk work within recognized frameworks like NIST AI RMF, ISO 42001, EU AI Act, and ISO 27001/SOC 2. This helps ensure consistency and traceability.
  6. Security Controls & Monitoring
    Risk evaluation should include access controls (e.g. RBAC), data encryption, audit logs, and consistent vendor security reviews. Continuous monitoring helps detect anomalies in AI usage.
  7. Human‑Centric Governance
    AI risk management isn’t just technical—it’s behavioral. Real-time nudges, just-in-time policy guidance, and education help users avoid risky behavior before it occurs. Nudge Security emphasizes user-friendly interventions.
  8. Continuous Feedback & Iteration
    Governance must be dynamic. Policies, tool inventories, and risk assessments need regular updates as tools evolve, use cases change, and new regulations emerge.
  9. Make the Case with Visibility
    Platforms like Nudge Security offer SaaS and AI discovery, tracking supply‑chain exposure, and enabling just‑in‑time governance nudges that guide secure user behavior without slowing innovation.
  10. Mitigating Technical Threats
    Governance also requires awareness of specific AI threats—like prompt injection, adversarial manipulation, supply‑chain exploitation, or agentic‑AI misuse—all of which require both automated guardrails and red‑teaming strategies.

10 Best Questions to Ask When Evaluating an AI Vendor

  1. What automated discovery mechanisms do you support to detect both known and unknown AI tools in use across the organization?
  2. Can you map integrations between your AI platform and core systems or SaaS tools, including OAuth grants and third-party processors?
  3. Do you publish an AI Bill of Materials (AIBOM) that details underlying AI models and third‑party suppliers or sub‑processors?
  4. How do you support alignment with frameworks like NIST AI RMF, ISO 42001, or the EU AI Act during risk assessments?
  5. What data protection measures do you implement—such as encryption, RBAC, retention controls, and audit logging?
  6. How do you help organizations govern shadow AI usage at scale, including user Nudges or real-time policy enforcement?
  7. Do you provide continuous monitoring and alerting for anomalous or potentially risky AI usage patterns?
  8. What defenses do you offer against specific AI threats, such as prompt injection, model adversarial attacks, or agentic AI exploitation?
  9. Have you been independently assessed or certified against any AI or security standards—SOC 2, ISO 27001, ISO 42001 or AI-specific audits?
  10. How do you support vendor governance—e.g., tracking whether third- and fourth‑party SaaS providers in your ecosystem are using AI in ways that might impact our risk profile?

AI Risk Management, Analysis, and Assessment

Understanding the EU AI Act: A Risk-Based Framework for Trustworthy AI – Implications for U.S. Organizations

What are the benefits of AI certification Like AICP by EXIN

Think Before You Share: The Hidden Privacy Costs of AI Convenience

The AI Readiness Gap: High Usage, Low Security

Mitigate and adapt with AICM (AI Controls Matrix)


Tags: AI Risk Management, Analysis, and Assessment


Jul 29 2025

How is AI transforming the hacking landscape, and how can different standards and regulations help mitigate these emerging threats?

Category: AI, Security Risk Assessment | disc7 @ 1:39 pm

AI is enhancing both offensive and defensive cyber capabilities. Attackers use AI for automated phishing, malware generation, and evading detection. On the other side, defenders use AI for threat detection, behavioral analysis, and faster response. Standards like ISO/IEC 27001, ISO/IEC 42001, NIST AI RMF, and the EU AI Act promote secure AI development, risk-based controls, AI governance and transparency, helping to reduce the misuse of AI in cyberattacks. Regulations enforce accountability, transparency and trustworthiness, especially for high-risk systems, and create a framework for safe AI innovation.

Regulations enforce accountability and support safe AI innovation in several key ways:

  1. Defined Risk Categories: Laws like the EU AI Act classify AI systems by risk level (e.g., unacceptable, high, limited, minimal), requiring stricter controls for high-risk applications. This ensures appropriate safeguards are in place based on potential harm.
  2. Documented Compliance Requirements: Frameworks such as ISO/IEC 42001 (a certifiable, voluntary standard) or the NIST AI RMF (voluntary guidance) help organizations implement risk management processes, conduct impact assessments, and maintain documentation. Regulators and auditors can review these artifacts to confirm responsible use.
  3. Transparency and Explainability: Many regulations require that AI systems—especially those used in sensitive areas like finance, health, or law—be explainable and auditable, which builds trust and deters misuse.
  4. Human Oversight: Regulations often mandate human-in-the-loop or human-on-the-loop controls to prevent fully autonomous decision-making in critical scenarios, minimizing the risk of AI causing unintended harm.
  5. Accountability for Outcomes: By assigning responsibility to providers, deployers, or users of AI systems, regulations like the EU AI Act make it clear who is liable for breaches, misuse, or failures, discouraging reckless or opaque deployments.
  6. Security and Robustness Requirements: Regulations often require AI to be tested against adversarial attacks and ensure resilience against manipulation, helping mitigate risks from malicious actors.
  7. Innovation Sandboxes: Some regulatory frameworks allow for “sandboxes” where AI systems can be tested under regulatory supervision. This encourages innovation while managing risk.

In short, regulations don’t just restrict—they guide safe development, reduce uncertainty, and encourage trust in AI systems, which is essential for long-term innovation.

For a solid starting point in safe AI development and building trust, I recommend:

  1. ISO/IEC 42001 (Artificial Intelligence Management System)
    • Focuses on establishing a management system specifically for AI, covering risk management, governance, and ethical considerations.
    • Helps organizations integrate AI safety into existing processes.
  2. NIST AI Risk Management Framework (AI RMF)
    • Provides a practical, flexible approach to identifying and managing AI risks throughout the system lifecycle.
    • Emphasizes trustworthiness, transparency, and accountability.
  3. EU Artificial Intelligence Act (Regulation (EU) 2024/1689)
    • Sets clear legal requirements for AI systems based on risk levels.
    • Encourages transparency, robustness, and human oversight, especially for high-risk AI applications.

Starting with ISO/IEC 42001 or the NIST AI RMF is great for internal governance and risk management, while the EU AI Act is important if you operate in or with the European market due to its legal enforceability.

Together, these standards and regulations provide a comprehensive foundation to develop AI responsibly, foster trust with users, and enable innovation within safe boundaries.

Securing Generative AI : Protecting Your AI Systems from Emerging Threats


Tags: emerging AI threats, hacking landscape


Jul 08 2025

Stop Managing Risks—Start Enabling Better Decisions

Most risk assessments fail to support real decisions. Learn how to turn risk management into a strategic advantage, not just a compliance task.

1.
In many organizations, risk assessments are treated as checklist exercises—completed to meet compliance requirements, not to drive action. They often lack relevance to current business decisions and serve more as formalities than strategic tools.

2.
When no real decision is being considered, a risk assessment becomes little more than paperwork. It consumes time, effort, and even credibility without providing meaningful value to the business. In such cases, risk teams risk becoming disconnected from the core priorities of the organization.

3.
This disconnect is reflected in recent research. According to PwC’s 2023 Global Risk Survey, while 73% of executives agree that risk management is critical to strategic decisions, only 22% believe it is effectively influencing those decisions. Gartner’s 2023 survey also found that over half of organizations see risk functions as too siloed to support enterprise-wide decisions.

4.
Even more concerning is the finding from NC State’s ERM Initiative: over 60% of risk assessments are performed without a clear decision-making context. This means that most risk work happens in a vacuum, far removed from the actual choices business leaders are making.

5.
Risk management should not be a separate track from business—it should be a core driver of decision-making under uncertainty. Its value lies in making trade-offs explicit, identifying blind spots, and empowering leaders to act with clarity and confidence.

6.
Before launching into a new risk register update or a 100-plus-page report, organizations should ask a sharper, business-focused question: What business decision are we trying to support with this assessment? When risk is framed this way, it becomes a strategic advantage, not an overhead cost.

7.
By shifting focus from managing risks to enabling better decisions, risk management becomes a force multiplier for strategy, innovation, and resilience. It helps business leaders act not just with caution—but with confidence.


Conclusion
A well-executed risk assessment helps businesses prioritize what matters, allocate resources wisely, and protect value while pursuing growth. To be effective, risk assessments must be decision-driven, timely, and integrated into business conversations. Don’t treat them as routine reports—use them as decision tools that connect uncertainty to action.

Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Enterprise Risk Management


Tags: Business Enabler, Enabling Better Decisions


Jun 30 2025

Why AI agents could be the next insider threat

Category: AI, Risk Assessment, Security Risk Assessment | disc7 @ 5:11 pm

1. Invisible, Over‑Privileged Agents
Help Net Security highlights how AI agents—autonomous software acting on behalf of users—are increasingly embedded in enterprise systems without proper oversight. They often receive excessive permissions, operate unnoticed, and remain outside traditional identity governance controls.

2. Critical Risks in Healthcare
Arun Shrestha from BeyondID emphasizes the healthcare sector’s vulnerability. AI agents there handle Protected Health Information (PHI) and system access, increasing risks to patient privacy, safety, and regulatory compliance (e.g., HIPAA).

3. Identity Blind Spots
Research shows many firms lack clarity about which AI agents have access to critical systems. AI agents can impersonate users or take unauthorized actions—yet these “non‑human identities” are seldom treated as significant security threats.

4. Growing Threat from Impersonation
TechRepublic’s data indicates only roughly 30% of US organizations map AI agent access, and 37% express concern over agents posing as users. In healthcare, up to 61% report experiencing attacks involving AI agents.

5. Five Mitigation Steps
Shrestha outlines five key defenses: (1) inventory AI agents, (2) enforce least privilege, (3) monitor their actions, (4) integrate them into identity governance processes, and (5) establish human oversight—ensuring no agent operates unchecked.

6. Broader Context
This video builds on earlier insights about securing agentic AI, such as monitoring, prompt‑injection protection, and privilege scoping. The core call: treat AI agents like any high-risk insider.
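The five mitigation steps above (inventory, least privilege, monitoring, identity governance, human oversight) and the “Integration Mapping” step of the Nudge Security summary earlier on this page (review OAuth grants, APIs and app connections; ask what data is shared and who approved it) can be turned into one repeatable triage. The Python script below is an added example written for this page, not code from Help Net Security, BeyondID or Nudge Security. The integration inventory, the scope names and their sensitivity weights, the owner addresses and the audit-log lines are all constructed for illustration; in practice they would come from your IdP’s OAuth-consent export, your agent/service-account registry and your audit logs.

```python
"""Triage AI integrations (OAuth app grants and agent service identities).

Added example for this page; the inventory, scope names, weights, owners and
audit-log lines are constructed, not real data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Assumed sensitivity weights per scope (modelled on common OAuth scope
# conventions; real IdP scope strings will differ). 5 = insider-equivalent.
SCOPE_WEIGHT: Dict[str, int] = {
    "calendar.readonly": 1,
    "drive.readonly": 2,
    "directory.users.read": 2,
    "mail.readonly": 3,
    "drive.full": 4,
    "hr.records.read": 4,
    "phi.read": 5,
    "impersonate_user": 5,   # act-as-user: the agent can pose as a person
}
HIGH_THRESHOLD = 4


@dataclass
class Integration:
    name: str                     # identity as it appears in audit logs
    kind: str                     # "oauth_app" or "agent"
    granted: Set[str]             # scopes granted at consent/provisioning time
    owner: Optional[str] = None   # accountable human, None = nobody
    approved: bool = False        # recorded business approval


@dataclass
class Finding:
    name: str
    score: int = 0
    unused_scopes: Set[str] = field(default_factory=set)
    issues: List[str] = field(default_factory=list)


def parse_audit_log(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Build {identity: scopes actually exercised} from 'ts identity scope' lines."""
    used: Dict[str, Set[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _ts, ident, scope = line.split()
        used.setdefault(ident, set()).add(scope)
    return used


def triage(inventory: Iterable[Integration],
           used: Dict[str, Set[str]]) -> List[Finding]:
    """Apply the inventory / least-privilege / ownership / oversight checks."""
    findings = []
    for item in inventory:
        f = Finding(name=item.name)
        f.score = sum(SCOPE_WEIGHT.get(s, 1) for s in item.granted)
        high = sorted(s for s in item.granted
                      if SCOPE_WEIGHT.get(s, 1) >= HIGH_THRESHOLD)
        if high:
            f.issues.append(f"high-sensitivity scopes: {high}")
        if "impersonate_user" in item.granted:
            f.issues.append("can act as users: treat as an insider")
        # Least privilege: granted but never exercised in the log window.
        f.unused_scopes = item.granted - used.get(item.name, set())
        if f.unused_scopes:
            f.issues.append(f"never-used scopes, revoke candidates: "
                            f"{sorted(f.unused_scopes)}")
        if item.owner is None:
            f.issues.append("no accountable owner")
        if not item.approved:
            f.issues.append("no recorded approval (shadow AI)")
        findings.append(f)
    # Highest-privilege identities first.
    return sorted(findings, key=lambda x: -x.score)


# Constructed inventory (assumption: what an IdP/SaaS export would give you).
INVENTORY = [
    Integration("notes-summarizer", "oauth_app",
                {"mail.readonly", "drive.full", "calendar.readonly"}),
    Integration("ticket-triage-agent", "agent",
                {"directory.users.read", "impersonate_user"},
                owner="svc-owner@example.com", approved=True),
    Integration("meeting-bot", "oauth_app", {"calendar.readonly"},
                owner="alice@example.com", approved=True),
]

# Constructed audit-log excerpt: timestamp, identity, scope exercised.
AUDIT_LOG = """
# ts identity scope
2025-06-01T09:12:00Z notes-summarizer mail.readonly
2025-06-01T09:13:00Z notes-summarizer calendar.readonly
2025-06-02T10:00:00Z ticket-triage-agent directory.users.read
2025-06-02T10:05:00Z meeting-bot calendar.readonly
""".splitlines()


def run_example() -> List[Finding]:
    return triage(INVENTORY, parse_audit_log(AUDIT_LOG))


if __name__ == "__main__":
    for f in run_example():
        status = "OK" if not f.issues else f"{len(f.issues)} issue(s)"
        print(f"{f.name} (score {f.score}): {status}")
        for issue in f.issues:
            print(f"  - {issue}")
```

Run as-is and the unapproved, ownerless “notes-summarizer” app comes out first: it holds full Drive access that the log window never shows it using, which is exactly the grant to revoke. The ticket agent is owned and approved, but its impersonation scope is flagged regardless of use, because an identity that can act as a person has to be governed like one. The same comparison of granted versus exercised scopes is what the step-4 identity-governance review should feed back into each access recertification.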


📝 Feedback (7th paragraph):
This adeptly brings attention to a critical and often overlooked risk: AI agents as non‑human insiders. The healthcare case strengthens the urgency, yet adding quantitative data—such as what percentage of enterprises currently enforce least privilege on agents—would provide stronger impact. Explaining how to align these steps with existing frameworks like ISO 27001 or NIST would add practical value. Overall, it raises awareness and offers actionable controls, but would benefit from deeper technical guidance and benchmarks to empower concrete implementation.

Source Help Net security: Why AI agents could be the next insider threat

Agentic AI: Navigating Risks and Security Challenges

Artificial Intelligence: The Next Battlefield in Cybersecurity

AI and The Future of Cybersecurity: Navigating the New Digital Battlefield

“Whether you’re a technology professional, policymaker, academic, or simply a curious reader, this book will arm you with the knowledge to navigate the complex intersection of AI, security, and society.”

AI Governance Is a Boardroom Imperative—The SEC Just Raised the Stakes on AI Hype

How AI Is Transforming the Cybersecurity Leadership Playbook

Previous AI posts

IBM’s model-routing approach

Top 5 AI-Powered Scams to Watch Out for in 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

AI in the Workplace: Replacing Tasks, Not People

Why CISOs Must Prioritize Data Provenance in AI Governance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Digital Ethics in the Age of AI 


Tags: AI Agents, Insider Threat


Jun 18 2025

DISC WinerySecure™: Cybersecurity & Compliance Services for California Wineries

Overview: DISC WinerySecure™ is a tailored cybersecurity and compliance service for small and mid-sized wineries. These businesses are increasingly reliant on digital systems (POS, ecommerce, wine clubs), yet often lack dedicated security staff. Our solution is cost-effective, easy to adopt, and customized to the wine industry.

Wineries may not seem like obvious cyber targets, but they hold valuable data—customer and employee details like social security numbers, payment info, and birthdates—that cybercriminals can exploit for identity theft and sell on the dark web. Even business financials are at risk.


Target Clients:

  • We care for the planet and your data
  • Wineries invest in luxury branding
  • Wineries considering mergers and acquisitions.
  • Wineries with 50–1000 employees
  • Using POS, wine club software, ecommerce, or logistics systems
  • Limited or no in-house IT/security expertise

🍷 Cyber & Compliance Protection for Wineries

Helping Napa & Sonoma Wineries Stay Secure, Compliant, and Trusted


🛡️ Why Wineries Are at Risk

Wineries today handle more sensitive data than ever—credit cards, wine club memberships, ecommerce sales, shipping details, and supplier records. Yet many rely on legacy systems, lack dedicated IT teams, and operate in a complex regulatory environment.

Cybercriminals know this.
Wineries have become easy, high-value targets.


Our Services

We offer fractional vCISO and compliance consulting tailored for small and mid-sized wineries:

  • 🔒 Cybersecurity Risk Assessment – Discover hidden vulnerabilities in your systems, Wi-Fi, and employee habits.
  • 📜 CCPA/CPRA Privacy Compliance – Ensure you’re protecting your customers’ personal data the California way.
  • 🧪 Phishing & Ransomware Defense – Train your team to spot threats and test your defenses before attackers do.
  • 🧰 Security Maturity Roadmap – Practical, phased improvements aligned with your business goals and brand.
  • 🧾 Simple Risk Scorecard – A 10-page report you can share with investors, insurers, or partners.


🎯 Who This Is For

  • Family-run or boutique wineries with direct-to-consumer operations
  • Wineries investing in digital growth, but unsure how secure it is
  • Teams managing POS, ecommerce, club CRMs, M&A and vendor integrations


💡 Why It Matters

  • 🏷️ Protect your brand reputation—especially with affluent wine club customers
  • 💸 Avoid fines and lawsuits from privacy violations or breaches
  • 🛍️ Boost customer confidence—safety sells
  • 📉 Reduce downtime, ransomware risk, and compliance headaches


📞 Let’s Talk

Get a free 30-minute consultation or try our $49 Self-Assessment + 10-Page Risk Scorecard to see where you stand.

DISC InfoSec
Virtual CISO | Wine Industry Security & Compliance
📧 Info@deurainfosec.com
🌐 https://www.deurainfosec.com/

Service Bundles

1. Risk & Compliance Assessment (One-Time or Annual)

  • Winery-specific security and compliance checklist
  • Key focus: POS, ecommerce, backups, privacy laws (CCPA, CPRA, GDPR), NIST CSF, ISO 27001, SOX, PCI DSS exposure
  • Deliverable: 10-page Risk Scorecard + Executive Summary + Heat Map

2. Winery Security Essentials (Monthly)

  • Managed endpoint protection (EDR-lite)
  • Basic firewall and ISP hardening
  • 2FA setup for admin accounts
  • Phishing and email security implementation
  • POS and DTC site security guidance

3. Employee Awareness & Policy Pack

  • Annual virtual 30-minute training
  • Phishing simulations (2x/year)
  • Winery-specific security policies:
    • Acceptable Use
    • Access Control
    • Incident Response
  • Tracking of policy acceptance and training logs

4. vCISO-Lite Advisory (Quarterly)

  • Quarterly 1-hour consults with DISC vCISO
  • Audit readiness and compliance roadmap (CCPA, PCI, ISO)
  • Tech stack and vendor security guidance

Optional Add-Ons

  • Penetration test (web or cloud systems)
  • PCI-DSS SAQ support
  • Vendor security assessments
  • Business continuity/ransomware recovery plans

Pricing Tiers

Tier     | Description                      | Monthly | Annual
Starter  | Essentials + Training            | $499    | $5,500
Growth   | Starter + vCISO-Lite             | $999    | $11,000
Premium  | Growth + Add-Ons (Customizable)  | $1,499+ | Custom

Benefits for Wineries:

  • Reduces risk of ransomware, fraud, and data loss
  • Supports audit, insurance, and investor requirements
  • Protects customer data and tasting room operations
  • “Secure Winery” badge to promote trust with guests
  • In addition to winery protection, DISC specializes in securing data during mergers and acquisitions.

Next Steps: Let us prepare a customized scorecard or walk you through a free 15-minute discovery call.

Contact: info@discinfosec.com | www.discinfosec.com


Tags: California Wineries, cybersecurity, pci compliance, WinerySecure


May 07 2025

Resilience at Risk: Overlooked Threats Every Leadership Team Should Know

They’re the quiet ones—the ones that will silently gut your continuity strategy while leadership watches the wrong fire.


1️⃣ Shadow SaaS Is Out of Control
Business units are adopting tools without IT oversight—no security, no backups, no DR.
It works… until it doesn’t. Then it becomes your problem.


2️⃣ RTOs Are Fiction, Not Strategy
“30 hours” looks good—until the CEO demands answers three hours in.
If your recovery needs a miracle, it’s not a plan. It’s a pending failure.


3️⃣ Resilience Theater Is Everywhere
Policies? Written. Boxes? Checked.
But when the real incident hits, no one knows what to do. You’ve got documentation, not readiness.


4️⃣ Hidden Dependencies Will Break You
APIs, scripts, microservices—no SLAs, no visibility, no accountability.
They fail quietly. Business halts. And no one saw it coming.


5️⃣ Continuity Teams Have Quiet Quit
Resilience professionals are exhausted, underfunded, and unheard.
Their silence isn’t safety—it’s burnout. And it’s dangerous.


🔶 Resilience doesn’t fail loudly. It erodes quietly.
CISOs and leadership teams: It’s time to stop watching the wrong fire.

Security and resilience. Business continuity management systems. Requirements

Cyber Resilience – Defence-in-depth principles

Becoming Resilient – The Definitive Guide to ISO 22301 Implementation: The Plain English, Step-by-Step Handbook for Business Continuity Practitioners

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS)

ISO 22301 Free to read


Tags: Cyber Resilience


May 01 2025

ISO 27001 Compliance: Reduce Risks and Drive Business Value

ISO 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS) that protects an organization’s information assets. The standard lays out a structured, systematic approach to information security: it explicitly defines requirements that cover people, processes, and technology, and it is built on a risk-based management process. In other words, ISO 27001 requires an organization to identify its critical data and assets, assess the risks to them, and implement controls to mitigate those risks. As the AuditBoard blog explains, ISO 27001 “provid[es] a systematic approach to managing sensitive company information, and ensuring its confidentiality, integrity, and availability,” and “employ[s] a risk-based management process”​. By achieving ISO 27001 certification, a company demonstrates its commitment to security best practices and gains “improved risk management” capabilities​. In practice, this means ISO 27001 embeds risk reduction into the company’s daily operations: the organization is continually considering where its vulnerabilities lie and how to address them. This alignment of policy and process with identified risks helps prevent incidents that could lead to breaches or financial losses (outcomes the blog warns are costly for non-compliant companies​).

A core principle of ISO 27001 is systematic risk assessment. The standard mandates that organizations catalog information assets and regularly evaluate threats and vulnerabilities to those assets. This formal risk assessment process – often codified as a risk register – forces management to confront what could go wrong, estimate the likelihood and impact of each threat, and then select controls to lower that risk. The AuditBoard article highlights that effective compliance “starts with a deep understanding of your organization’s unique risk profile” through “comprehensive risk assessments that identify, analyze, and prioritize potential security threats and vulnerabilities”​. By building this into the ISMS, ISO 27001 ensures that controls are not applied haphazardly but are directly tied to the organization’s actual threat landscape. In short, ISO 27001’s risk-based approach means the organization is proactively scanning for problems, rather than only reacting after a breach occurs. This systematic identification and treatment of risks measurably lowers the chance that a threat will go unnoticed and turn into a serious incident.

Another key principle of ISO 27001 is continual improvement of the security program. ISO 27001 is inherently iterative: it follows the Plan–Do–Check–Act cycle, which requires the organization to plan security controls, implement them, monitor and review their effectiveness, and act on the findings to improve. In practice, this means an ISO 27001–certified organization must regularly review and update its security policies and controls to keep pace with new threats. The AuditBoard blog emphasizes this proactive stance: it notes that maintaining compliance “encourages businesses to regularly review and update their security policies, practices, and systems,” allowing the organization to adapt to evolving threats and maintain “long-term resilience”​. Furthermore, ISO 27001 requires ongoing monitoring and measurement of the ISMS. Automated monitoring tools, for example, can detect anomalies or intrusions in real time. The blog underlines that such continuous monitoring “strengthens an organization’s security posture” by enabling a quick response to new risks​. By continuously detecting issues and feeding back lessons learned, an ISO 27001 ISMS avoids stagnation: it evolves as the threat landscape evolves. This dedication to continual assessment and enhancement means that security controls are always improving, which keeps residual risk as low as possible over time.

ISO 27001 also enforces organizational accountability for security. It requires that top management be directly involved in the ISMS: leaders must establish a clear security policy, assign roles and responsibilities, and ensure adequate resources are available for security. Every risk and control must have an owner. The AuditBoard article reinforces this by stressing the importance of a cross-functional security team and collaboration among IT, legal, HR, and business units​. In an ISO 27001 context, this means everyone from the CISO to line managers shares responsibility for protecting data. Accountability is further ensured through documentation: ISO 27001 demands thorough records of all security processes. The blog points out that maintaining “comprehensive records of risk assessments, security controls, training activities, and incident response efforts” provides clear evidence of compliance and highlights where improvements are needed​. This audit trail makes the organization’s security posture transparent to auditors and stakeholders. In effect, ISO 27001 turns vague good intentions into concrete, assigned tasks and documented procedures, so that it is always possible to trace who did what, and to hold the organization accountable for gaps or successes alike.

By combining these elements – structured risk analysis, continuous improvement, and built-in accountability – ISO 27001 compliance significantly reduces overall organizational risk. The AuditBoard blog summarizes the core idea of compliance in cybersecurity as a security framework that can withstand emerging threats, noting that adherence to standards “ensures that organizations protect their data and build trust by demonstrating their commitment to information security”. In practical terms, this means a company with an ISO 27001 ISMS is far better equipped to prevent the “significant consequences” of non-compliance – such as data breaches, financial losses, and reputational damage. By embedding a risk-based approach into daily routines and maintaining a culture of vigilance and responsibility, ISO 27001 helps an organization identify issues early and handle them before they become disasters. Ultimately, this strong, systematic compliance posture not only shields sensitive information, but also saves the company from costly incidents – improving its bottom line and competitive standing (as noted, certification can confer a competitive edge and “improved risk management”). In summary, ISO 27001 reduces risk by making effective information security practices a formal, organization-wide process that is continuously managed and improved.

Source and full article here

ISO 27001:2022 Risk Management Steps


How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process, guiding you confidently through complex frameworks such as ISO 27001 and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with the standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Information Security Management System, iso 27001, iso 27002, ISO/IEC 27001


May 01 2025

How CISOs are transforming Third-Party Risk Management

The RSA Conference Executive Security Action Forum (ESAF) report, How Top CISOs Are Transforming Third-Party Risk Management, presents insights from Fortune 1000 Chief Information Security Officers (CISOs) on evolving strategies to manage third-party cyber risks. The report underscores the inadequacy of traditional risk management approaches and highlights innovative practices adopted by leading organizations.

1. Escalating Third-Party Risks

The report begins by emphasizing the increasing threat posed by third-party relationships. A survey revealed that 87% of Fortune 1000 companies experienced significant cyber incidents originating from third parties within a year. This statistic underscores the urgency for organizations to reassess their third-party risk management strategies.

2. Limitations of Traditional Approaches

Traditional methods, such as self-assessment questionnaires and cybersecurity ratings, are criticized for their ineffectiveness. These approaches often lack context, fail to reduce actual risk, and do not foster resilience against cyber threats. The report advocates for a shift towards more proactive and context-aware strategies.

3. Innovative Strategies by Leading CISOs

In response to these challenges, top CISOs are implementing bold new approaches. These include establishing prioritized security requirements, setting clear deadlines for control implementations, incorporating enforcement clauses in contracts, and assisting third parties in acquiring necessary security technologies and services. Such measures aim to enhance the overall security posture of both the organization and its partners.

4. Emphasizing Business Leadership and Resilience

The report highlights the importance of involving business leaders in managing cyber risks. By integrating cybersecurity considerations into business decisions and fostering a culture of resilience, organizations can better prepare for and respond to third-party incidents. This holistic approach ensures that cybersecurity is not siloed but is a shared responsibility across the enterprise.

5. Case Studies Demonstrating Effective Practices

Six cross-sector case studies are presented, showcasing how organizations in industries like defense, healthcare, insurance, manufacturing, and technology are successfully transforming their third-party risk management. These real-world examples provide valuable insights into the practical application of the recommended strategies and their positive outcomes.

6. The Role of Technology and Security Vendors

The report calls upon technology and security vendors to play a pivotal role in minimizing complexities and reducing costs associated with third-party risk management. By collaborating with organizations, vendors can develop solutions that are more aligned with the evolving cybersecurity landscape and the specific needs of businesses.

7. Industry Collaboration for Systemic Change

Recognizing that third-party risk is a widespread issue, the report advocates for industry-wide collaboration. Establishing common standards, sharing best practices, and engaging in joint initiatives can lead to systemic changes that enhance the security of the broader ecosystem. Such collective efforts are essential for addressing the complexities of modern cyber threats.

8. Moving Forward with Proactive Measures

The ESAF report concludes by encouraging organizations to adopt proactive measures in managing third-party risks. By moving beyond traditional methods and embracing innovative, collaborative, and resilient strategies, businesses can better safeguard themselves against the evolving threat landscape. The insights provided serve as a roadmap for organizations aiming to strengthen their cybersecurity frameworks in partnership with their third parties.

Sources and full article here

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Navigating Supply Chain Cyber Risk 

DISC InfoSec offers a free initial high-level assessment. Based on your needs, DISC InfoSec offers ongoing compliance management or a vCISO retainer.


Tags: Third-party risk management


Apr 29 2025

ISO 27001:2022 Risk Management Steps

The document “Step-by-Step Explanation of ISO 27001/ISO 27005 Risk Management” by Advisera Expert Solutions offers a comprehensive guide to implementing effective information security risk management in alignment with ISO 27001 and ISO 27005. It aims to demystify the process, providing practical steps for organizations to identify, assess, and treat information security risks efficiently.

1. Introduction to Risk Management

Risk management is essential for organizations to maintain competitiveness and achieve objectives. It involves identifying, evaluating, and treating risks, particularly those related to information security. The document emphasizes that while risk management can be complex, it doesn’t have to be unnecessarily complicated. By adopting structured methodologies, organizations can manage risks effectively without excessive complexity.

2. Six Basic Steps of ISO 27001 Risk Assessment and Treatment

The risk management process is broken down into six fundamental steps:

  1. Risk Assessment Methodology: Establishing consistent rules for conducting risk assessments across the organization (the scales, the criteria for accepting risk, and who performs the assessment).
  2. Risk Assessment Implementation: Identifying potential problems, analyzing, and evaluating risks to determine which need treatment.
  3. Risk Treatment Implementation: Developing cost-effective strategies to mitigate identified risks.
  4. ISMS Risk Assessment Report: Documenting all activities undertaken during the risk assessment process.
  5. Statement of Applicability: Listing every Annex A control, whether it is included or excluded and why, and the implementation status of each included control; it summarizes the results of risk treatment and is a key document for auditors.
  6. Risk Treatment Plan: Outlining the implementation of controls, including responsibilities, timelines, and budgets.

Management approval is crucial for the Risk Treatment Plan to ensure the necessary resources and commitment for implementation.

3. Crafting the Risk Assessment Methodology

Developing a clear risk assessment methodology is vital. This involves defining how risks will be identified, analyzed, and evaluated. The methodology should ensure consistency and objectivity, allowing for repeatable and comparable assessments. It should also align with the organization’s context, considering its specific needs and risk appetite.

4. Identifying Risks: Assets, Threats, and Vulnerabilities

Effective risk identification requires understanding the organization’s assets, potential threats, and vulnerabilities. This step involves creating an inventory of information assets and analyzing how they could be compromised. By mapping threats and vulnerabilities to assets, organizations can pinpoint specific risks that need to be addressed.

5. Assessing Consequences and Likelihood

Once risks are identified, assessing their potential impact and the likelihood of occurrence is essential. This evaluation helps prioritize risks based on their severity and probability, guiding the organization in focusing its resources on the most significant threats. Both qualitative and quantitative methods can be employed to assess risks effectively.

6. Implementing Risk Treatment Strategies

After assessing risks, organizations must decide on appropriate treatment strategies. Options include avoiding, transferring, mitigating, or accepting risks. Selecting suitable controls, typically from ISO 27001 Annex A (the standard also allows controls designed in-house or taken from other sources, but Annex A must be used to check that no necessary control has been omitted), and integrating them into the Risk Treatment Plan ensures that identified risks are managed appropriately. The plan should detail the implementation process, including responsible parties and timelines.

7. Importance of Documentation and Continuous Improvement

Documentation plays a critical role in the risk management process. The ISMS Risk Assessment Report and Statement of Applicability provide evidence of the organization’s risk management activities and decisions. These documents are essential for audits and ongoing monitoring. Furthermore, risk management should be a continuous process, with regular reviews and updates to adapt to changing threats and organizational contexts.

By following these structured steps, organizations can establish a robust risk management framework that aligns with ISO 27001 and ISO 27005 standards, enhancing their information security posture and resilience.

Information Security Risk Management for ISO 27001/ISO 27002


Tags: iso 27001, iso 27005, Risk Assessment, Risk management


Mar 26 2025

How to Begin with Cybersecurity Risk Management

Cyber security risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.

When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.

Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.

Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.

Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.

Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.

A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.
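
The scale definitions and heat map described above, as an added example that is not part of the original post. The likelihood frequencies, the per-category thresholds (financial in USD, operational in hours of disruption, reputational as an ordinal level from customer complaints up to national media) and the four sample risks are constructed assumptions; an organization substitutes the values from its own risk assessment methodology. The overall impact of a risk is the worst of its category scores, which is what lets a safety or operational impact drive the rating even when the financial figure is small.

```python
"""Multi-category impact scales, a likelihood scale and a 5x5 risk heat map.

Added example; the scales, thresholds and sample risks are assumptions, not
values from the original post or from any standard.
"""
from dataclasses import dataclass

# Likelihood levels, least to most likely. Each level is defined by the minimum
# expected frequency of occurrence per year (assumed): once in ten years,
# once in two years, yearly, monthly, weekly.
LIKELIHOOD_LEVELS = ["very unlikely", "unlikely", "possible", "likely", "very likely"]
LIKELIHOOD_ABBR = ["VU", "U", "P", "L", "VL"]
LIKELIHOOD_MIN_PER_YEAR = [0.1, 0.5, 1.0, 12.0, 52.0]

IMPACT_LEVELS = ["minimal", "minor", "moderate", "major", "catastrophic"]

# Per-category thresholds (assumed): the smallest raw value that reaches minor,
# moderate, major and catastrophic respectively. Below the first is minimal.
IMPACT_THRESHOLDS = {
    "financial_usd": [10_000, 100_000, 1_000_000, 10_000_000],
    "operational_hours": [1, 8, 24, 72],
    "reputational_level": [1, 2, 3, 4],  # 1 customer complaints ... 4 national media
}


def likelihood_score(events_per_year: float) -> int:
    """0..4 index into LIKELIHOOD_LEVELS for an estimated annual frequency."""
    score = 0
    for idx, minimum in enumerate(LIKELIHOOD_MIN_PER_YEAR):
        if events_per_year >= minimum:
            score = idx
    return score


def impact_score(category: str, value: float) -> int:
    """0..4 index into IMPACT_LEVELS for a raw value in one impact category."""
    score = 0
    for idx, threshold in enumerate(IMPACT_THRESHOLDS[category]):
        if value >= threshold:
            score = idx + 1
    return score


def risk_rating(likelihood: int, impact: int) -> str:
    """Heat map band from the product of the 1-based scores.
    Assumed bands on the 5x5 grid: 1-4 low, 5-12 medium, 15-25 high."""
    score = (likelihood + 1) * (impact + 1)
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    events_per_year: float
    impacts: dict  # category name -> raw value in that category's unit

    def likelihood(self) -> int:
        return likelihood_score(self.events_per_year)

    def impact(self) -> int:
        # Overall impact is the worst category: a risk that costs little but
        # causes days of disruption is still rated on the disruption.
        return max(impact_score(c, v) for c, v in self.impacts.items())

    def rating(self) -> str:
        return risk_rating(self.likelihood(), self.impact())


# Constructed sample register (assumed values).
SAMPLE_RISKS = [
    Risk("Ransomware encrypts file servers", 1.0,
         {"financial_usd": 2_000_000, "operational_hours": 48, "reputational_level": 4}),
    Risk("Phishing leads to mailbox compromise", 12.0,
         {"financial_usd": 50_000, "operational_hours": 4, "reputational_level": 1}),
    Risk("Encrypted laptop lost in transit", 2.0,
         {"financial_usd": 5_000, "operational_hours": 0.5, "reputational_level": 0}),
    Risk("Backups fail during a full restore", 0.1,
         {"financial_usd": 500_000, "operational_hours": 100, "reputational_level": 2}),
]


def heat_map(risks):
    """Place each risk in its (likelihood, impact) cell of the 5x5 grid."""
    grid = {(l, i): [] for l in range(5) for i in range(5)}
    for risk in risks:
        grid[(risk.likelihood(), risk.impact())].append(risk.name)
    return grid


def render_heat_map(risks) -> str:
    """Text rendering: catastrophic impact on the top row, very likely on the
    right. Each cell shows its band (H/M/L) and how many risks land in it."""
    grid = heat_map(risks)
    rows = []
    for i in reversed(range(5)):
        cells = [f"{risk_rating(l, i)[0].upper()}:{len(grid[(l, i)])}" for l in range(5)]
        rows.append(f"{IMPACT_LEVELS[i]:>13} | " + "  ".join(cells))
    rows.append(" " * 16 + "  ".join(f"{a:>3}" for a in LIKELIHOOD_ABBR))
    return "\n".join(rows)


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: {LIKELIHOOD_LEVELS[r.likelihood()]} / "
              f"{IMPACT_LEVELS[r.impact()]} -> {r.rating()}")
    print(render_heat_map(SAMPLE_RISKS))
```

The backup risk is worth noticing: it is very unlikely but catastrophic, and with these assumed bands it lands in the medium cell (score 5), which is why the band boundaries in the methodology need to be agreed with management rather than left to whoever builds the spreadsheet.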


The best approach for SMBs to start the cybersecurity risk management process involves the following steps:

Understand Your Risks:

  • Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
  • Prioritize risks based on their potential impact and likelihood.

Set Clear Goals:

  • Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.

Develop a Security Policy:

  • Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.

Start with the Basics:

  • Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
  • Use strong passwords and enable multi-factor authentication (MFA).

Train Your Employees:

  • Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.

Back Up Your Data:

  • Regularly back up critical data and store it in a secure, offsite location.
  • Test your backup and recovery process to ensure it works effectively.

Monitor and Respond:

  • Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
  • Establish an incident response plan to know what to do in case of an attack.

Leverage External Resources:

  • Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
  • Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.

Start Small and Scale Up:

  • Focus on quick wins that provide maximum risk reduction with minimal effort.
  • Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.

Regularly Review and Update:

  • Reassess risks, policies, and controls periodically to stay ahead of evolving threats.

This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.

Cybersecurity Risk Management for Small Businesses

Building a Cyber Risk Management Program: Evolving Security for the Digital Age


Tags: Building a Cyber Risk Management Program, Cybersecurity Risk Management


Mar 26 2025

You can’t eliminate risk entirely, but you can minimize it

You can’t eliminate risk entirely, but you can minimize it. If a cyberattack occurs, here are three key steps to take:

  1. Plan Ahead:
    Create a detailed incident response plan now, involving all key departments (e.g., technical, legal, financial, marketing). Practice it through tabletop exercises to prepare for unexpected scenarios. The better your preparation, the less chaos you’ll face during an attack.
  2. Contact Your Cyber Insurance Company:
    Reach out to your cyber insurance provider immediately; most policies require prompt notification and the use of approved vendors, so know your policy’s notification window before an incident happens. They can coordinate response teams, provide legal and regulatory support, handle public relations, negotiate ransoms, assist with technical recovery, and help strengthen security post-incident. Follow their guidance to avoid unnecessary expenses.
  3. Return to Normal Operations:
    Once the active threat is contained and eradicated and recovery has been verified, formally close the incident, capture lessons learned, and shift your team back to regular duties. Fix the vulnerabilities that were exploited and train staff, but avoid staying in “response mode” indefinitely, as it can lead to burnout, distraction, and reduced productivity.

Preparation and thoughtful responses are key to minimizing damage and ensuring a smoother recovery from cyber incidents.

Additional steps to help minimize information security risks:

1. Conduct Regular Risk Assessments

  • Identify vulnerabilities in your systems, applications, and processes.
  • Prioritize risks based on their likelihood and potential impact.
  • Address gaps with appropriate controls or mitigations.

2. Implement Strong Access Controls

  • Use multi-factor authentication (MFA) for all critical systems and applications.
  • Follow the principle of least privilege (grant access only to those who truly need it).
  • Regularly review and revoke unused or outdated access permissions.

3. Keep Systems and Software Up-to-Date

  • Patch operating systems, software, and firmware as soon as updates are released.
  • Use automated tools to manage and deploy patches consistently.

4. Train Employees on Security Best Practices

  • Conduct regular security awareness training, covering topics like phishing, password hygiene, and recognizing suspicious activity.
  • Simulate phishing attacks to test and improve employee vigilance.

5. Use Endpoint Detection and Response (EDR) Solutions

  • Deploy advanced tools to monitor, detect, and respond to threats on all devices.
  • Set up alerts for abnormal behavior or unauthorized access attempts.

6. Encrypt Sensitive Data

  • Use strong, current encryption for data at rest and in transit (for example AES-256 at rest and TLS 1.2 or later in transit), and retire deprecated protocols such as SSL and early TLS versions.
  • Ensure proper key management practices are followed.

7. Establish Network Segmentation

  • Separate critical systems and sensitive data from less critical networks.
  • Limit lateral movement in case of a breach.

8. Implement Robust Backup Strategies

  • Maintain regular, secure backups of all critical data.
  • Store backups offline or in isolated environments to protect against ransomware.
  • Test recovery processes to ensure backups are functional and up-to-date.

9. Monitor Systems Continuously

  • Use Security Information and Event Management (SIEM) tools for real-time monitoring and alerts.
  • Proactively look for signs of intrusion or anomalies.

10. Develop an Incident Reporting Culture

  • Encourage employees to report security issues or suspicious activities immediately.
  • Avoid a blame culture so employees feel safe coming forward.

11. Engage in Threat Intelligence Sharing

  • Join industry groups or forums to stay informed about new threats and vulnerabilities.
  • Leverage shared intelligence to strengthen your defenses.

12. Test Your Defenses Regularly

  • Conduct regular penetration testing to identify and fix exploitable weaknesses.
  • Perform red team exercises to simulate real-world attacks and refine your response capabilities.

By integrating these steps into your cybersecurity strategy, you’ll strengthen your defenses and reduce the likelihood of an incident.

Feel free to reach out if you have any additional questions or feedback.


The #1 Risk to Small Businesses: …And How to Minimize it


Tags: eliminate risk, minimize risk


Mar 19 2025

ISO 27001 Risk Assessment Process – Summary

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 8:51 am

The summary covers information security risk assessment, leveraging ISO 27001 for compliance and competitive advantage.

ISO 27001 Risk Management

  1. Risk Assessment Process
    • Identify assets and analyze risks.
    • Assign risk value and assess controls.
    • Implement monitoring, review, and risk mitigation strategies.
  2. Risk Concepts
    • Asset-Based vs. Scenario-Based Risks: Evaluating risk based on critical assets and potential attack scenarios.
    • Threats & Vulnerabilities: Identifying security weaknesses and potential risks (e.g., unauthorized access, data breaches, human error).
  3. Risk Impact & Likelihood
    • Risks are measured based on financial, operational, reputational, and compliance impacts.
    • Likelihood is classified from Highly Unlikely to Highly Likely based on past occurrences.
  4. Risk Treatment Options
    • Tolerate (Accept): Accepting the risk if the cost of mitigation is higher than the impact.
    • Treat (Mitigate): Reducing the risk by implementing controls.
    • Transfer (Share): Outsourcing risk through insurance or third-party agreements.
    • Terminate (Avoid): Eliminating the source of risk.

Risk assessment process details:

The risk assessment process follows a structured approach to identifying, analyzing, and mitigating security risks. The key steps include:

  1. Risk Identification
    • Identify information assets (e.g., customer data, financial systems, hardware).
    • Determine potential threats (e.g., cyberattacks, insider threats, physical damage).
    • Identify vulnerabilities (e.g., weak access controls, outdated software, lack of employee training).
  2. Risk Analysis & Valuation
    • Assess the likelihood of a threat exploiting a vulnerability (rated from Highly Unlikely to Highly Likely).
    • Evaluate the impact on financial, operational, reputational, and compliance aspects (from Minimal to Catastrophic).
    • Calculate the risk level based on the combination of likelihood and impact.
  3. Risk Mitigation & Decision Making
    • Assign a risk owner responsible for managing each identified risk.
    • Select appropriate controls (e.g., firewalls, encryption, staff training).
    • Compute the residual risk (risk left after implementing controls).
    • Decide on the risk treatment approach (Accept, Mitigate, Transfer, or Avoid).
  4. Risk Monitoring & Review
    • Establish a reporting frequency to reassess risks periodically.
    • Continuously monitor changes in the threat landscape and update controls as needed.
    • Communicate risk status and treatment effectiveness to stakeholders.

This structured approach ensures organizations can proactively manage risks, comply with regulations, and strengthen cybersecurity defenses.
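
The analysis, valuation and decision steps listed above, as an added example that is not part of the original post. The 1 to 5 scores, the rating bands, the stated risk appetite, the control effectiveness values (how many likelihood or impact levels a control is assumed to remove) and the sample risks, owners and register entries are constructed assumptions; the control references are taken from ISO/IEC 27001:2022 Annex A. The point it shows beyond the list is the difference between inherent and residual risk, and that the accept-or-treat decision is made on the residual rating against an appetite management has agreed in advance.

```python
"""Risk register with inherent risk, residual risk after controls, and the
accept-or-treat decision against a stated risk appetite.

Added example; scores, bands, appetite, control effectiveness and the sample
entries are assumptions. Control references are ISO/IEC 27001:2022 Annex A.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"highly unlikely": 1, "unlikely": 2, "possible": 3, "likely": 4, "highly likely": 5}
IMPACT = {"minimal": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
BANDS = ["low", "medium", "high"]
RISK_APPETITE = "medium"  # highest residual band management will accept (assumed)


def rating(likelihood: int, impact: int) -> str:
    """5x5 matrix bands (assumed): 1-4 low, 5-12 medium, 15-25 high."""
    score = likelihood * impact
    return "high" if score >= 15 else "medium" if score >= 5 else "low"


@dataclass(frozen=True)
class Control:
    ref: str                       # Annex A reference
    title: str
    likelihood_reduction: int = 0  # levels removed from likelihood (assumed effectiveness)
    impact_reduction: int = 0      # levels removed from impact


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                     # named person or role accountable for the risk
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self):
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def residual(self):
        """Apply each control's reduction; a score never drops below 1."""
        like, imp = self.inherent()
        for c in self.controls:
            like = max(1, like - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return like, imp


def decision(risk: Risk) -> str:
    """Accept the residual risk if it is within appetite; otherwise it needs
    further treatment (more controls, transfer, or avoiding the activity,
    which of those is a management choice the scores alone cannot make)."""
    residual_band = rating(*risk.residual())
    if BANDS.index(residual_band) <= BANDS.index(RISK_APPETITE):
        return "accept residual"
    return "treat further"


MFA = Control("A.8.5", "Secure authentication", likelihood_reduction=2)
MALWARE = Control("A.8.7", "Protection against malware", likelihood_reduction=1)
BACKUP = Control("A.8.13", "Information backup", impact_reduction=2)
LOGGING = Control("A.8.15", "Logging", likelihood_reduction=1)

# Constructed register entries.
REGISTER = [
    Risk("R-01", "Weak authentication on customer portal", "Head of IT",
         "likely", "major", [MFA]),
    Risk("R-02", "Ransomware on file servers", "CISO",
         "likely", "catastrophic", [MALWARE, BACKUP]),
    Risk("R-03", "Flooding of the server room", "Facilities Manager",
         "unlikely", "catastrophic"),
    Risk("R-04", "Privileged insider exfiltrates customer data", "CISO",
         "highly likely", "major", [LOGGING]),
]


def register_report(risks):
    """One row per risk: owner, inherent and residual rating, and the decision."""
    rows = []
    for r in risks:
        il, ii = r.inherent()
        rl, ri = r.residual()
        rows.append({
            "id": r.risk_id, "owner": r.owner,
            "inherent": rating(il, ii), "residual": rating(rl, ri),
            "controls": [c.ref for c in r.controls], "decision": decision(r),
        })
    return rows


if __name__ == "__main__":
    for row in register_report(REGISTER):
        print(row)
```

R-04 is the instructive row: logging alone lowers the likelihood by one level, but the residual rating stays high and above appetite, so the register flags it for further treatment instead of letting a single partially effective control close it.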


Information Security Risk Management for ISO 27001/ISO 27002


An Overview of ISO/IEC 27001:2022 Annex A Security Controls

Managing Artificial Intelligence Threats with ISO 27001


Tags: iso 27001, ISO 27001 2022


Mar 07 2025

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”

This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:

  1. SoA Derivation from Risk Assessment
    • The SoA must be based on the risk assessment and risk treatment plan.
    • It should only include controls that were identified as necessary during the risk assessment.
    • Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
  2. Consistency with Risk Treatment Plan
    • The SoA must align with the selected risk treatment options.
    • This ensures that the controls listed in the SoA effectively address the identified risks.
  3. Justification for Controls
    • The SoA can state that all controls were chosen because they are necessary for risk treatment.
    • No separate or additional justification is needed for each individual control beyond its necessity in treating risks.

Why This Matters:

  • Ensures a risk-driven approach to control selection.
  • Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
  • Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.

Practical Example of SoA and Risk Assessment Linkage

Scenario:

A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:

  • Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
  • Risk Level: High
  • Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.

How This Affects the SoA:

  1. Control Selection:
    • The company refers to Annex A of ISO 27001:2022 and identifies control A.8.5 (Secure authentication) as necessary to mitigate the risk (in the 2013 edition the closest equivalent was A.9.4.2, Secure log-on procedures).
    • This control is added to the SoA because the risk assessment identified it as necessary.
  2. Justification in the SoA:
    • The SoA will list A.8.5 – Secure authentication as an included control, together with its implementation status.
    • The justification can be:
      “This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.”
    • No additional justification is needed because the link to the risk assessment is sufficient.
  3. What Cannot Be Done:
    • The company cannot arbitrarily add a control, such as A.8.33 (Test information), unless it was identified as necessary in the risk assessment.
    • Adding controls without risk justification breaks the consistency between the risk treatment plan and the SoA that ISO 27005 describes and that ISO 27001 clause 6.1.3 requires.

Key Takeaways:

  • Every control in the SoA must be traceable to a risk.
  • The SoA cannot contain controls that were not justified in the risk assessment.
  • Justification for controls can be standardized, reducing documentation overhead.

This approach ensures that the ISMS remains risk-based, justifiable, and auditable.
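The traceability rule above (every applicable control in the SoA points back to a risk treatment, and every control a treatment plan needs is present in the SoA) is easy to check mechanically before an audit. The following is an added example, not code from the original post: a small Python checker over a constructed risk register and SoA. The control ids A.9.4.1 and A.14.2.9 are the ones the post uses; every other id, title and risk below is constructed sample data.

```python
"""Traceability check between a risk register and a Statement of Applicability.

Added example (not from the post). The control ids A.9.4.1 and A.14.2.9 are
the ones the post uses; every other id, title and risk below is constructed
sample data for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Risk:
    risk_id: str
    description: str
    level: str                                          # e.g. "High", "Medium", "Low"
    controls: List[str] = field(default_factory=list)   # controls chosen in the treatment plan


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str = ""                             # required text for exclusions


# Constructed sample register; R-01 mirrors the post's scenario.
RISK_REGISTER = [
    Risk("R-01", "Unauthorized access to customer data via weak authentication", "High", ["A.9.4.1"]),
    Risk("R-02", "Loss of customer records after a storage failure", "Medium", ["A.12.3.1"]),
]

# Constructed sample SoA. A.14.2.9 is marked applicable although no treatment plan needs it.
SOA = [
    SoaEntry("A.9.4.1", "Secure Authentication Mechanisms", True),
    SoaEntry("A.12.3.1", "Information backup", True),
    SoaEntry("A.14.2.9", "Protection of Test Data", True),
    SoaEntry("A.11.1.1", "Physical security perimeter", False, "Hosting fully outsourced; no premises in scope"),
]


def controls_required_by_risks(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each control id to the risks whose treatment plan selected it."""
    needed: Dict[str, List[str]] = {}
    for risk in register:
        for control_id in risk.controls:
            needed.setdefault(control_id, []).append(risk.risk_id)
    return needed


def check_soa_traceability(register: List[Risk], soa: List[SoaEntry]) -> Dict[str, list]:
    """Return three finding lists:
    untraceable            applicable SoA controls that no treatment plan refers to
    missing                (control, risks) pairs a treatment plan needs but the SoA
                           omits or marks not applicable
    unjustified_exclusions excluded controls with no justification text
    """
    needed = controls_required_by_risks(register)
    by_id = {entry.control_id: entry for entry in soa}
    findings: Dict[str, list] = {"untraceable": [], "missing": [], "unjustified_exclusions": []}
    for entry in soa:
        if entry.applicable and entry.control_id not in needed:
            findings["untraceable"].append(entry.control_id)
        if not entry.applicable and not entry.justification.strip():
            findings["unjustified_exclusions"].append(entry.control_id)
    for control_id, risk_ids in needed.items():
        entry = by_id.get(control_id)
        if entry is None or not entry.applicable:
            findings["missing"].append((control_id, risk_ids))
    return findings


def standard_justification(control_id: str, register: List[Risk]) -> Optional[str]:
    """The standardised justification the post suggests, citing the risks it treats."""
    risk_ids = controls_required_by_risks(register).get(control_id)
    if not risk_ids:
        return None
    return ("This control has been identified as necessary in the risk assessment "
            f"to treat risk(s) {', '.join(risk_ids)}.")


if __name__ == "__main__":
    for category, items in check_soa_traceability(RISK_REGISTER, SOA).items():
        print(f"{category}: {items}")
    print(standard_justification("A.9.4.1", RISK_REGISTER))
```

Run against the sample data, the checker reports A.14.2.9 as untraceable (the "what cannot be done" case in the post) and nothing missing; the justification helper produces one standardised sentence per control, which is the documentation-overhead reduction the key takeaways describe.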

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: #InfoSec, #RiskAssessment, AnnexA, Information Security Management System, isms, iso 27001, Risk management, security controls, SoA


Nov 25 2024

Adding Value with Risk-Based Information Security

The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.

An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.

The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.

Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.

For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.

The best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.

In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.

  • The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
  • The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the company's control tasks and the controls of the chosen framework, and that only once.

More details and considerations on pros and cons are described in a recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”
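The two paragraphs above describe one evaluation of an elementary control task (such as updating the risk policy) feeding several framework controls at once, with CMMI levels and a gap analysis against a target. The following is an added example, not the article's method or tool: it assumes CMMI-style capability levels 0 to 5, takes a control's maturity as the floor of the mean of its mapped tasks' levels, and defines the gap as target minus current. Task ids, owners and assessed levels are constructed; "ISO 27001 5.1" and "NIST CSF GV.PO-01" are the identifiers the article cites, and the RTP entry is its generic policy-update risk.

```python
"""Aggregating control-task maturity into framework controls with a gap analysis.

Added example, not the article's method or tool. Assumptions: CMMI-style
capability levels 0..5, a control's maturity is the floor of the mean of its
tasks' levels, and gap = target - current. Task ids, owners and levels are
constructed; "ISO 27001 5.1" and "NIST CSF GV.PO-01" are the identifiers the
article cites, and the RTP entry is its generic policy-update risk.
"""
import math
from statistics import mean
from typing import Dict, List

LEVEL_NAMES = {0: "Incomplete", 1: "Initial", 2: "Managed", 3: "Defined",
               4: "Quantitatively Managed", 5: "Optimizing"}

# Constructed elementary control tasks: id -> (action, owner, assessed level)
TASKS = {
    "T-01": ("Review and update the risk policy annually", "CISO", 3),
    "T-02": ("Obtain management approval of policy changes", "Management board", 4),
    "T-03": ("Communicate updated policies to staff", "HR", 2),
    "T-04": ("Record the policy review outcome in the RTP", "Risk manager", 1),
}

# Each framework control or RTP item is mapped once to the tasks that realise it.
CONTROL_MAP = {
    "ISO 27001 5.1": {"target": 3, "tasks": ["T-01", "T-02", "T-03"]},
    "NIST CSF GV.PO-01": {"target": 4, "tasks": ["T-01", "T-02", "T-03"]},
    "RTP: failure to update company policies": {"target": 3, "tasks": ["T-01", "T-04"]},
}


def control_maturity(control_id, control_map=CONTROL_MAP, tasks=TASKS) -> int:
    """Aggregate the mapped tasks' levels (floor of the mean) into one control level."""
    levels = [tasks[t][2] for t in control_map[control_id]["tasks"]]
    for lvl in levels:
        if lvl not in LEVEL_NAMES:
            raise ValueError(f"maturity level out of range: {lvl}")
    return math.floor(mean(levels))


def gap_analysis(control_map=CONTROL_MAP, tasks=TASKS) -> Dict[str, dict]:
    """Compare each control's aggregated level with its target and name the weakest task."""
    report = {}
    for cid, spec in control_map.items():
        current = control_maturity(cid, control_map, tasks)
        weakest = min(spec["tasks"], key=lambda t: tasks[t][2])
        report[cid] = {
            "current": current,
            "current_name": LEVEL_NAMES[current],
            "target": spec["target"],
            "gap": max(0, spec["target"] - current),
            "weakest_task": weakest,
        }
    return report


def controls_using_task(task_id, control_map=CONTROL_MAP) -> List[str]:
    """Which framework controls or RTP items a single task evaluation feeds."""
    return [cid for cid, spec in control_map.items() if task_id in spec["tasks"]]


if __name__ == "__main__":
    for cid, row in gap_analysis().items():
        print(f"{cid}: level {row['current']} ({row['current_name']}), "
              f"target {row['target']}, gap {row['gap']}, weakest task {row['weakest_task']}")
    print("T-01 feeds:", controls_using_task("T-01"))
```

With these constructed levels the same three task evaluations give ISO 27001 5.1 a level of 3 (on target) and NIST CSF GV.PO-01 a gap of 1 against its higher target, while the RTP item is pulled down to level 2 by the weak recording task; the point is that each task is assessed once and the mapping, defined once, does the rest.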

Source: National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 2024, https://www.nist.gov/informative-references

Information Security Risk Management for ISO 27001/ISO 27002

Information Security Risk Assessment Workshop


Tags: Risk-Based Information Security


Nov 05 2024

ISO 27001 clauses 6.1.2 and 6.1.3 on information security risk assessment should be relocated to clause 8

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 9:03 am

Clause 6.1.1 is often misunderstood and frequently overlooked. It requires organizations to assess risks and opportunities specifically related to the Information Security Management System (ISMS)—focusing not on information security itself, but on the ISMS’s effectiveness. This is distinct from the information security risk assessment activities outlined in 6.1.2 and 6.1.3, which require different methods and considerations.

In practice, it’s rare for organizations to assess ISMS-specific risks and opportunities (per 6.1.1), and certification auditors seldom address this requirement.

To clarify, it’s proposed that the information security risk assessment activities (6.1.2 and 6.1.3) be moved to clause 8. This aligns with the structure of other management system standards (e.g., ISO 22301 for Business Continuity Planning). Additionally, a note similar to ISO 22301’s should be included:

“Risks in this sub clause relate to information security, while risks and opportunities related to the effectiveness of the management system are addressed in 6.1.1.”

Need expert guidance? Book a free 30-minute consultation with an ISO27k expert.

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles


Tags: clauses 6.1.2, clauses 6.1.3


Nov 04 2024

The Risk Assessment Process and the tool that supports it

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 12:00 pm

The “Risk Assessment analysis” covers key areas of risk assessment in information security:

  1. Risk Assessment Process: The core steps include identifying assets, analyzing risks, and evaluating the value and impact of each risk. This process helps determine necessary controls and treatments to mitigate or accept risks.
  2. Types of Risk:
    • Asset-Based Risk: Focuses on assessing risks to tangible assets like data or hardware.
    • Scenario-Based Risk: Evaluates hypothetical risk scenarios, such as potential data breaches.
  3. Risk Analysis:
    • Impact Analysis: Measures the financial, operational, and reputational impact of risks, assigning scores from 1 (very low) to 5 (very high).
    • Likelihood Analysis: Assesses how likely a risk event is to occur, also on a scale from 1 to 5.
  4. Risk Response Options:
    • Tolerate (accept risk),
    • Treat (mitigate risk),
    • Transfer (share risk, e.g., via insurance),
    • Terminate (avoid risk by ceasing the risky activity).
  5. Residual Risk and Risk Appetite: After treatments are applied, residual risk remains. Organizations determine their acceptable level of risk, known as risk appetite, to guide their response strategies.

These structured steps ensure consistent, repeatable risk management across information assets, aligning with standards like ISO 27001.

The Risk Assessment Process involves systematically identifying and evaluating potential risks to assets. This includes:

  • Identifying Assets: Recognizing valuable information assets, such as data or physical equipment.
  • Risk Analysis: Analyzing the potential threats and vulnerabilities related to these assets to assess the level of risk they pose.
  • Evaluating Impact and Likelihood: Measuring the potential impact of each risk and estimating how likely each risk is to occur.
  • Implementing Controls: Deciding on control measures to mitigate, transfer, accept, or avoid each risk, based on organizational risk tolerance.

To streamline this process, organizations often use risk assessment tools. These tools assist by automating data collection, calculating risk levels, and supporting decision-making on risk treatments, ultimately making the assessment more consistent, thorough, and efficient.
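The scoring steps in the post (impact and likelihood on 1 to 5 scales, the four response options, residual risk compared against the risk appetite) are exactly what a risk assessment tool automates. The following is an added example, not the tool the post describes: a small Python scorer over a constructed register with one asset-based and several scenario-based entries. It assumes the risk score is impact multiplied by likelihood, level bands of 1-4 Low, 5-9 Medium, 10-14 High and 15-25 Critical, and that the appetite is the highest residual score accepted without further treatment; none of those conventions come from the post.

```python
"""Scoring a small risk register: impact x likelihood, the four responses,
residual risk and risk appetite.

Added example, not the tool the post describes. Assumptions: the score is
impact x likelihood on the post's 1..5 scales; level bands are 1-4 Low,
5-9 Medium, 10-14 High, 15-25 Critical; the appetite is the highest residual
score accepted without further treatment. All register entries are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

RESPONSES = ("tolerate", "treat", "transfer", "terminate")


@dataclass
class RiskEntry:
    risk_id: str
    kind: str                                   # "asset" or "scenario"
    subject: str
    impact: int                                 # 1 (very low) .. 5 (very high)
    likelihood: int                             # 1 .. 5
    response: str                               # one of RESPONSES
    treated_impact: Optional[int] = None        # estimates after treat/transfer
    treated_likelihood: Optional[int] = None


def score(impact: int, likelihood: int) -> int:
    """Validate both scale values and return the combined score (assumption: product)."""
    for v in (impact, likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"scale value out of range: {v}")
    return impact * likelihood


def level(s: int) -> str:
    if s <= 4:
        return "Low"
    if s <= 9:
        return "Medium"
    if s <= 14:
        return "High"
    return "Critical"


def residual_score(entry: RiskEntry) -> int:
    """Score remaining after the chosen response has been applied."""
    if entry.response not in RESPONSES:
        raise ValueError(f"{entry.risk_id}: unknown response {entry.response!r}")
    if entry.response == "terminate":
        return 0                                # activity stopped, risk avoided
    if entry.response == "tolerate":
        return score(entry.impact, entry.likelihood)   # accepted as-is
    if entry.treated_impact is None or entry.treated_likelihood is None:
        raise ValueError(f"{entry.risk_id}: {entry.response} needs post-treatment estimates")
    return score(entry.treated_impact, entry.treated_likelihood)


def evaluate(register: List[RiskEntry], appetite: int) -> List[dict]:
    """Score every entry and flag residual risk that still exceeds the appetite."""
    rows = []
    for e in register:
        inherent = score(e.impact, e.likelihood)
        residual = residual_score(e)
        rows.append({"risk_id": e.risk_id, "kind": e.kind, "response": e.response,
                     "inherent": inherent, "inherent_level": level(inherent),
                     "residual": residual,
                     "residual_level": level(residual) if residual else "None",
                     "within_appetite": residual <= appetite})
    return rows


def needs_further_treatment(register: List[RiskEntry], appetite: int) -> List[str]:
    """Risk ids whose residual score is still above the appetite."""
    return [r["risk_id"] for r in evaluate(register, appetite) if not r["within_appetite"]]


# Constructed sample register.
REGISTER = [
    RiskEntry("R-01", "asset", "Customer database", 5, 4, "treat", 5, 1),
    RiskEntry("R-02", "scenario", "Ransomware on the file server", 4, 3, "transfer", 2, 3),
    RiskEntry("R-03", "asset", "Legacy visitor kiosk", 2, 2, "tolerate"),
    RiskEntry("R-04", "scenario", "Phishing leading to payment fraud", 4, 4, "treat", 4, 2),
    RiskEntry("R-05", "scenario", "Unsupported public FTP service", 3, 4, "terminate"),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, appetite=6):
        print(row)
    print("still above appetite:", needs_further_treatment(REGISTER, 6))
```

With an appetite of 6, R-04 is the only entry whose residual score (8, Medium) still exceeds it, so it goes back for further treatment; an entry marked "treat" or "transfer" without post-treatment estimates is rejected rather than silently scored, which is the consistency benefit the post attributes to tooling.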

CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.

  • Manage all your cybersecurity and data privacy obligations
  • Accelerate certification and supercharge project effectiveness
  • Get immediate visibility of critical data and key performance indicators
  • Stay ahead of regulatory changes with our scalable compliance solution
  • Reduce errors and improve completeness of risk management processes
  • Identify and treat data security risks before they become critical concerns

Reduce data security risks with agility and efficiency

  • Quickly identify and treat data security risks before they become critical concerns with the intuitive, easy-to-use risk manager tool
  • Keep track of data security compliance requirements and the security controls you have in place in conjunction with critical laws and information security frameworks
  • Demonstrate compliance with ISO 27001, the leading information security management standard, with powerful built-in reports
  • The software includes control sets from ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27032, NIST, CSA CCM, the PCI DSS, SOC 2, and the CPRA

Need expert guidance? Book a free 30-minute consultation with a Risk assessment specialist.


Tags: Risk Assessment analysis, Risk Assessment Process


Oct 30 2024

A step-by-step guide to risk management following ISO 27001 and ISO 27005 standards

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 9:44 am

The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.

The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.

A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.

Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.

In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.

some commonly adopted approaches:


Tags: guide to risk management, iso 27001, iso 27005


Oct 16 2024

Not all information security risks translate directly to business risks

There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.

There are two types of risks:

  1. Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
  2. Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.

Not all information security risks translate directly to business risks. For example, ISO27001 emphasizes calculating the Annual Loss Expectation (ALE) and suggests that risks should only be addressed if their ALE exceeds the organization’s acceptable threshold.

Example:

Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.

Several factors to consider when assessing the relationship between information security and business risk:

  • Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
  • Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
  • Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
  • Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.

Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.

Information Risk Management: A practitioner’s guide


Tags: business risks, Information Risk Management: A practitioner's guide


Oct 09 2024

Pragmatic ISO 27001 Risk Assessments

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 1:33 pm

Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.

He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.

To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.

Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.

For more information on the Andrew Pattison interview, you can visit here.


Tags: iso 27001, ISO 27001 Risk Assessment, ISO27k

