How to produce a risk treatment plan
The risk treatment plan is one of the mandatory documents that must be produced as part of a certified ISO 27001 ISMS (information security management system). It provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those ... Read More
Risk terminology: Understanding assets, threats and vulnerabilities
Whether you’re addressing cyber security on your own, following ISO 27001 or using the guidance outlined in the GDPR (General Data Protection Regulation), the process begins by assessing the risks you face. You might have a broad idea of what a risk is, but did you know there’s a specific ... Read More
GDPR data mapping tutorial: tips, tricks and techniques
A data flow map is a diagram that shows how sensitive information moves between one part of your organisation and another. For example, you might collect user information through a survey, which is then funnelled into a database used by your marketing team. If the data subject becomes a customer, ... Read More
ISO 27001 Risk Owner vs Asset Owner: What’s the Difference?
Anyone familiar with ISO 27001 will be familiar with the concept of asset owners. They are a long-established part of the Standard, ensuring that organisations know who is responsible for managing information security weaknesses. In the latest version of ISO 27001, the requirements added the concept of risk owners. This ... Read More
ISO 27001: Understanding the needs and expectations of interested parties
Clause 4.2 of ISO 27001 details the needs and expectations of interested parties. An interested party is essentially a stakeholder – an individual or a group of people affected by your organisation’s information security activities. To identify your interested parties, ask yourself who is important for your organisation, who is ... Read More
How to choose the right strategy for ISO 27001 risk management
ISO 27001 is designed to help organisations identify the right approach to take when managing risks. You can’t apply defences to every threat you face, because that would be impractical and prohibitively expensive, so you need to determine when mitigation is the right strategy and when other risks can be ... Read More
How to write an information security risk assessment methodology
The purpose of an information security risk assessment is to prioritise threats so that you can allocate time and resources appropriately. To do that, you need a way of calculating the severity of these threats; that’s where the information security risk assessment methodology comes in. A methodology enables organisations to ... Read More
Managing Risks According to Clause 6 of ISO 27001
Clause 6 of ISO 27001 covers the actions that organisations must take to address information security risks. It’s one of the most important parts of the Standard, because everything else you do to meet the Standard’s requirements informs or revolves around this step. Asset identification, the risk assessment and risk treatment all ... Read More
Monthly cyber security review: December 2019
We’re back with another round-up of some of the most notable information security stories of the past month. In this edition, we discuss a hospital employee who abused their power to contact patients, an update on last year’s Ticketmaster data breach and an upsetting incident at a Scottish high school ... Read More
Monthly cyber security review: November 2019
As we enter December, many organisations slow down as they turn their attention to Christmas. Office parties, secret Santas and discussions of when it’s acceptable to put the tree up start to take precedence over work, as employees kill time hoping not to start any big projects that could ruin ... Read More