Berlin Cyber Security Social #5 - ISO 27001

⚡️About the talk

For this event, I shared behind-the-scenes information and stories on the challenges of implementing an ISMS according to the ISO 27001 standard, based on the many internal and external audits that I have taken part in.

Most of the content is in the stories, which cannot be repeated here, but the short talking points are included below.

Thank you to the organizer, Brandi Zavala, for organizing a great event!

📌 Related Resources

Article for ISC(2) on ISO 27001:2022 and Cyber Security Leadership in Startups and SMEs

Brief background

  • There was a major non-conformity in an audit…

  • …and I have been spending a lot of time preparing for audits.

  • Decided to dedicate my topic at the Berlin Cybersecurity Social to sharing my do’s and don’ts!

Extremely high level overview of ISO 27001:

  • Yes, you can buy the standard; also read the best-practice standard!

  • Yes, you can see the ToC on iso.org!

  • Yes, you can read all sorts of resources online…

Engage top management

  • You need buy-in on resources, personnel, capacity and budget

  • You need to overcome challenges around disengagement, executive communication and ways to translate information security objectives into strategic business objectives

Don’t be part of the problem

  • Audits get treated as homework - this is a problem!

  • External consultants are seen as out of touch - another problem!

  • Learn to be solution-focused and offer value, using ISO 27001 as a vehicle.

Socialize security across the organization

  • Look at current roles and responsibilities

  • I use “socialize” instead of “enforce” security for various reasons…

Don’t work in a security silo

  • It is easy to fall into this

  • Exercise: Talk to someone not in security and not in your team. Ask them what they do every day. Try to see how you play a role.

Be realistic with the implementation

  • You get external pressures

  • Timeline depends on internal factors

Don’t assume CaaS solves your needs

  • Be pragmatic with the platform

  • Be realistic with the limitations

Monitor your controls regularly

Example: a dev pushes secrets to a repo. There are relevant people, technological and even organizational controls for this.

Don’t treat audits as a one-hit Netflix season

  • …otherwise it’s a shallow implementation.

There is more than just ISO 27001

  • Consider an ISMS or other standards

Big thank you to the organizer, Brandi Zavala!

Photo from the amazing c-base venue in Berlin
