Jan 21 2025

Revitalizing your cybersecurity program starts with building a strong case
for change

Category: CISO, Information Security, vCISO | disc7 @ 4:08 pm

The document highlights the comprehensive vCISO (virtual Chief Information Security Officer) services offered by DISC LLC to help organizations build and strengthen their security programs. Here’s a summarized rephrasing:

Key Services:

  • InfoSec Consultancy: Tailored solutions to protect businesses from cyber threats.
  • Security Risk Assessment: Identifying and mitigating vulnerabilities in IT infrastructures.
  • Cybersecurity Risk Management: Proactively managing and reducing cyber risks.
  • ISO 27001 Compliance: Assistance in achieving certification through robust risk management.
  • ISMS Risk Management: Developing resilient Information Security Management Systems.

Approach:

DISC LLC specializes in bridging the gap between an organization’s current security posture (“as-is”) and its desired future state (“to-be”) through:

  1. Gap assessments to evaluate maturity levels.
  2. Strategic roadmaps for transitioning to a higher level of maturity.
  3. Implementing essential policies, procedures, and defensive technologies.
  4. Continuous testing, validation, and long-term improvements.

Why Choose DISC LLC?

  • Expertise from seasoned InfoSec professionals.
  • Customized, business-aligned security strategies.
  • Proactive risk detection and mitigation.

Their services also include compliance readiness, managed detection & response (MDR), offensive control validation (penetration testing), and oversight of security tools. DISC LLC emphasizes continuous improvement and building a secure future.

For more details, contact DISC LLC or explore their resources.

The second page outlines DISC LLC’s approach to revitalizing cybersecurity programs through their vCISO services, focusing on gap assessments, strategy development, and continuous improvement. Here’s a concise summary and rephrased version:

Key Highlights:

  1. Assess Current State: Evaluate the “as-is” security maturity level and identify gaps compared to the desired “to-be” future state.
  2. Define Objectives: Build a strong case for enhancing cybersecurity and set a clear vision for the organization’s future security posture.
  3. Strategic Roadmap: Create a transition plan detailing the steps needed to achieve the target state, including technical, management, and operational controls.
  4. Implementation:
    • Recruit key personnel.
    • Deploy essential policies, procedures, and defensive technologies (e.g., XDR, logs).
    • Establish critical metrics for performance tracking.
  5. Continuous Improvement: Regular testing, validation, and strengthening of controls to reduce cyber risks and support long-term transformation.

Services Offered:

  • vCISO Services: Strategy and program leadership.
  • Gap Assessments: Identify and address security maturity gaps.
  • Compliance Readiness: Prepare for standards like ISO and NIST.
  • Managed Detection & Response (MDR): Proactive threat management.
  • Offensive Control Validation: Penetration testing services.

DISC LLC emphasizes building a secure future through tailored solutions, ongoing program enhancement, and leveraging advanced technologies. For more details, they encourage reaching out via their provided contact information.

CISO – Steering Through a Maze of Responsibilities

Contact us to explore how we can turn security challenges into strategic advantages.

https://www.deurainfosec.com/disc-infosec-home/vciso-services/

The CISO Playbook

We need to redefine and broaden the expectations of the CISO role

Defining the SOW and Legal Framework for a vCISO Engagement

The ripple effects of regulatory actions on CISO reporting

How CIOs, CTOs, and CISOs view cyber risks differently

Why CISOs face greater personal liability

What are the Common Security Challenges CISOs Face?

How vCISO Services Empower SMBs

How Professional Service Providers Can Add vCISO Service

Why Choose vCISO Services?

Enhance Your Security Framework with DISC LLC

5 key tasks for a vCISO to accomplish in the first three months

Expertise in Virtual CISO (vCISO) Services

In what situations would a vCISO or CISOaaS service be appropriate?

The Elemental Truth of vCISO Services: vCISO Guide for Small & Mid Sized Businesses

The Phantom CISO: Time to step out of the shadow

vCISO Guide for Small & Mid Sized Businesses

DISC LLC is listed on Cynomi vCISO Directory

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Infosec consultancy, isms, iso 27001, Security Risk Assessment, vCISO


Nov 30 2024

10 key benefits of ISO 27001 Cert for SMBs

Category: ISO 27k | disc7 @ 9:19 am

Here are 10 key benefits of ISO 27001 certification for small and medium-sized businesses (SMBs)

  1. Enhanced Data Security: Protect sensitive information against breaches, reducing the risk of financial loss or reputational damage.
  2. Customer Trust: Demonstrate a commitment to safeguarding client data, boosting customer confidence and loyalty.
  3. Regulatory Compliance: Meet legal and regulatory requirements (e.g., GDPR, HIPAA), avoiding penalties and ensuring smooth operations.
  4. Competitive Advantage: Stand out in the marketplace by showcasing internationally recognized security standards.
  5. Improved Risk Management: Identify and mitigate risks proactively with structured risk assessments and controls.
  6. Operational Efficiency: Streamline security processes and eliminate redundancies, reducing inefficiencies and costs.
  7. Scalability: Adapt security measures to grow alongside your business, ensuring protection as operations expand.
  8. Incident Response: Prepare robust plans to detect, respond to, and recover from incidents quickly, minimizing downtime.
  9. Employee Awareness: Cultivate a security-conscious workforce through regular training and awareness programs.
  10. Partnership Opportunities: Meet vendor and partner requirements for security certifications, enabling new collaborations and business growth.

Overcoming Challenges

  • Resistance to Change: Highlight benefits to gain employee buy-in.
  • Resource Constraints: Use a phased approach to certification.
  • Integration Complexity: Leverage common principles with other frameworks like ISO 9001 for seamless integration.

The Way Forward
ISO 27001 isn’t just about protecting data—it’s about building trust, improving operations, and achieving competitive advantage. Start embedding its principles today for a stronger, more secure organization.

Being certified to ISO 27001 can bring numerous advantages for medium- to enterprise-level organizations:

  • Minimizes the risk of cyber-attacks on your company.
  • Facilitates the demonstration of compliance with various regulations and standards.
  • Lowers operational expenses by implementing only necessary controls.
  • Prevents damage to reputation and financial penalties.
  • Enhances customer retention through a compelling security narrative.
  • Attracts new business opportunities by confidently addressing security concerns.
  • Streamlines the process of completing security questionnaires, freeing up valuable time.
  • Cultivates a stronger security culture and awareness within the organization.
  • Reduces Cyber Liability Premiums by potentially over 200%

Contact us to explore how we can turn security challenges into strategic advantages.

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles


Tags: isms, iso 27001 certification, SMB


Nov 27 2024

Penetration Testing and ISO 27001 – Securing ISMS

Category: ISO 27k, Pen Test | disc7 @ 9:06 am

The document highlights the integration of penetration testing within ISO 27001’s framework, emphasizing its critical role in identifying system vulnerabilities and maintaining security posture. It links pen testing to the standard’s risk management and continuous improvement principles, focusing on Annex A controls, such as Operations Security and Compliance.

It details the importance of scoping, balancing business needs with potential risks. The guide underscores embedding pen testing into broader risk assessment efforts to enhance resilience.

How does penetration testing fit into my ISO 27001 ISMS project?

There are three stages in your ISMS project when penetration testing can make a significant contribution:

  1. As part of the risk assessment process, to uncover vulnerabilities in any Internet-facing IP addresses, web applications or internal devices and applications, and link them to identifiable threats.
  2. As part of the risk treatment plan, to ensure that security controls work as designed.
  3. As part of the ongoing performance evaluation and improvement processes, to ensure that controls continue to work as required and that new and emerging vulnerabilities are identified and dealt with.

ISO 27001 says that you must identify information security risks within the scope of the ISMS (Clause 6.1.2.c). This involves identifying all assets and information systems within scope of the ISMS, and then identifying the risks and vulnerabilities those assets and systems are subject to.

A penetration test can help identify these risks and vulnerabilities. The results will highlight detected issues and guide remedial action, and are a key input for your risk assessment and treatment process. Once you understand the threats you face, you can make an informed decision when selecting controls.

For further details, access the full document here.

Contact us to explore how we can turn security challenges into strategic advantages.

Penetration Testing: Step-By-Step Guide

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles


Tags: isms, iso 27001, Penetration Testing


Sep 24 2024

How to Conduct an ISO 27001 Internal Audit

Category: ISO 27k | disc7 @ 2:19 pm

The blog post provides a detailed guide on conducting an ISO 27001 audit, which is crucial for ensuring compliance with information security standards. It covers both internal and certification audits, explaining their purposes, the audit process, and steps such as setting the audit criteria, reviewing documentation, conducting a field review, and reporting findings. The article also emphasizes the importance of having an independent auditor and following up on corrective actions to ensure proper risk management.


For more details, you can read the full post here.

ISO Internal Audit – A Plain English Guide: A Step-by-Step Handbook for Internal Auditors in Small Businesses

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

ISO/IEC 27001:2022, Third Edition: Information security, cybersecurity and privacy protection – Information security management systems

ISO/IEC 27002:2022, Third Edition: Information security, cybersecurity and privacy protection – Information security controls 

Check out our previous ISO27k posts

ISO 27k Chat bot


Tags: isms, iso 27001, iso 27001 certification, ISO 27001 Internal Audit, iso 27002


Aug 30 2024

How to manage information in the cloud: Best practice frameworks

Category: Cloud computing | disc7 @ 10:13 am

It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.

However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.

What Influences Organizations to Store Information on the Cloud?

Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.

Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.

Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:

  • Agility: you can respond more quickly and adapt to business changes
  • Scalability: cloud platforms impose fewer limits on storage, size and number of users
  • Cost savings: no physical infrastructure costs, and no charges for extra storage, exceeding quotas, etc.
  • Enhanced security: standards and certification can show that robust security controls are in place
  • Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
  • Continuity: organizations are using cloud services as a backup for internal systems

Standards to help you Manage Information on the Cloud

The following standards focus on putting appropriate frameworks and controls in place to manage cloud security.

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best-practice system to manage information security, including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.

It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.

ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.

It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.

ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.

All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Contact us to learn more.

Adopt these standards today to ensure your organization effectively manages data in the cloud.

How to build a world class ISMS:

ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.

After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.

Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.

Consider using the CIS Controls to strengthen whichever of the above frameworks you build your ISMS on. The CIS Controls are updated more frequently than most frameworks and are highly effective against the top five attack types found in industry threat data, defending against 86% of the (sub)techniques in the MITRE ATT&CK framework.

Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.

In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A (or from other sources such as NIST, HIPAA, PCI, or the CIS Critical Security Controls) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.

The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.
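The Annex A quality check and SoA build described above, as an added Python example that is not DISC LLC's tooling: the risk register, implementation statements and exclusion reason are constructed, the Annex A identifiers are a subset of ISO/IEC 27001:2022 Annex A, and "CIS 7.1" is the CIS Controls v8 safeguard of that name. The check lists every Annex A control no treatment selected, and the SoA builder refuses to leave a control neither selected nor justified.

```python
"""Annex A quality check and Statement of Applicability (SoA) builder.

Added example, not DISC LLC's tooling. Risks, treatments, implementation
statements and the exclusion reason are constructed; the Annex A identifiers
are a small subset of ISO/IEC 27001:2022 Annex A.
"""
from dataclasses import dataclass, field

# Constructed subset of ISO/IEC 27001:2022 Annex A (identifier -> title).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.24": "Information security incident management planning and preparation",
    "A.7.4": "Physical security monitoring",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.16": "Monitoring activities",
}

@dataclass
class Risk:
    """One risk-register row; treatment controls may be Annex A identifiers or
    controls from another catalogue (NIST, CIS, ...), as the text allows."""
    risk_id: str
    description: str
    controls: list = field(default_factory=list)

@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str   # risks treated, or the reason for exclusion
    implementation: str  # how the control is implemented; "n/a" if excluded

def annex_a_gap_check(risks, annex_a=ANNEX_A):
    """The quality check from the text: Annex A controls that no risk treatment
    selected. Each must be traced to an overlooked risk or consciously excluded."""
    selected = {c for r in risks for c in r.controls}
    return sorted(c for c in annex_a if c not in selected)

def build_soa(risks, exclusions, implementation, annex_a=ANNEX_A, external_titles=None):
    """Return (entries, problems): one entry per Annex A control plus any external
    control a treatment references. `exclusions` maps control id -> reason it does
    not apply; `implementation` maps control id -> how it is done. A control neither
    selected nor justified, or selected without an implementation, is a problem."""
    external_titles = external_titles or {}
    selected_by = {}
    for r in risks:
        for c in r.controls:
            selected_by.setdefault(c, []).append(r.risk_id)
    catalogue = dict(annex_a)
    for c in selected_by:
        catalogue.setdefault(c, external_titles.get(c, "external control"))
    entries, problems = [], []
    for cid, title in catalogue.items():
        if cid in selected_by:
            how = implementation.get(cid)
            if how is None:
                problems.append(f"{cid} selected but has no implementation statement")
                how = "MISSING"
            entries.append(SoaEntry(cid, title, True,
                                    "treats risk(s) " + ", ".join(selected_by[cid]), how))
        elif cid in exclusions:
            entries.append(SoaEntry(cid, title, False, exclusions[cid], "n/a"))
        else:
            problems.append(f"{cid} neither selected by a risk nor justified as excluded")
    return entries, problems

# Constructed risk register; it deliberately never selects A.8.13 (backup).
RISKS = [
    Risk("R1", "Credential stuffing against the customer portal", ["A.5.15", "A.8.5", "A.8.16"]),
    Risk("R2", "Unpatched internet-facing web server", ["A.8.8", "CIS 7.1"]),
    Risk("R3", "Incidents handled inconsistently across teams", ["A.5.24"]),
]
# CIS Controls v8 safeguard referenced by R2 (title as published by CIS).
EXTERNAL = {"CIS 7.1": "Establish and maintain a vulnerability management process"}
# Constructed justification for a control that is not applied.
EXCLUSIONS = {"A.7.4": "Fully remote organisation; no premises within ISMS scope"}
# Constructed implementation statements for the selected controls.
IMPLEMENTATION = {
    "A.5.15": "Role-based access policy with quarterly access reviews",
    "A.5.24": "Incident response plan, exercised twice a year",
    "A.8.5": "MFA enforced on all customer and staff logins",
    "A.8.8": "Weekly authenticated scans; 14-day fix SLA for critical findings",
    "A.8.13": "Nightly encrypted backups with a quarterly restore test",
    "A.8.16": "Portal authentication logs forwarded to the SIEM with lockout alerts",
    "CIS 7.1": "Documented vulnerability management process, reviewed annually",
}

def reviewed_register():
    """Outcome of the quality check: the unselected backup control exposed a risk
    the assessment had missed, so a risk is added rather than excluding A.8.13."""
    return RISKS + [Risk("R4", "Ransomware makes production data unrecoverable", ["A.8.13"])]

if __name__ == "__main__":
    print("Annex A controls no treatment selected:", annex_a_gap_check(RISKS))
    for e in build_soa(reviewed_register(), EXCLUSIONS, IMPLEMENTATION, external_titles=EXTERNAL)[0]:
        print(e.control_id, "applicable" if e.applicable else "excluded", e.justification, sep=" | ")
```

Run against the unreviewed register, the builder reports A.8.13 as a problem rather than silently excluding it, which is the point of treating the Annex A comparison as a check on the risk assessment rather than a justification.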

Cloud shared responsibilities:

Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.

Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The division of responsibilities varies based on the cloud service model:

  • IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
  • PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
  • SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.

Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security and compliance and, not least, in managing risks in the cloud environment.

In summary, the shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.

Latest Cloud Security titles

Previous posts on Cloud Computing

ISO27701 – Privacy information management system

Check out these previous ISO27k posts


Tags: cloud computing benefits, Cloud computing frameworks, cloud computing security, cloud security, cloud security risks, Cloud shared responsibilities, isms, ISO27k, SoA


Oct 14 2023

Best implementers of InfoSec program

Category: CISO, Security program, vCISO | disc7 @ 11:48 am

Best implementers of InfoSec program (ISMS) are those who possess both management and leadership capabilities…

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

2020 Cybersecurity CANON Hall of Fame Winner

Todd Fitzgerald, co-author of the ground-breaking (ISC)2 CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.

CISO COMPASS includes personal, pragmatic perspectives and lessons learned from over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity, structuring the content so that CISOs and security leaders get comprehensive coverage of the key issues affecting delivery of the cybersecurity strategy and can demonstrate due diligence to the Board of Directors. The insights will help the security leader create programs that are appreciated and supported by the organization and capable of industry or peer award-winning recognition, enhance cybersecurity maturity, gain the confidence of senior management, and avoid pitfalls.

This comprehensive, soup-to-nuts book enables security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. It is a valuable resource for current and future security leaders and an integral part of any college program in information/cybersecurity.

Previous articles on the subject of Chief Information Security Officers (CISOs)

Previous articles on the subject of Virtual Chief Information Security Officers (vCISOs).


Tags: isms, security program


Jun 14 2022

Implementing an ISMS – The nine Steps approach

Category: ISO 27k | DISC @ 1:59 pm

Nine Steps to Success – An ISO 27001 Implementation

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: isms


Aug 26 2021

What is ISMS

Category: Information Security, ISO 27k | DISC @ 10:25 pm

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method is to follow a Plan-Do-Check-Act (PDCA) process.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.

A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.

The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).

ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.

ISO 27001 Risk Assessment and Gap Assessment

Tags: Information Security Management System, isms


Oct 21 2019

6 Essential Pillars for InfoSec Prioritization

Category: Information Security | DISC @ 11:22 am

It may be time to Think Differently in security.

Do you know which of your vulnerabilities are critical, which can wait a day, and which are just noise? Read this handy guide to get the 6 essential pillars for comprehensive InfoSec prioritization:



The Five Laws of Cybersecurity | Nick Espinosa | TEDxFondduLac
https://www.youtube.com/watch?v=_nVq7f26-Uo

Your 5 Year Path: Success in Infosec
https://www.youtube.com/watch?v=Uv-AfK7PkxU

Top 20 Security Controls for a More Secure Infrastructure


Tags: isms, Secure Infrastructure


Oct 14 2019

The best practice guide for an effective infoSec function

Building ISMS

The best practice guide for an effective infoSec function: iTnews has put together advice drawn from various control frameworks, including ISO 27k and NIST CSF, to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

 

Practice Guide

Open the PDF: The best practice guide for an effective infoSec function.

How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
https://www.youtube.com/watch?v=pDra0cy5WZI

Beginners ultimate guide to ISO 27001 Information Security Management Systems
https://www.youtube.com/watch?v=LytISQyhQVE

Conducting a cybersecurity risk assessment


Tags: isms


Feb 05 2019

ISO 27001 ISMS Documentation Toolkit Bolt-on

Category: ISO 27k | DISC @ 8:37 am

Combine with the ISO 9001:2015 QMS Documentation Toolkit and/or the ISO 14001:2015 EMS Documentation Toolkit to create an ISO 27001-compliant integrated management system (IMS).

  • ISO 27001 ISMS Documentation Toolkit Bolt-on

Tags: EMS, IMS, isms, ISO27001, QMS


Nov 14 2016

Implementing an ISMS: where should you start?

Category: ISO 27k | DISC @ 9:56 am


With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.

However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses – the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.

IT Governance Publishing’s (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:

  • Help save you months of work, as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
  • Reduce costs and expenses as you tackle the project alone.
  • Save the hassle of creating and maintaining the documents yourself.
  • Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
  • Ensure nothing is left out of your ISMS documentation.

When organizations need help with their ISMS projects, they are normally at a loss.

The two major challenges they face are creating supporting documentation and performing a risk assessment.

A wide range of fixed-price toolkits can provide you with the official ISO 27000 standards, implementation guidance, documentation templates, and risk assessment software to aid your project.

  • Do you know how to implement an ISMS?
  • What steps should you take?
  • How long will it take?

Tags: isms, iso 27001 certification, iso 27002


    Nov 09 2014

    When to use tools for ISO 27001/ISO 22301 and when to avoid them

    Category: ISO 27k | DISC @ 8:54 pm


    If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

    So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

    Types of tools

    Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

    a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

    b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

    Pros and cons of automation tools

    Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

    However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

    There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

    Can you automate everything?

    One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

    Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

    What to watch out for when looking for documentation writing tools

    You won’t need tools for writing your policies, procedures, and plans if you have already developed your documentation based on a framework that is similar to ISO 27001 – e.g., COBIT, the Cybersecurity Framework, or NFPA 1600. Also, if you have hired a consultant, then it will be their duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

    In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

    • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
    • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
    • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

    So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

    Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit.




    Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment


    Aug 22 2014

    Do it yourself solution for ISO27001 implementation

    Category: ISO 27k | DISC @ 3:16 pm


    ISO 27001 Do It Yourself Package

    This is the do-it-yourself solution for ISO27001 implementation

    Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

    This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


    This package does not include certification fees which are paid directly to the certification body.


    The ISO 27001 do-it-yourself package contains:

    • The ISO 27001:2013 Standard, which details the requirements against which you will be audited.
    • The ISO 27002:2013 Standard, which is the code of practice that provides support for the implementation of the information security controls in ISO27001.
    • The ISO 27000:2014 Standard, which contains the terms and definitions referenced in ISO27001.
    • IT Governance – An International Guide to Data Security and ISO27001/ISO27002, which details how to design, implement and deliver an Information Security Management System (ISMS) that complies with ISO27001.
    • Nine Steps to Success – An ISO 27001 Implementation Overview, which outlines the nine critical steps that mean the difference between ISO27001 project success and failure.

    The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

    Depending on your needs, you may also want the ISO27001-2013 Gap Analysis Tool.




    Tags: Corporate governance of information technology, data security, Information Security, Information Security Management System, International Organization for Standardization, isms, ISO/IEC 27001, Risk Assessment


    May 10 2014

    Information Security and ISO 27001-2013

    Category: ISO 27k | DISC @ 9:38 pm


    The perfect introduction to the principles of information security management and ISO27001:2013

    Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

    Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

    This pocket guide will help you to:

    Make informed decisions

      By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

    Ensure everyone is up to speed

      Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

    Raise awareness among staff

      An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

    Enhance your competitiveness

      Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

    Download this pocket guide and learn how you can keep your information assets secure.





    Tags: Information Security, Information Security Management System, isms, ISO/IEC 27001, Policy


    Mar 30 2014

    The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges


    by Ilenia Vidili

    In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to personal information. POPI was signed into law on 26th November 2013, but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

    Why is it so important for organizations to keep personal information safe?

    Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies, as well as reputational damage and a loss of customer trust. The lack of a robust Information Security Management System (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organisations, which will in turn increase customer confidence in those organisations. The Act will apply to all organisations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

    POPI’s challenges

    The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

    PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.

    [Figure: PwC survey results on expected time to POPI compliance] Source: PwC “The journey to implementation”

    One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

    How to prepare for POPI

    IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management systems, and recommends that companies look at the useful information about ISO27001 available on the company’s website.




    Tags: Information Security Management System, isms, POPI, Protection of Personal information Act, South Africa


    Dec 04 2013

    ISO27001 2013 high level review for making the transition

    Category: ISO 27k | DISC @ 3:06 pm


    ISO 27001 2013 high level review for making the transition from ISO 27001 2005

    The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

    It has been several months since the highly anticipated release of the latest version of the information security standard, ISO 27001:2013, which is of particular interest to organizations that have a vested interest due to previous compliance with, or certification against, ISO 27001:2005. ISO 27001:2013 has 114 controls defined within 14 security control clauses (domains), collectively containing a total of 35 main security categories, plus introductory clauses including introduction, scope and normative references:

    0. Introduction
    1. Scope
    2. Normative references
    3. Terms and definitions
    4. Context of the organisation
    5. Leadership
    6. Planning
    7. Support
    8. Operation
    9. Performance evaluation
    10. Improvement

    The new standard no longer requires organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leaves it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

    The scope clause in the new standard requires every organization to make sure that external and internal issues (vendor assessment) and the information security requirements of these parties are addressed in the contract. This clause ensures that an ISMS is relevant to the organization’s activities, including those involving external partners, and provides assurance that appropriate controls are in place for external parties as well. In the risk assessment area, risks are treated and residual risk is accepted by risk owners rather than asset owners, which may require organizations to build a risk register; this register will ultimately become an auditable document.

    There are other important requirements relating to the setting of information security objectives (strategy), which include the evaluation of information security performance and the measurement of the effectiveness of the ISMS.

    Annex A has also been restructured into fewer controls (114) and three new domains:
    A.5. Information security policies
    A.6. Organisation of information security
    A.7. Human resources security
    A.8. Asset management
    A.9. Access control
    A.10. Cryptography – new
    A.11. Physical and environmental security
    A.12. Operations security – new
    A.13. Communications security
    A.14. System acquisition, development and maintenance
    A.15. Supplier relationships – new
    A.16. Information security incident management
    A.17. Information security aspects of business continuity management
    A.18. Compliance

    The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the single description of ‘documented information’.

    The Standard no longer contains a summary of the mandated documents in this section; it relies on the organization to identify for itself the requirements for what is now referred to as ‘documented information’. The documented information that the Standard explicitly requires is listed below:

    The scope (4.3)
    The information security policy (5.2 e)
    The information security risk assessment process (6.1.2)
    The information security risk treatment process (6.1.3)
    Statement of Applicability (6.1.3 d)
    The information security objectives (6.2)
    Evidence of competence (7.2)
    That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
    The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
    The results of information security risk assessments (8.2)
    The results of information security risk treatment (8.3)
    Evidence of the information security performance monitoring and measurement results (9.1)
    Internal audit programme(s) and the audit results (9.2 g)
    Evidence of the results of management reviews (9.3)
    Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

    Summary of new controls in ISO 27001 2013 Annex A

    A.6.1.5 – Information security in project management
    All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
    A.14.2.1 – Secure development policy
    Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to A.14.1.1 and A.14.1.3, which relate to controlling the data and applications developed under this control.
    A.14.2.6 – Secure development environment
    The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
    A.14.2.8 – System security testing
    The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
    A.15.1.3 – Information and communication technology supply chain
    This control requires agreements with suppliers to address the information security risks associated with the information and communications technology services and products supply chain.
    A.16.1.4 – Assessment of and decision on information security events
    Information security events are examined and assessed to determine whether they qualify as information security incidents. This control adds a further step to the incident management process.

    Contact DISC for a Free Gap Assessment for any domain of your choice based on location

    Start your ISMS project with ISO27001 2013 Documentation Toolkit

    Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99

    Download the ISO27000 family of information security standards!
    • ISO 27001 2013 ISMS Requirement (Download now)
    • ISO 27002 2013 Code of Practice for ISM (Download now)




    Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer


    Nov 27 2012

    New ISO27013 Standard helps integrate ISO27001 with ISO20000

    Category: ISO 27k | DISC @ 2:27 pm

    IT Governance Ltd, the global leader in IT governance, risk management and compliance, has announced that the highly anticipated ISO27013:2012 Standard has been published and is now available to buy from the company’s online shop at ITG

    ISO27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 – two of the world’s leading and highly regarded standards. ISO/IEC 27001 deals with information security management systems (ISMS) and provides organisations with a powerful framework for sharing best practice and guidance on protection from cybercrime. ISO/IEC 20000-1:2011 is the international IT Service Management standard which enables organisations to ensure that their IT service management processes are aligned with the needs of the business.

    The ISO27013:2012 Standard has been designed to help organisations implement both standards together, or to implement one when the other is already in place within the organisation. By doing this, organisations can achieve increased customer satisfaction, competitive advantage, improved business operations and considerable cost savings over time.

    Organisations can purchase ISO/IEC 20000-2:2012 and ISO 27013 from IT Governance.




    Tags: Information Security Management System, International Organization for Standardization, isms, ISO 27013, ISO/IEC 20000, ISO/IEC 27001


    Jun 19 2012

    Achieve Best Practice & Win New Business with International IT Standards

    Category: cyber security, ISO 27k | DISC @ 3:38 pm

    International IT Standards help organizations achieve best practice systems and management of their IT processes. Certification against standards can help organizations protect their critical assets, rebuff cyber attacks, help win new business and achieve compliance against regulatory requirements.

    ISO27001: Cyber Security Standard (Cheapest price on the web)
    ISO27001 helps businesses create a best-in-class Information Security Management System (ISMS), safeguarding their information assets and protecting their reputation.

    ISO22301: Business Continuity Standard (Published last month)
    ISO22301 sets out the requirements for a Business Continuity Management System (BCMS) and helps organizations ensure they are prepared should a disruptive incident occur and, more importantly, that they can continue trading and return to business as usual as quickly as possible.

    ISO20000: IT Service Management Standard (Best Seller)
    ISO20000 enables IT organizations (whether in-house, outsourced or external) to ensure that their IT service management processes are aligned with the needs of the business. This standard specifies the requirements for a service management system (SMS) and will help you develop, implement and establish an SMS.




    Tags: BCMS, isms, iso 27001, iso20000, ISO22301, SMS


    Mar 26 2012

    IT Governance helps SMEs protect themselves from cybercrime

    Category: ISO 27k | DISC @ 1:45 pm

    Check out the ITG site for details

    IT Governance Ltd, the global provider of cyber security management solutions, has announced a value-add offer in March. Organisations that buy the No3 ISO27001 Comprehensive Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free, making double savings on resource and time.

    The No3 ISO27001 Comprehensive Toolkit contains highly practical books, document templates and a risk assessment tool, and also provides a 100% return on investment. It helps organisations tackle cybersecurity issues quickly and efficiently, whilst considerably improving their cybersecurity defences.

    The recent Symantec Threat Awareness Survey uncovered that over 50% of the 1,900 SMEs interviewed thought that they were immune to cybercrime because they were too small.

    However, Symantec’s report found that since 2010, 40% of all attacks were on SMEs. Ross Walker, Symantec director of small business for Symantec UK, commented: “hackers are going after ‘low hanging fruits’; these are the companies who are less security aware and do not have the proper defences in place”.

    Alan Calder, CEO of IT Governance, says “The best way to build robust and effective cyber defences is by implementing ISO27001, the world’s cybersecurity standard. An ISO27001-compliant Information Security Management System (ISMS) promotes customer confidence, helps vendors win new business and improves organisational efficiency”.

    The easiest way to implement an ISO27001-compliant ISMS, especially for SMEs, is with the No 3 Comprehensive ISMS ISO27001 Toolkit. It provides organisations with all the tools they will need for the implementation of an information security management system (ISMS).

    The No 3 Comprehensive ISMS ISO27001 Toolkit includes copies of the three key standards (ISO27001, ISO27002 and ISO27005), the Risk Assessment Tool (vsRisk™), the Documentation Template Toolkit and manuals that describe in practical detail how each aspect of the ISMS should be tackled.

    One user of the Toolkit said: “Using the templates was the only way that we could deliver a first edition ISMS in under six months. Our deliverable was a work in progress, but miles ahead of where they would have been without the templates”.

    Organisations that buy the No 3 Comprehensive ISMS ISO27001 Toolkit before the end of March will receive the Cybersecurity Self Assessment Tool free. It enables any organisation to quickly assess and demonstrate which areas of the organisation are up to scratch and where more attention is required.

    Organisations can purchase the ISO27001 Comprehensive Toolkit here!




    Tags: Information Security Management System, isms, iso 27001, iso 27002, ISO 27004, iso 27005, iso 27006, iso27003

