One Article Review

Home - The article:
Source NoticeBored
Identifier 4282237
Publication date 2022-03-15 16:36:29 (seen: 2022-03-15 04:05:26)
Title The nine controls ISO/IEC 27002 missed
Text Despite the excellent work done to restructure and update the standard, I still feel some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022, these nine for example:

Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high probability x low impact and low probability x high impact information risks (the orange zone on probability impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details.

Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information and opportunities for legitimate purposes within the constraints of applicable policies, laws, regulations etc., even when this means deliberately taking chances (accepting risks!) to secure business opportunities. Also, I'd like to see, somewhere in the ISO27k series, clearer advice on how to tackle the trade-off between control and utility: information that is too tightly secured loses its value, just as it does if inadequately secured ... and that in turn leads to the idea of at least mentioning financial and general business controls relating to information risk and security (e.g. budgeting, project investments, resourcing, cost accounting, incident and impact costing, valuing intangible assets, directing and motivating specialists: these are all important but tricky areas, so advice would help improve the effectiveness and efficiency of information security).

[Some of this is covered, albeit quite academically rather than pragmatically, in ISO/IEC 27014 and '27016, and outside the ISO27k realm.]

Health and safety controls protecting 'our most valuable assets', providing a supportive work environment that is conducive to getting the most out of our people, and ensuring the safety of our customers using our products. As with business continuity, H&S is pretty well covered by other standards plus laws and regs ... although, arguably, there's much more left to say, yet, on mental health (e.g. the long-term adverse health effects of excessive stress, both on and off the job), with significant implications for information risks
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.