One Article Review

Home - The article:
Source NoticeBored
Identifier 1495752
Publication date 2019-11-07 10:31:27 (viewed: 2020-01-03 15:00:04)
Title NBlog Nov 6 - insight into ISO27k editing
Text Today I find myself poring through ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there's plenty of good content, I can't help but notice a few rough edges, such as this:

“Conducting a methodical assessment of the risks associated with the organization's information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2]

First off, here and elsewhere the '27000 text uses the term “information asset”, which is no longer defined in the standard since the committee couldn't reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.

Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn't that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect. “Likelihood” is a vague and problematic word with no precise equivalent in some languages - it too should probably be deprecated. The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!).
Thirdly, do “the organization's information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organiza
Sent Yes
Tags Threat Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.