Berlin Cyber Security Social #5 - ISO 27001
⚡️About the talk
For this event, I shared behind the scenes information and stories on the challenges of implementing an ISMS according to the ISO 27001 standards based on the many internal and external audits that I have taken part in.
Most of the content is in the stories, which are not repeatable here, but small talking points were added.
Thank you to the organizer, Brandi Zavala, for organizing a great event!
📌 Related Resources
Article for ISC(2) on ISO 27001:2022 and Cyber Security Leadership in Startups and SMEs
Brief background
There was an audit major non-conformity…
…and I have been spending a lot of time preparing for audits.
Decided to dedicate the topic for Berlin Cybersecurity Social on sharing my do’s and don’ts!
Extremely high level overview of ISO 27001:
Yes, you can buy the standards, and also read the best practice standard!
Yes, you can see the ToC on iso.org!
Yes, you can read all sorts of resources online…
Engage top management
You need buy-in on resources, personnel, capacity and budget
You need to overcome challenges around disengagement, executive communication and ways to translate information security objectives into strategic business objectives
Don’t be part of the problem
Audits get treated as homework - this is a problem!
External consultants are seen as out of touch - another problem!
Learn to be solution-focused and offer value, using ISO 27001 as a vehicle.
Socialize security across the organization
Look at current roles and responsibilities
I use “socialize” instead of “enforce” security for various reasons…
Don’t work in a security silo
This is easy to fall into
Exercise: Talk to someone not in security and not in your team. Ask them what they do every day. Try to see how you play a role.
Be realistic with the implementation
You get external pressures
Timeline depends on internal factors
Don’t assume CaaS solves your needs
Be pragmatic with the platform
Be realistic with the limitations
Monitor your controls regularly
Example: A dev pushes secrets to a repo. There are relevant people, technological and even organizational controls, and each needs to be monitored.
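The technological side of that example, as an added illustration (not code from the talk or from Superuser OÜ): a small scanner that checks only the added lines of a git diff for secret-shaped strings, the kind of check that runs in a pre-commit hook or CI step so the leak is caught before the push lands. The diff, the rule names and the patterns are constructed for this example; a real deployment would use a maintained scanner with a curated rule set, and the "people" and "organizational" controls (rotating the key, the review process) still have to exist around it.

```python
"""Toy secret-pattern scanner for a git diff (added example, not from the talk).

Illustrates the technological control in the 'dev pushes secrets to repo'
scenario: scan the added lines of a diff and block the push on a hit.
All patterns, file names and the sample diff are constructed for this example.
"""
import re
from dataclasses import dataclass

# Illustrative rules only, not an exhaustive secret taxonomy.
SECRET_PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so this is high-signal.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header (any of the common variants).
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Hard-coded credential assignment such as DB_PASSWORD = "literal".
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line_no: int   # line number in the new version of the file
    excerpt: str   # start of the matched text, redacted


def redact(match: str) -> str:
    """Keep just enough to recognise the hit; never log the whole secret."""
    return match[:6] + "…" if len(match) > 6 else "…"


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the added ('+') lines of a unified diff for secret patterns."""
    findings: list[Finding] = []
    current_file = ""
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")   # new-file path
            continue
        if raw.startswith("--- "):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line_no = int(hunk.group(1)) - 1        # next line is the hunk start
            continue
        if raw.startswith("-"):
            continue                                    # removed lines are gone
        # Context (' ') and added ('+') lines both advance the new-file counter.
        new_line_no += 1
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for rule, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(content):
                findings.append(Finding(rule, current_file, new_line_no, redact(hit.group(0))))
    return findings


def should_block_push(diff_text: str) -> bool:
    """Gate for a hook or CI step: reject the push if anything was found."""
    return bool(scan_diff(diff_text))


# Constructed sample diff: one harmless change plus two leaked credentials.
# The AWS key is the placeholder value used in AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DEBUG = False
+DEBUG = True
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.excerpt}")
    print("BLOCK" if should_block_push(SAMPLE_DIFF) else "OK")
```

Scanning only added lines keeps the check fast and avoids re-flagging history on every push; the redacted excerpt is what goes into the ticket or log so the monitoring trail itself does not become a second copy of the secret.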
Don’t treat audits as a one hit Netflix season
…otherwise it’s a shallow implementation.
There is more than just ISO 27001
Consider an ISMS or other standards
Big thank you to the organizer, Brandi Zavala!
Photo from the amazing c-base venue in Berlin