📚 NBlog Aug 23 - ISMS comms plan


💡 News category: IT Security News
🔗 Source: feedproxy.google.com

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web.

Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad. Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and proceeds to outline - yes, you guessed it - a "communications plan".

ISO/IEC 27003:2017 confirms our assessment by stating explicitly:
"Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system".
In other words, a documented comms plan is discretionary - advised as good practice but not strictly demanded of every organisation for '27001 compliance certification.

Well anyway, let's do it! To comply with the standard, what should typically be communicated in respect of the ISMS, when, to and by whom, and by what means?

ISO/IEC 27003 offers examples of the things that should be communicated:
  • Information security policies and procedures, plus changes thereto;
  • [The organisation's] Information [risk and] security objectives;
  • Knowledge on information security risks;
  • Requirements [of information] suppliers;
  • Feedback on the information security performance (not least the certificate of compliance with '27001 and asserted conformance with privacy laws);
  • [Information about relevant] incidents and crises.
Hmmm, as you can guess from the [insertions] in the list, while reading the advice I'm already putting my own slant on this, thinking about how the organisations I've previously worked/consulted with interpreted the standard's concise/minimalist advice, and what I would do now.

Next I set to work drafting the template in the form of a summary followed by a table with three columns (when, internal comms and external comms), rows for each quarter of a year and bullet points outlining the nature of the comms in each case. A simple 3½-page two-year comms plan covering the period up to and beyond certification came together in no time.

Here's a taster, a glimpse of the first ½-page as originally drafted:


The sequence of communications mirrors the ISMS implementation project from initial approval through building the ISMS to certification and then business as usual as the ISMS settles down and gradually matures - hence the comms plan is pretty close to being an ISMS implementation project plan, including management comms about the progress of the project.

Have I neglected anything important though? I turned to Google and found useful guidance in the first few search results:
  • Jean-Luc Allard, a respected member of ISO/IEC JTC 1/SC 27, takes the opportunity while writing for Advisera to elaborate on the standard's requirement. I appreciate his advice to consider comms as a two-way street: I will incorporate that into the template comms plan.
  • ISMS.online has quite a bit of advice, albeit much of it concerns how their ISMS cloud service generates information in a form that could usefully be communicated. They point out the link to discretionary control A.7.2.2 on security awareness which is already in the plan anyway: maybe we should mention A.7.2.2 in the preamble though.
  • Ben Woelk, program manager for the Information Security Office at Rochester Institute of Technology, has published a detailed ISO comms plan - 16 pages laying out all the things they planned to communicate as part of their ISMS. I anticipate our customers using the templates to develop something along these lines, customised of course to suit their specific requirements ... but the SecAware ISMS templates are much shorter and generic. We are deliberately offering a bare-bones starting point hoping to inspire customers to develop the templates as they need, rather than a comprehensive out-of-the-box 'solution' which is unlikely to suit every customer. Nevertheless, Ben's inclusion of the goals and strategies for his comms plan is a cool idea, something again we can mention in the preamble.
I could continue laboriously trawling the remaining 1.7 million Google results (!) for inspiration but life's too short. Already I have the impression that the template comms plan is fine with just a little adjustment to the preamble - that summary section up-front that explains what the plan is about and intends to achieve. For example, it should mention who will be involved in preparing, authorising and delivering the comms (several people from various functions). So that's one of today's tasks on the to-do list.

First, though, I need to feed our ravenous ewes, lambs, goats and kids, two tame deer, a small flock of chooks and a house cow called Ginger. The sky is blue, the sun shining brightly, another glorious Spring day in rural New Zealand. Feeding out is an opportunity to think.

PS This blog piece has taken me at least as much time and effort to write as the comms plan itself, but I hope you find it useful to hear about the work that goes into the SecAware ISMS templates and other materials.
...


