Posts Tagged ‘Information Security’

Preparation, Preparation and More Preparation – The Key to Passing CISSP

May 17th, 2013

The (ISC)² CISSP certification is recognised as the premier qualification for a senior career in information security. At first sight, preparing for the CISSP exam seems straightforward, although many candidates find the huge amount of information associated with the 10 CBK Domains and a 6-hour examination a daunting prospect. Our training team regularly receives calls from desperate individuals who feel they have left their preparation too late!

CISSP Exam Preparation training courses were conceived to meet this need, but with so many courses available on the market, how can CISSP exam candidates choose one that will actually help?

At IT Governance, we launched our innovative CISSP Accelerated Training Programme about 18 months ago. Although we were not first to market, we started by talking to our customers about their CISSP experiences and reviewing the existing CISSP exam preparation books and courses. This confirmed that candidates who attended a pre-exam training course were more successful, particularly if the course focused on improving knowledge in the CBK Domains that they were struggling to understand.

By listening to our customers, we developed a training programme that includes a Pre-course CISSP Knowledge Assessment that determines the strengths and weaknesses of each candidate’s current knowledge. Our trainer then uses this assessment to prepare an individual Pre-course Study Plan, which is incorporated into the subsequent 5-day classroom training session.

>> Find out more about how our Pre-course Knowledge Assessment can help you achieve a first time pass in the CISSP exam 


HR – the secret information security weapon

May 17th, 2013

The recent Information Security Breaches Survey (ISBS), commissioned by the Department for Business, Innovation and Skills, dished up some eyebrow-raising statistics on the increasing number of information security breaches.

For example during the past year, large organisations reported an average of 113 security breaches (up from 71 in the previous year).

HR departments can play a key role in encouraging professional development amongst IT staff to counter this growing threat to information security.

Choosing the right training and qualifications

For HR professionals looking to support professional development our new, free ‘Information Security Qualifications – Fact Sheet’ provides a clear overview of a wide range of qualifications.

This straightforward paper will help you to decipher the difference between a whole range of qualifications, including CISA, CISM, CIS F, CIS LA and CIS LI.

Once clear on the qualification options, creating a professional development plan that builds in-house expertise, reduces the risk of security breaches and demonstrates a clear commitment to employee development will be a doddle.

>> Find out about the certifications available through our training courses

Cyber security professionals shortage in India

May 9th, 2013

Earlier this month the Times of India reported that India is currently in need of an additional 55,000 certified cyber security professionals by 2015 to protect its IT infrastructure.

The number of certified cyber security professionals in India is currently only 22,000. When you consider that 42,000,000 Indians fall victim to cyber crime each year and 85% of all Indian websites have been hacked, it’s clear that the skills gap is both an emergency situation and a huge opportunity for those with the right skills.

Professionals with expertise in information and cyber security will find themselves in high demand.

Take advantage of India’s booming cyber security industry

Tools to become better at ISO27001

IT Governance is the leading supplier of books and tools relating to IT governance, risk and compliance. Our materials are designed to help students and practitioners develop the skills and knowledge they need to be effective professionals.

ISO 27001 is the international best practice standard for information security management. By achieving compliance with ISO 27001, organisations put in place a systematic, auditable process for managing the risks to their information and systems.

Information Security Risk Management for ISO27001/ISO27002


Described as “an essential resource for any information professional” this book gives detailed and practical ISO 27001 guidance to show you how to ensure business continuity, minimise risk and maximise return with ISO 27001.

Price:$10.00


ISO27001 Certified ISMS Lead Implementer online


Become a certified ISO 27001 Lead Implementer with this three-day training course that you can join from anywhere in the world. Learn from ISO 27001 expert Alan Calder as he delivers real-time, interactive classes teaching you to implement ISO 27001 in your organisation.

Price:$995.00


ISO27001/ISO27002 A Pocket Guide


Are you new to ISO 27001? This pocket guide offers the ideal introduction to information security standards, what they are and why you should care.

Price:$5.00


The Case for ISO 27001


Understand why you should implement ISO 27001 and the benefits it can bring. This book gives a detailed explanation of what ISO 27001 can do for you.

Price:$10.00


Standalone ISO 27001 ISMS Documentation Toolkit


Have you already started, or are you about to start, an ISO 27001 project? This toolkit will help you complete it as quickly and easily as possible. Purchase all the necessary ISO 27001 documentation and save yourself hundreds of hours of work.

Price:$420.00


Browse our complete range of ISO 27001 books on our website >>


The Boardroom Cyber Watch Survey Needs Your Opinion

May 9th, 2013

IT security isn’t just a problem for the IT department; it’s a problem for the whole organisation.

With security being high on the senior management’s priority list, why is it that 87% of small businesses and 93% of large organisations across all sectors experienced a breach in the last year according to the 2013 ISBS report?

In an attempt to shine fresh light on how company directors, board members and IT Professionals perceive IT security we have created the Boardroom Cyber Watch 2013 Survey.

For your chance to win an Amazon Kindle Fire and to receive a free copy of the IT Governance report on company directors and IT security, please complete our short survey. It’s multiple-choice and should take just 2 minutes to complete.

This survey is open to Company Directors, Board Members and IT Professionals.

Your opinion counts – take part in the survey here:

www.surveymonkey.com/s/boardroomcyberwatch2013

InfoSec 2013 & ISO 27001: Your Questions Answered

April 29th, 2013

Following a successful InfoSec Europe 2013 at Earls Court, London, Steve Watkins (Director, Trainer and Consultant at IT Governance Ltd) reflects on the most popular enquiries relating to ISO 27001 …

ISO 27001:2013?

Key questions and answers:

  • When is the new ISO 27001 coming out?
  • What changes are there to the control framework?
  • What will it mean for our ISMS/certification?

Back in January, IT Governance’s CEO, Alan Calder, issued some information on the Draft International Standard that was put out for public consultation.

I blogged about the latest news prior to the exhibition and what a new standard would mean for those with certification. Nothing has changed as of yet, and if you are considering ISO 27001 there is little point in delaying your project. We will share any news when it arrives, so keep up with the latest on Twitter (@ITGovernance and @swatty70) – watch this space!

ISO 27001 for SMEs?

A number of visitors were asking about an Information Security Management System (ISMS) standard for SMEs, suggesting that ISO 27001 is not suitable for small organisations.

There are other models and frameworks available such as IASME and the HM Government/BIS’s 10 Steps to Cyber Security, however these are not comparable to accredited certification, yet.

I maintain that ISO 27001 can be applied to small organisations and work really well for them (see the Eagle and Ascensus case studies as examples), and that it is the approach used by those claiming it is not applicable that does not suit.

Is there an ISO 27001-equivalent standard specifically for the UK?

Not yet, and technically there will not be. However, the draft of PAS 555 – the “Cyber security risk – Governance and management – Specification” – came out for public consultation in late 2012/early 2013 and my guess is that it will become the default qualification criteria for UK businesses looking to supply the public sector. It will of course take a while for any form of third-party certification scheme to establish itself, but in the meantime (guess what?) ISO 27001 is a good starting point and an ISMS that reflects that can certainly encompass PAS 555 compliance.

And finally the most popular query regarding training …

Which is the best course, the ISO 27001 Lead Auditor or ISO 27001 Lead Implementer?

Unsurprisingly, it depends on what you are looking for from a training course/qualification. The Lead Auditor certificate still has the greater degree of traction with potential employers, arguably for all the wrong reasons – it is actually the ‘Lead Implementer’ course that is designed to give a delegate the knowledge to be able to manage a successful ISMS/27001 certification project. The Lead Auditor should provide the delegate with the means to conduct audits on other organisations; I say ‘should’ as some of those I have seen concentrate more on enabling the delegates to pass the end-of-course exam as opposed to developing audit skills! The Lead Auditor course also gives an insight into what a competent auditor from a client or certification body should be looking for if/when they come calling. (For the record, the IT Governance Lead ISMS Auditor course has always been positioned to develop the candidates’ audit skills to enable them to conduct an effective audit of an organisation’s ISMS using ISO 27001 as the framework and, in doing so, enable them to pass the exam also – a slight, but important difference!)

Free fact sheet demystifies information security qualifications

April 29th, 2013

Don’t know your CISMs from your CRISCs? Our new fact sheet will help you gain some clarity.

“Information Security Qualifications – A Fact Sheet” is the latest in a series of new titles in development, designed to help customers understand their IT GRC problems and solutions.

As austerity continues to bite in many western economies, organisations in both the private and public sectors are seeking ways to decrease budgets and make savings. In this green paper, IT Governance explains why it’s more important than ever to ensure employees are trained and knowledgeable to maintain a standard of efficiency and competitive edge.

The paper then goes on to explain and compare the various information security qualifications available.

IT Governance’s Green Paper library now contains 30 downloads covering subjects as diverse as information security, project governance, green IT and social media. They combine the expert subject-matter knowledge of IT Governance’s consultancy team with an understanding of customers’ frequently encountered problems to create value-adding, useful documents for information security professionals and business practitioners.

The free green papers can be downloaded from the IT Governance website at: www.itgovernance.co.uk/green-papers.aspx.


Hacktivists: when the threat from outside and the threat within meet

April 26th, 2013

Earlier this week, Australian police announced they had arrested 24-year-old Matthew Flannery (known online as Aush0k), who claimed to be the leader of the ‘hacktivist’ group LulzSec. Although the group supposedly disbanded in 2011, Flannery has been charged with two counts of hacking into computer systems and faces up to twelve years in jail.

The LulzSec group, renowned for their love of memes (especially Nyan Cat, a cartoon cat with a Pop-Tart body) and hatred of Justin Bieber and Rupert Murdoch, have slowly been unmasked one by one – largely thanks to a seven-month undercover investigation.

In less than a year they were able to achieve global renown by attacking some of the internet’s highest profile websites and celebrities. Their exploits included:

  • Accessing the user database of both Sony and SEGA
  • Replacing the homepage of PBS with Nyan Cat, then using their news pages to state that rapper Tupac is alive and well in New Zealand
  • Launching huge DDoS (Distributed Denial of Service) attacks against government bodies in the USA, UK and Brazil
  • Hacking the website of The Sun, claiming Rupert Murdoch had died, then redirecting the website to Lulzsec’s own twitter feed

Hacking groups such as LulzSec and Anonymous pose a serious threat to organisations.

Although their anger is generally directed at large organisations they view as infringing personal freedoms, these hacking groups demonstrate how sophisticated ‘informal’ hackers have become. Hacking is no longer the sole preserve of organised criminals working for profit, or of computer geeks who never leave the house.

Around the world there are teenagers and aggrieved twenty-somethings for whom hacking is a hobby. They share information on shady internet forums, learning from one another until they collectively are able to access some of the most secure computer systems around.

Then they go to work for Information Security companies (in the case of Matthew Flannery, at least).

Organisations must be aware of the threats they face, both externally and from within. Employees must be subject to sensible and robust security procedures, and all systems must be hardened against both internal and external cyber attacks.

IT Governance has just released a new green paper briefing for organisations in the Asia-Pacific region on Information Security and ISO 27001 – the international best practice standard for information security management systems.

To download your copy for free, simply visit our website »

The growth of cyber security

April 25th, 2013

The biggest event in the world of UK information security is just coming to an end for another year, at Earls Court in London.

Infosecurity Europe is an opportunity for the major players in the areas of IT governance, risk and compliance to get together to share ideas, network and compare freebies (there are still a couple of hours to pop by stand F98 for a free £5 voucher, a 15-minute consultancy surgery and, if you ask nicely, perhaps some sweets too).

But, just opposite our stand, there’s also been a busy programme of talks, lectures and seminars with some of the leading experts on information security taking the time to share their wisdom.

Chloe Smith’s Keynote Speech

Yesterday, Chloe Smith, UK minister for political and constitutional reform, gave her keynote speech outlining the government’s commitment to taking information security seriously.

She focussed not only on the enormous threats posed by cyber criminals (apparently 33,000 malicious emails are intercepted by the government’s secure gateway each month) but also the huge opportunity it presents for UK companies.

The cyber security industry is worth £3.8 billion each year to the UK economy, with the sector employing 26,000 people in 2,380 companies. Industry growth is expected to be double that of the ‘traditional’ security world.

This is excellent news for those in the industry.

Cyber security is key, not only to the 2,380 companies directly attached to it, but also to any company that relies on electronic communication, ecommerce, card payments, cloud technologies, social media, mobile storage devices, etc. Cyber security affects everyone – and qualified cyber security professionals are already in very high demand.

Get ahead with IT Governance

IT Governance runs the world’s first certificated programme of ISO27001 education (ISO27001 being the leading information security management standard). We offer a structured learning path from Foundation to Advanced level in ISO27001, as well as courses in other cyber security disciplines including PCI DSS and the Data Protection Act (DPA).

To read Chloe Smith’s keynote speech in full, visit the Government Speeches website: https://www.gov.uk/government/speeches/chloe-smith-keynote-speech-at-infosec-2013

CISMP – the perfect start to an information security career

April 24th, 2013

Looking for a qualification that demonstrates a broad understanding of information security management? You should consider CISMP – the Certificate in Information Security Management Principles (to give it its full, rather snappy title).

What is CISMP?

CISMP is a foundation level qualification, awarded by the British Computer Society (BCS). It provides an ideal basis upon which more technical or advanced level qualifications can be built as your career progresses.

What does CISMP cover?

CISMP demonstrates an understanding of key principles in the following areas of information security management:

  • Management controls
  • Technical controls
  • Risk management
  • Legal frameworks
  • People and physical security
  • Standards including ISO 27001
  • Business continuity

BCS accredited trainers are key to CISMP success

To add CISMP to your C.V. you have to pass a two-hour exam. BCS reports that exam candidates attending a training course provided by a BCS accredited training organisation (ATO) achieve a notably higher pass rate than those who self-study.

IT Governance has been approved by BCS as an accredited training organisation for the CISMP – Certificate in Information Security Management Principles course. This five-day classroom course covers all aspects of the BCS syllabus and is delivered by an experienced, BCS-qualified trainer.

>> Join us on the next course and jump start your career.

Vigilant Software updates the information security risk assessment tool vsRisk

April 24th, 2013

Vigilant Software has updated its information security risk assessment tool vsRisk™, which is distributed by IT Governance EU.

vsRisk 1.7 features various enhancements that permit an even faster and more fluid experience for organisations wishing to carry out information security risk assessments.

The only risk assessment tool in its price range to integrate out of the box with an ISO 27001 management system, vsRisk 1.7 also allows users to carry out an automated, robust and extensive cyber security risk assessment of their organisation’s assets, compliant with ISO 27001. In addition, vsRisk 1.7 follows the risk assessment methodology set out in ISO 27005, the standard that supports the risk assessment requirements of an information security management system as defined by ISO 27001.

Aimed at those responsible for information security risk management, vsRisk 1.7 has many benefits, including assessing the confidentiality, integrity and availability of information. vsRisk 1.7 is an ideal tool for IT managers, risk managers, assessment officers, information security consultants, chief technology officers, chief information officers, auditors, certification body assessors, information security officers, IT compliance analysts and systems engineers.

There is a 15-day free trial of vsRisk. Download a free trial >>
