Oct 09 2024

Pragmatic ISO 27001 Risk Assessments

Category: ISO 27k,Risk Assessment,Security Risk Assessmentdisc7 @ 1:33 pm

Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.

He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.

To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.

Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.

For more information on Andrew Pattison interview, you can visit here

ISO 27k Chat bot

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: iso 27001, ISO 27001 Risk Assessment, ISO27k


Aug 30 2024

How to manage information in the cloud: Best practice frameworks

Category: Cloud computingdisc7 @ 10:13 am

It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.

However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.

What Influences Organizations to Store Information on the Cloud?

Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.

Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.

Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:

  • Agility: you can respond more quickly and adapt to business changes
  • Scalable: cloud platforms are less restrictive on storage, size, number of users
  • Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas etc
  • Enhanced security: standards and certification can show robust security controls are in place
  • Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
  • Continuity: organizations are using cloud services as a backup internal solution

Standards to help you Manage Information on the Cloud

Standards that focus on putting appropriate frameworks and controls in place to manage cloud security.

ISO/IEC 27001 international standard for an Information security management system (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.

It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.

ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.

It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.

ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.

All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Request to learn more.

Adopt these standards today to ensure your organization effectively manages data in the cloud.

How to build a world class ISMS:

ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.

After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.

Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.

One should consider CIS Controls to strengthen one of the above frameworks when building your ISMS. CIS Controls is updated frequently than frameworks and are highly effective against the top five attack types found in industry threat data, effectively defending against 86% of the ATT&CK (sub)techniques in the MITRE ATT&CK framework.

Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.

In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A ( or from (NIST, HIPAA, PCI, or CIS Critical Security Controls)) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.

The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.

Cloud shared responsibilities:

Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.

Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The division of responsibilities varies based on the cloud service model:

  • IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
  • PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
  • SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.

Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security, compliance and last but not the least managing risks in the cloud environment.

In summary, The shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.

Latest Cloud Security titles

Previous posts on Cloud Computing

ISO27701 – Privacy information management system

Check out these previous ISO27k posts

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud computing benefits, Cloud computing frameworks, cloud computing security, cloud security, cloud security risks, Cloud shared responsibilities, isms, ISO27k, SoA


Oct 18 2022

Detailed explanation of 11 new security controls in ISO 27001:2022

Category: Information Security,ISO 27kDISC @ 9:00 am

If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.

In this article, I’ll focus on 11 new controls that are set to be introduced in ISO 27001. For general information about the changes, see this article: Most important facts about changes in ISO 27001/ISO 27002.

What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.

As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.

Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.

So, let’s review the 11 controls in more detail…

https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/?

Tags: ISO 270012022, ISO 27001:2022, ISO27k