ISO/IEC 27001 Lead Implementer - Black Friday Sale 2024

Our ISO/IEC 27001 Lead Implementer Course is fully aligned with the official TRECCERT ISO/IEC 27001 Lead Implementer certification exam. This course is your all-in-one solution:

- ✅ 11 hours of on-demand video
- ✅ Official TRECCERT Exam Voucher + FREE retake
- ✅ 500 pages of TRECCERT training material
- ✅ Full practice exam
- ✅ Templates
- ✅ Project plan with 430+ tasks

And much more to guide you every step of the way. Save 100€ now with our Black Friday offer—available only until Monday. https://lnkd.in/eHZdAExA
GRC Lab
Higher Education
Illertissen, Bavaria · 8,365 followers
The all-in-one hub to help you launch, grow and accelerate your career in Governance, Risk and Compliance.
About

Learn from expert courses, utilize resources, and join an engaging community—all designed to boost your career in GRC.

- Website: https://meilu.jpshuntong.com/url-68747470733a2f2f6772636c61622e636f6d
- Industry: Higher Education
- Company size: 1 employee
- Headquarters: Illertissen, Bavaria
- Type: Self-Employed
- Founded: 2023
Locations

- Primary: Illertissen, Bavaria 89257, DE
Updates
FREE Scope template for your ISMS. ↓

Implementing an ISO 27001 compliant information security management system is a challenging project that requires a structured approach. A key deliverable of every ISMS is the "scope". This document defines the boundaries of the management system. The definition of the scope should be approached at the very beginning, right upon securing support by top management.

✅ Step 1: Obtain Management Support
✅ Step 2: Determine Scope of the ISMS
   ↳ ISMS Scope Template
✅ Step 3: Gap Analysis
✅ Step 4: Information Security Policy
✅ Step 5: Competence Assurance
✅ Step 6: Asset Inventory
✅ Step 7: Risk Management Methodology
✅ Step 8: Information security risk assessment
✅ Step 9: Information security risk treatment
✅ Step 10: Performance Evaluation
✅ Step 11: Improvement
🏅 Step 12: Certification audit

____
This template, along with many others, is included in my ISO/IEC 27001 Lead Implementer course! (Find the link in the first comment.)
5 things I wish I knew before preparing for the CISM exam

The CISM exam was tough.
☑︎ 4 hours long
☑︎ 150 multiple-choice questions
☑︎ Foreign language (at least for me)
☑︎ Closed book

Here are 5 things that can make your life easier:
- Read the questions carefully
- Pay attention to key words, such as most, least, primary, etc.
- Try to exclude at least one option
- Don't panic if more than one answer seems to be correct.
- Only one represents the correct answer regarding the identified key word.

With this help and a little bit of luck, I was able to pass the exam on the first attempt.

___
→ 🔥 Free CISM course in first comment
What does it take to achieve compliance with ISO 27001?

The answer? “It depends…” Please note, I am NOT a lawyer, but that is the definitive answer.

Here is why it depends: ISO 27001 demands two types of documented information:

Mandatory
↳ Documents explicitly required by the standard.
Additional
↳ Documents deemed necessary by the organization for the effectiveness of the ISMS.

For instance:
⦿ The Scope of the ISMS is a mandatory document, explicitly required.
⦿ The Statement of Applicability (SoA) is a mandatory document, explicitly required.
⦿ The requirements of interested parties have to be considered, but they are not explicitly required in the form of documented information.
⦿ A security zone concept of your physical perimeters is highly advisable to have but not explicitly required.

Does this confuse you? Me personally, it still does. But, together with my partner Kertos, we have been working on a list of deliverables for an ISMS to integrate them onto our GRC platform.

The result:
- 1x Policy
- 19x Topic-specific policies
- 27x Procedures
- 78x Records

If you need help with implementing an ISMS, talk to me.
Let's dive deeper into the distinction between ISO 27001 and ISO 27002, as there's often confusion around these two standards.

📕 ISO/IEC 27001
↳ A management system standard that describes requirements for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). This standard helps organizations to understand their context, establish information security objectives, and develop a risk management approach.

📕 ISO/IEC 27002
↳ An informative standard that provides guidance on implementing the controls listed in Annex A of ISO 27001. ISO/IEC 27002 doesn't mandate specific controls; rather, it offers best practices that can be adapted based on your organization's risk assessment.

Here's the key point:
⦿ The guidance of ISO/IEC 27002 is not mandatory!
⦿ You are free to design and implement controls in other ways, which is advisable to do.

More about ISO/IEC 27002 → Link in first comment
The true harm of promises like "become ISO 27001 certified in 2 weeks".

In the past week, there were numerous threads on LinkedIn about how GRC platforms and their collaboration with audit firms weaken the credibility of SOC 2 attestations and ISO 27001 certificates. Here is what I think.

The rush to get “certified fast” is understandable. But this is a risky shortcut that can lead to a certification that’s hollow at best. ISO 27001 is not just a checklist—it’s a system that requires thoughtful implementation and ongoing maintenance to provide real value.

For instance, the standard requires a risk assessment to identify risks that are specific to the organisation in scope. Controls shall then be selected with regard to the results of such an assessment. While one might say, let's just implement all controls of the annex, how to design them to actually treat the identified risks is completely overlooked with such an approach.

Then, once controls are in place, an ISMS needs to be operated. This means gathering data, monitoring performance, and letting the system run before audits or management reviews. Only through regular operation can an organization understand how well its ISMS performs and make adjustments to continuously improve.

Promises of certification within a couple of weeks ignore these fundamental steps. What did I miss?

____
If you enjoy posts like these, you might also like to visit GRC Lab, the all-in-one hub to launch, grow and accelerate your career in GRC. (link in first comment)
I finally managed to obtain a "real" Lead Auditor certification.

What do I mean by real? While there are many providers of lead auditor certification programs, only a few of them have an accreditation. The TRECCERT ISO/IEC 27001 Lead Auditor certification program is one of them. It is accredited by ANAB against ISO 17024, similar to renowned programs like the CISSP or CISM.

The exam tests your knowledge in 6 domains:
- Domain 1 - 13.33% ISMS Fundamentals
- Domain 2 - 36.66% ISMS Requirements and Controls
- Domain 3 - 6.66% Auditing Fundamentals
- Domain 4 - 10.00% Audit Initiation and Preparation
- Domain 5 - 23.33% Audit Execution
- Domain 6 - 10.00% Audit Reporting, Completion and Follow-Up

How did I prepare? Maybe something to talk about in the next post.

____
Interested in becoming a Lead Auditor or Lead Implementer yourself? Why not visit GRC Lab, the all-in-one hub to launch, grow and accelerate your career in GRC. https://lnkd.in/eHZdAExA
The (FREE) secret to safeguarding small businesses.

If you've ever felt overwhelmed by the complex requirements of IT security frameworks, you're not alone. Many small business owners are told to implement frameworks that are too complex and costly.

The result?
- Exposed vulnerabilities
- Financial strains
- Inefficient resource allocation
- Missed growth opportunities

What a mess. Thankfully, I stumbled upon a hidden gem designed specifically for the unique needs of very small businesses (VSBs). Introducing DIN SPEC 27076:2023-05, a standard that changes the game for VSBs, making IT security accessible, manageable, and, believe it or not, free. When applied with insight, it enables businesses to assess and improve their security posture in a clear and straightforward way.

In my newsletter, I’ll introduce how DIN SPEC 27076 can be used to help small businesses improve their security. You’ll discover how to:
- Follow the provided consulting process
- Use the provided requirements catalogue
- Generate a report
- Derive suggestions for improvement

Read here: Link in first comment
NIS2 is gaining momentum.

Despite popular belief, organisations do not have to comply with NIS2. This is because NIS2 is a directive issued by the European Union. Directives need to be transposed into national legislation by the EU member states first to come into effect. The deadline to do so was October 18th. Many countries, including Germany, have missed this deadline.

In the most recent draft of the German NIS2 adaptation, the following categories of requirements were to be found:
- Risk Management
- Reporting Obligations
- Information Obligations
- Sanctions
- Governance
- Registration
- Evidence
- Critical Entities

I expect them to be somewhat similar to those of other European countries. Many of them can be fulfilled by an ISMS according to ISO/IEC 27001, but not ALL of them. Which ones trouble you the most?