The InfoSec Blog

System Integrity: Context Is Everything

Category: ISO27K

September 8, 2018

Policy Vs Procedure

When discussing ISO27000, my friend Gary Hinson wrote: The terms in the triangle or pyramid shape are generally listed in the reverse sequence, the…

July 2, 2016

Nobody wants to pay for security, including security companies

https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that…

November 19, 2014

Should all applicable controls be mentioned in documenting an ISMS?

In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with…

May 30, 2013

Confusion over Physical Assets, Information Assets – Part Two

So I need to compile a list of ALL assets, information or otherwise, NO! That leads to tables and chairs and powerbars. OK so…

May 30, 2013

Confusion over Physical Assets, Information Assets in ISO-27000

I often explain that Information Security focuses on Information Assets. Some day, on the corporate balance sheet, there will be an entry which reads,…

May 14, 2013

Does ISO 27001 compliance need a data leakage prevention policy?

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…

March 26, 2013

What is the goal behind calculating assets in ISO-27000?

My friend and colleague Gary Hinson said about asset valuation in ISO-27000: So, for instance, it’s hard to say exactly how much the HR…

February 17, 2013

Information Gathering and Risk Assessment

On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it…

October 2, 2012

How much Risk Assessment is needed?

In many of the InfoSec forums I subscribe to people regularly ask the “How long is a piece of string” question: How extensive a…

August 9, 2012

How to build an asset inventory for 27001

How do you know WHAT assets are to be included in the ISO-27K Asset Inventory? This question and variants of the “What are assets…

June 29, 2012

Control objectives – Why they are important

http://blog.iso27001standard.com/2012/04/10/iso-27001-control-objectives-why-are-they-important/ Let us leave aside the poor blog layout, Dejan’s picture ‘above the fold’ taking up too much screen real estate. In actuality he’s…

March 31, 2012

Help on ISO-27000 SoA

This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000. The SoA should outline the measures…

March 24, 2012

Surely compliance is binary?

Call me a dinosaur (that’s OK, since it’s the weekend and dressed down to work in the garden) but … Surely COMPLIANCE is a…

March 18, 2012

About ISO 27001 Risk Statement and Controls

On the ISO27000 Forum list, someone asked: I’m looking for Risk statement for each ISO 27k control; meaning “what is the risk of not…

November 13, 2011

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a…

August 24, 2011

The real reasons for documentation – and how much

The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to. Of course management has…

July 2, 2011

The Question of Residual Risk value

People keep asking questions like If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value…

July 2, 2011

Risk Models that hide important information

Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have led themselves…
