Clear desk and clear screen policy – What does ISO 27001 require?

Imagine this scene: an employee at his desk, in an open-plan office, is reviewing on his notebook some data to prepare a report about the last quarter financial results, or the pre-selling performance evaluation of the organization’s newest product. He receives a telephone call from his boss about a quick …

ISO 27001 vs. ITIL: Similarities and differences

IT services are one of the main pathways for information to flow through organizations, their clients and partners, and as legal and contractual requirements are increasingly including information protection demands (the healthcare industry is an example), these services and their management practices must evolve to adapt to this new scenario. …

What to look for when hiring a security professional

Besides proper procedures and technologies, counting on good professionals can make all the difference during implementation and operation of any process or project. The “Apollo 13” movie shows what skilled men can do when procedures and technology fail (remember the “mailbox” device). On the other hand, what are the chances …

Key performance indicators for an ISO 27001 ISMS

Think about a medical exam. Our objective is for the physician to tell us that our health is ok and that we’ll live a long life, right? And how does the physician evaluate our health to determine if we are on track or not? By using several biological indicators, like …

How to protect against external and environmental threats according to ISO 27001 A.11.1.4

Physical security plays a critical role in information protection, because even the best designed, implemented, and maintained technical and administrative controls, whether IT related or from some other area, are of little help if an event physically affects the environment or the assets on which those controls work. For example, …

How to set security requirements and test systems according to ISO 27001

Security is something that everyone wants to have, but which no one ever wants to use. And this thought can bring a lot of problems. Unless a system’s purpose is security related (e.g., firewall, access system, etc.), users pay little attention to how security is embedded in a product, and …

Secure equipment and media disposal according to ISO 27001

Think about the following scenarios: Printed documents (e.g., budget drafts, or client’s refused proposals) are no longer needed and used as scratch paper, or accumulated in waiting areas for removal. Defective equipment (e.g., CEO’s tablet, or project team’s notebooks) being discarded by maintenance staff, put directly in the trash, or sold as …

Using ITIL to implement ISO 27001 incident management

Incident management is one of the key processes to ensure the effectiveness of any business operation. With more or less sophistication and maturity, practically any organization has practices in place to deal with undesired events, and some of these were so commonplace that they became industry good practices and the …

Requirements to implement network segregation according to ISO 27001 control A.13.1.3

Think about a house, or office, with only one big space where you can arrange all your loved and precious things the way you think most appropriate. Tempting, isn’t it? The flexibility to use the space and ease of seeing everything right away seems like a big deal. Now, imagine …

ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS)

What do diverse situations like the Battle of Trafalgar (1805), the Cooley–Tukey FFT algorithm (1965), and the multi-sided market competition have in common? They are all examples of big or complex problems divided into smaller and more manageable pieces to reach a winning solution. This is a strategy called “Divide …

How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1

You have certainly already heard, or lived, this scenario: it is a normal day and the systems are working fine, when suddenly they slow down for no apparent reason or simply stop. User support starts to receive dozens of calls, and the IT staff works hard for hours to put …

How to perform monitoring and measurement in ISO 27001

Performance monitoring and measurement are key actions in the maintenance and improvement of any system. (See this article for more information: Achieving continual improvement through the use of maturity models.) ISO 27001 recognizes their importance in clause 9.1 (Monitoring, measurement, analysis and evaluation), defining requirements to be observed when implementing such …

ISO 27001 Certification: What’s next after receiving the audit report?

For those who already run a management system, like an ISMS based on ISO 27001, the certification audit event is already known: the auditor arrives, performs the audit opening, evaluates processes and records, states the result, and elaborates the audit report, closing this phase of the audit process. However, why did …

CISA vs. ISO 27001 Lead Auditor certification

In a previous post, I talked about personal certifications helping the organization to comply with ISO 27001 clause 7.2 (see this post How personal certificates can help your company’s ISMS). In today’s post, I will show you two specific personal certifications (CISA and ISO 27001 Lead Auditor) and how they can …