ISO/IEC 27002 has been updated in 2022. So, what’s changed?
This international standard of generic information security controls is widely used across the information security community as a benchmark for implementing good security practices, and had been largely unchanged since 2013. However, earlier this year the updated standard received more than a facelift – it had a full makeover. Fundamentally there are three main changes, which I’ll go into.
New Zealand Privacy Week 2021 was held recently; 10 – 14 May. This annual event is designed to help promote privacy awareness and to help inform people of their rights under the Privacy Act. A key event of the week was the Privacy Forum that was held here in Wellington on Friday 14 May. If you were unable to attend, the good news is that Axenic were there and the following blog is a review of some of the key insights from the event courtesy of Axenic Principal Consultant Lisa Zannino.
Over the past few years, I’ve led and been involved in many security audits on both sides of the table, which has helped me develop some insights worth sharing. Sometimes these auditing engagements are seen as something to just get through; however, there were a few organisations which really made the most of the exercise and applied the impartial information learned to gain a more accurate understanding of their real risk exposure. After all, that is the primary reason for performing these assurance activities, isn’t it? To ensure that the implementation of the most relevant controls for managing the highest rated risks occurs within resourcing and budgetary constraints.
So, how can you ensure your organisation gets the most out of its next security audit? Here are my top 5 recommendations:
Getting practical security information and guidance shouldn’t be so hard. Unfortunately, sometimes it can feel that way. Yes, there may be times when you will need to bring in specialists to assist your business to meet its security needs, but there are many aspects of security which you can choose to do, even on the leanest of budgets.
How are risk owners and agency heads able to make informed decisions about ICT system accreditation without being provided with adequate information?