IT Governance Blog on IT governance, risk management, compliance and information security. » Consultants View

Data Protection is a bad thing, so let’s hide behind it (?!)

Ralph O'Brien — Fri, 08 Jul 2011 12:42:35 +0000

Ever called up a call centre and been told “can’t give you that information, the Data Protection Act won’t let me”? What rot.

Data Protection is a bad thing, so let’s hide behind it (?!) is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

A Pilgrim’s Progress…

Nick Orchiston — Fri, 08 Jul 2011 09:24:18 +0000

So there you are ... someone has mentioned ISO 27001 and that you ought to be certified or ‘have ISO 27001’, as it might be “good for business”. You have heard of ISO 27001, but have always dismissed it as being something to think about. Now, however, maybe it’s time to look into it a bit more seriously.

A Pilgrim’s Progress… is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Are You Safe From Cyber Attacks?

Srilatha Thalla — Fri, 08 Jul 2011 07:32:32 +0000

The world has become a far riskier place to do business. As on-line business continues to grow, organisations must face the risks that come with outsourcing and using third party services, larger supply chains and the increase in cyber attacks and cyber fraud. In this modern age, businesses have a dependence on IT, networks and wireless and mobile communications; all of which come with their own security issues.

Are You Safe From Cyber Attacks? is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

ISMS: The Missing Link

Nick Orchiston — Fri, 08 Jul 2011 07:13:36 +0000

You can spend all the money you like on technology or tighten the processes up to the nth degree, but unless people are considered the security will not be watertight.

ISMS: The Missing Link is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Good things happen when planned for – the bad things will happen anyway…

Ralph O'Brien — Wed, 30 Mar 2011 13:11:13 +0000

A blog about "safety" and what is means to be "safe". Often depressing is the fact that there is no such thing. The bad news is that nothing is ever 100% secure. Not if you want to actually be able to use the information anyway!

Good things happen when planned for – the bad things will happen anyway… is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

What is information security?

Ralph O'Brien — Wed, 30 Mar 2011 12:41:19 +0000

Consider an organisation that is a top secret nuclear bunker against three men making furniture in a shed. Clearly they both have different needs to keep their information safe. The "3 men in a shed" will likely have the following as appropriate measures;

What is information security? is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

BS25999 vs ISO 22301

Ralph O'Brien — Tue, 15 Mar 2011 13:43:07 +0000

Most are aware that BS25999-2 (the requirements for a business continuity management system) will be becoming an international standard in the future. The aim is to have this published by the end of 2011, but as ever, there will be a long transitional phase given by the certification bodies, probably at least 2 years after publication.

BS25999 vs ISO 22301 is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

The best management system is an invisible one.

Ralph O'Brien — Tue, 15 Mar 2011 13:29:24 +0000

I often say this to clients, but this is advise that often goes unheeded. These days integrated management systems are becoming more common place. A lot of people are moving away from ,a href="http://www.itgovernance.co.uk/products/1860">ISO 9001 (quality management) and are instead utilising increasingly diverse management system frameworks, ISO 27001 (information security), BS 25999-2 (business continuity), ISO 14001 (environment) etc etc.

The best management system is an invisible one. is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Watch Out: ISO 50001 is about!

Nick Orchiston — Tue, 03 Aug 2010 14:40:23 +0000

Coming to a standards office near you is ISO 50001. Due to be published in early 2011, this will be the definitive Energy Management Standard. Currently, the de facto standard for energy management is EN 16001:2009 'Energy management systems.

Watch Out: ISO 50001 is about! is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Top Security Tips: documentation – Updated

Ralph O'Brien — Thu, 15 Apr 2010 13:32:57 +0000

During my experience as an assessor, auditor, practitioner and consultant, I find that documentation is a real pain for organisations. Too often I see organisations who have ended up with documentation that is inappropriate for the way they work. Large, bulky manuals full of technical information. Documents that are inconsistent and in different formats and layouts. Documents are written for an external assessor rather than for the a practical business process. The result is clear. People don’t bother to read or use them. And this means the resulting business practices become non compliant and out of control. Security risks therefore, will increase dramatically.

Top Security Tips: documentation – Updated is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Beware of Bogus Agencies Acting as the ICO

Ralph O'Brien — Mon, 15 Mar 2010 12:00:22 +0000

Under the Data Protection Act 1998, anyone who processes personal data has a legal obligation to “notify” the Information Commissioner’s Office (ICO) they are doing so. In fact it is a criminal offence not to notify, or to fail to keep the ICO up to date with any changes to the way an organisation processes personal data.

Beware of Bogus Agencies Acting as the ICO is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

ISO27001: Getting The Staff On Board

Phil Hare — Wed, 17 Feb 2010 15:01:03 +0000

Ever watched a presentation that’s left you with the feeling that it was an hour of your life you’ll never get back? Ever sat in a room full of people that are just two PowerPoint slides away from screaming “None of this matters!” before defenestrating themselves? Have you ever had to present to a room full of people like that? People who have so little interest in you or your subject that they’ve had to resort to stabbing their own leg with a biro just to stay awake?

ISO27001: Getting The Staff On Board is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Business vs. The Weather: The Availability Problem

Phil Hare — Tue, 22 Dec 2009 15:35:29 +0000

Recently my neck of the woods has been taking a bit of a beating from the weather gods. First it was the rain, which flooded part of the town I live in and all but destroyed a couple of towns nearby. This week it’s been snow, which has reduced the main roads in and out [...]

Business vs. The Weather: The Availability Problem is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

ISO27001 and the SME: do not be afraid

Phil Hare — Wed, 16 Dec 2009 09:22:39 +0000

Ultimately, the route any SME chooses to take for information security is the decision, and responsibility, of the stakeholders. Just remember: you do have options, and there are firms like IT Governance out here to help, in whichever way suits your business best.

ISO27001 and the SME: do not be afraid is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

Information Security: No cowboys please

Phil Hare — Mon, 07 Dec 2009 09:16:41 +0000

There are some things that make me grind my teeth with despair. People who seem to think that everyone in the train carriage will appreciate the music on their phone, for example, or the grammar checking function on my word processor that's convinced it knows better than I do. Oh, and companies that trade on the reputation of international standards, without actually complying with them. I admit, that last one's probably a bit more specific to me than the other two.

Information Security: No cowboys please is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.

The case for EN 16001

Nick Orchiston — Tue, 01 Dec 2009 10:09:22 +0000

Strategic approach to energy management: EN 16001 In today’s highly volatile and competitive market place energy costs have assumed a greater significance. With rising fuel costs, open markets in gas and electricity and new government climate change policies, no organisation can afford to be complacent in managing its energy efficiently. Evidence shows that adopting structured [...]

The case for EN 16001 is a post from: IT Governance Blog on IT governance, risk management, compliance and information security.