Channel: Eddie Taliaferro | Pivot Point Security
Browsing latest articles
Browse All 5 View Live

Taking a “Business Process” Approach to ISO 27001

We often hear how larger-scale information security initiatives like ISO 27001 certification need to be “ingrained in the company culture,” and how you need “tone from the top” or support from...

Why “Check-the-Box” Policies are a VERY Bad Idea

It sometimes happens in the course of supporting clients during ISO 27001 certification projects or other information security assessments that we uncover “check-the-box” documents. For example, these...

How to Re-Energize Your ISO 27001 Efforts

Recently I conducted a surveillance audit for a SaaS provider that has been ISO 27001 certified for over three years. I logged five nonconformities… so something was off. Their information security...

Leveraging Metrics to Address the “Business” of Information Security

In my work I find that many CISOs are in a Catch-22 position with the businesses they protect. Often CISOs are judged on the number of security breaches or other incidents that are reported on their...

Information Security Policy Documentation: Simple is Better

Organizations seeking ISO 27001 certification sometimes choose to “err on the side of caution” and document “everything.” Usually this is because they don’t have a solid understanding of what ISO 27001...
