One Article Review

Home - The article:
Source NoticeBored
Identifier 5259269
Publication date 2022-06-19 09:54:39 (seen: 2022-06-18 23:06:22)
Title The Matrix, policy edition
Text Inspired by an insightful comment on LinkedIn from an SC 27 colleague on the other side of the world (thanks Lars!), I spent most of last week updating the SecAware security policy templates and ISO27k ISMS materials.

The main change was to distinguish conformity from compliance - two similar terms that I admit I had been using loosely and often incorrectly for far too long. As I now understand them:

Compliance refers to fulfilling binding (mandatory) legal, regulatory and contractual obligations;
Conformity concerns fulfilling optional (discretionary) requirements in standards, agreements, codes of ethics etc.

It's a fine distinction with implications for the associated information risks, given differing impacts:

Noncompliance may lead to legal enforcement action (fines/penalties), other costly sanctions (such as more intrusive monitoring by the authorities and perhaps revocation of operating licenses) and business issues (such as reputational damage and brand devaluation, plus the costs of defending legal action).
The consequences of nonconformity may be trivial or nothing at all if nobody even cares, but can also involve business issues such as inefficiencies, excess costs and so on, particularly if customers, business partners, the authorities or other stakeholders are seriously concerned at management's apparent disregard for good security practices.

Certification of an organisation's ISMS, then, demonstrates its conformity with, not compliance to, ISO/IEC 27001 - well, in most cases anyway, where management voluntarily chooses to adopt and conform to the standard. If they are obliged by some mandatory, legally-binding requirement (an applicable law or regulation, or perhaps terms in a formal contract with a supplier or customer), I guess they must comply. Putting that another way, nonconformity is an option. Noncompliance isn't.

Anyway, having adjusted the terminology and tweaked the SecAware materials, I took the opportunity to prepare two new 'bulk deal' packages - a comprehensive suite of information security policy templates, and a full set of ISO27k ISMS materials. I'm hoping to persuade customers to invest a little more for greater returns. The SecAware policies, for instance, are explicitly designed to work best as a whole, an integrated and coherent suite as opposed to an eclectic collection of policies on various discrete topics. In recent years, I have developed a spreadsheet to track the mesh of relationships between policies:
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.