Categories: For Infosec professionals

Difference – ISO 27001:2005 and ISO 27001:2013 – Part 2 – Context

This is the second part of the series about the differences between ISO 27001:2005 and ISO 27001:2013. This post talks about the information security ‘context’ and how to establish it for an organisation.

Categories: For Infosec professionals

If you don’t have anything important to say, don’t say anything – Information Security Metrics

If you don’t have anything worthwhile to say, don’t say anything. (Could be one of the reasons why this blog has been silent for a while now…) After infosec metrics became fashionable, a lot has been said about how to measure the effectiveness of your security program. ISO 27001:2013 made it worse – not only […]

Categories: For Infosec professionals

The Product-Process chasm – and how to bridge it

Have you implemented a firewall? An IPS? An AV? An IAM solution? A DLP? A DRM? An APT solution? A gateway proxy? An MDM solution? An SIEM? Chances are that you have answered “Yes” to at least two questions. (If not, please leave the information security industry right away and do something else. Really. Anything […]

Categories: Cybersecurity Humour, For Infosec professionals

The Info-Sec Idiots Guide

“Can you get us a security certificate in a week’s time?” If you have been in the infosec consulting business long enough, you will, for sure, have come across this sentence. In this post, I want to vent my frustration and tell you the answers that I actually want to give – not […]

Categories: For Infosec professionals, Infosec for everyone

The HeartBleed FAQ

The dust seems to be settling over the Heartbleed storm. Questions have been asked and answered. The experts and the newbies have voiced their opinions. This, I feel, is a good moment to answer those little questions that we have always been meaning to ask, but feared being thought of as stupid. Here is my attempt […]

Categories: Cybersecurity Humour, For Infosec professionals

Terrorist Outfit Seeks ISO 27001:2013 certification

I generally write long and boring stuff about obscure standards and esoteric practices. Sometimes, I do get bored of this and want to write some fiction. I tried to be Sir Arthur Conan Doyle here. This post is my attempt at faking a news report! TORA BORA: An infamous terrorist outfit has decided to implement […]

Categories: For Infosec professionals

ISO 27001-2013. What’s Different – Part 1

When ISO 27001:2013 was released, I did a quick write-up about it here. Now that I have had some time to spend with the standard (get to know it better!), I am writing a more detailed comparison. This comparison will follow the typical comparison that I did for BS 25999 vs. ISO 22301. […]

Categories: For Infosec professionals

The truth about the information security industry

The information security industry is in the doldrums. If it is not, it probably should be. For the past decade, there has been no change in the basic way we operate. For an industry that is reasonably new and supposedly at the cutting edge of technology, it has not done anything different. Don’t get me wrong […]

Categories: Cybersecurity Humour, For Infosec professionals

The case of the missing PDCA cycle

‘My dear Watson!’ exclaimed Holmes. “You are no doubt wondering about how they work in Japan.” I looked up in surprise. I was indeed pondering about the work culture in Japan. “Have you started performing black magic, then, Holmes? There can be no other explanation to this” I spake with wide eyes. “How can you […]

Categories: For Infosec professionals

Questioning Security Paradigms

Verizon has released its annual report on data breach investigations for 2013. The data breach report is a barometer of sorts for the infosec industry. Organised surveys about incidents and data breaches are few and far between in the infosec world. It is surprising, however, that the industry tends to ignore key findings of […]