The InfoSec Blog

Control objectives – Why they are important

Posted by Anton Aylward

http://blog.iso27001standard.com/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Let us leave aside the poor blog layout, Dejan's picture 'above the fold' taking up to much screen real estate. In actuality he's not that ego-driven.

What's important in this article is the issue of making OBJECTIVES clear and and communicating (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.

Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy[1], and the low level objectives[2]. Call that the tactical or the operational level. Differentiating between the two is important. They should not be confused. The high level, the POLICY OBJECTIVES should be the driver.

Yes there may be a lot of fiddly-bits of technology and the need for the geeks to operate it at the lower level. And if you don't get the lower level right to an adequate degree, you are not meeting the higher objectives.

Tagged as: , , , , , , , , , , , , , , Continue reading

Surely compliance is binary?

Posted by Anton Aylward

Call me a dinosaur (that's OK, since its the weekend and dressed down to work in the garden) but ...

Surely COMPLIANCE is a binary measure, not a "level of" issue.
You are either in compliance or you are not.
As in you are either deal or alive.

Tagged as: , , , , Continue reading
   

Availability

I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity

Popular Pages

Categories

Archives

Calendar of Posts

May 2017
M T W T F S S
« Nov    
1234567
891011121314
15161718192021
22232425262728
293031  

Meta

Security Links