- What is a Risk Register?
A risk register is, in its simplest form, a log. It can take many forms, from very simple to massively complex, but fundamentally it is where you record your risks so that you understand your current risk landscape. Be aware that it will take a few passes to capture everything (and you’ll probably still miss things).

Purpose of a Risk Register

The main purpose is to document your risks and the actions taken to minimise them. This is a core way to satisfy the expectation of most legislation that you have applied due care and due diligence in your cyber security efforts to protect your clients’ data as well as your own valuable information. Documenting allows you to prioritise your risks, ensuring that the ones that could impact your business most are focused on.

Key Aspects of a Risk Register

Risk registers can be designed in various ways, from simple to massively complex, with multiple scoring vectors beyond the standard impact and likelihood. But they should all have the following:

Risk detail – what is the risk?
Risk assessment – what is the impact and likelihood of the risk?
Risk treatment – what is the plan of action? It can be to do nothing.
Risk ownership – who takes responsibility?

And what a lot of people miss:

Risk monitoring and review – how do you know the controls are working now and will still be working in the future?

Creating and Maintaining a Risk Register

Once you have defined your risk register, you must add risks. The first step is to identify the risk. Don’t think of risks as things you have missed; when you start this process, just document risks that could affect you, without thinking about the controls you already have. A good example of this is malware: almost every business will have some form of anti-malware, but malware is always a risk. New malware is released daily, so the threat is always present, even if the risk is low because of your anti-malware controls. Closed risks should be reviewed using the same principles.

However, the threat landscape changes, and what worked at the point of treatment may no longer be enough. This is why routine review and monitoring are important.

Best Practices for Utilising a Risk Register

Once you have created your register, here are some good practices to follow to ensure it brings value to the business in the long term:

Routine reviews – Risk assessment is not a one-time process but a continuous review. Risks change, controls fail, new risks occur and old ones re-occur.
Get the right people involved – Risk shouldn’t be left to a single individual. It may be managed by one person, even in large organisations, but it needs to involve key people, especially risk owners.
Risk is a leadership issue – Ensure that risk is presented to the leadership, and ideally they should be represented as owners of key business risks.
Training and awareness – Make sure everyone involved in risk is trained to understand the process and the expectations on them, which ultimately brings buy-in.

Having a good risk management strategy (read more here) and a well-defined risk register (download one for free here) is vitally important to all businesses.
- Implementing ISO 27001 - what to expect from the external audit
So, previously we looked at how to get started on your 27001 project and followed up with the steps to follow when implementing ISO 27001. We glossed over some of the nuances around implementing particular controls, and with good reason: every business can implement controls differently. There is an extensive spectrum of what is considered ‘okay’ for 27001; however, how diligently you implement those controls really comes down to your business’s risk appetite.

Let’s move on to understanding what the external audit process looks like when implementing ISO 27001. All certification audits follow a standard format, and I’ll try to break down the expectations for you.

The first thing to note is that there could be a significant lead time to book your audit, so make sure you plan ahead. Picking a company to audit your business is no different from choosing a supplier for any other service. Speak to a few of them and get a gut feeling for whether they are a good fit for your organisation. Some are more expensive than others, and some auditors tend to be more pragmatic. Get some quotes and ask for lead times.

Once you’ve picked your auditing company, they will typically want to arrange dates for the first part of your audit. Certification audits are divided into two separate audits: the first is called Stage 1, and the second is Stage 2. So, what’s the difference?

Stage 1 audits look at your ISMS readiness. The auditor will want to check that the ISMS you have built meets all of the standard’s requirements stated in clauses 4-10. This is why, in my original blog, I recommended you purchase the standard: it states precisely what is required. The difficulty comes in interpreting the written words into something tangible that you can evidence. The auditor’s job is to tease out of you how you’ve gone about implementing each of those clauses and to make sure it’s been understood correctly.

In my experience, the majority of the audit time is spent understanding how you have managed risk: which risks have you logged, and which controls have you decided to implement in order to build your Statement of Applicability? At this stage there should not be much emphasis on how you have implemented the controls; the auditor should be more interested in how you determined which controls are relevant. There does tend to be some scope creep here, and plenty of auditors will want to see examples of control implementation. Don’t be surprised if it happens, but as you’re well prepared, you can answer any questions they might have at this stage.

What else will I have to evidence other than risk? Well, you will need to prove you have an effective internal audit plan; they will want to understand and see evidence of how you are managing non-conformance and continual improvement, as well as how you are monitoring the performance of your ISMS and completing the appropriate management reviews.

That sounds difficult. What happens if I miss something? There are a few possibilities. Missing something significant can result in termination of the audit. Honestly, I’ve never seen this, and if you’ve done enough due diligence beforehand, it is pretty unlikely. The other scenario is that you will receive a minor non-conformance or an improvement request at the end of the audit. You will then have some time to fix whatever the issue was prior to your Stage 2 audit. Don’t be annoyed if you pick up some level of non-conformance. It happens; people are human, and small mistakes can happen. Just make sure it’s resolved prior to your Stage 2.

So, what happens in the Stage 2 audit? This is where you get to show the auditor how you have implemented the controls in your Statement of Applicability. These are usually show-and-tell sessions where the auditor will ask you to explain how you did something and then ask you to demonstrate what you did.

Evidence is key here. Do you have the signed contract for the new starter? A helpdesk ticket for setting up their new accounts that you can show the auditor? Some proof that they have read your policies? Can you provide evidence that their laptop was built correctly, that is, that it has appropriate disk encryption and anti-virus deployed? These are all examples of what they might want to see. Remember, there are over 90 controls to choose from, and each one will need to be evidenced where possible.

What happens if I can’t evidence a specific control? Good question! Some controls are more challenging to evidence than others. If you have an incident response plan but have had no incidents, then you can’t have proof that the plan is followed. This is normal. You can’t fail for not being able to positively evidence something.

Your auditor will now spend a number of days collecting evidence. They have a few different findings they can record against each control that you have marked as applicable:

Compliant – everything is implemented as described and is okay.

Opportunity for Improvement – it is possibly meeting the requirement, but adding some additional level of control may provide some benefit. The auditors have to be careful here, as they are not allowed to consult whilst conducting audits. You may also get some informal or ‘off the record’ advice. Take it positively and decide whether or not you want to implement any of those changes. You’re under no obligation to implement any opportunities for improvement.

Minor Non-Conformance – the control didn’t quite hit the mark. Something was missed, or a step in a process wasn’t followed. There can be loads of reasons for picking these up. Some examples might be that your asset register was missing a device, or perhaps your supplier register was missing a supplier. Any minor non-conformance will need to be resolved and evidence sent to the certifying company before you are issued with a certificate.

Major Non-Conformance – you missed something big. The wording in the standard is that there is a material breakdown in the ISMS. Some examples might be: no one has had any information security training; there is no asset register; none of the documents in your ISMS is version-controlled and changes are made to them without any appropriate procedure being followed; or perhaps you have not completed any management reviews. A major non-conformance may cause an auditor to end the audit, so it pays to make sure everything is in place when implementing ISO 27001, before a Stage 2 audit takes place.

Conclusion

Audits always feel scary. The fear of the unknown can be enough to put anyone off. Don’t let it, though. Most auditors are really friendly and will work with you so you can provide positive evidence. If you think you want some assistance, we can help. That can either be sitting in the audits with you or working through a pre-audit scenario to give you the confidence that you have everything you need to sit the audit by yourself.
- Simple Strategies for Achieving PCI-DSS Compliance
Any organisation that processes card payments must comply with the Payment Card Industry Data Security Standard. Want more details on PCI-DSS? Read our intro here. It can be difficult to know where to start, so here is a brief guide to the steps to becoming compliant.

Understanding PCI-DSS

Before delving into the strategies, let's briefly understand what PCI-DSS entails. PCI-DSS is a set of security standards to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Developed by major credit card companies like Visa, Mastercard, and American Express, PCI-DSS consists of 12 high-level requirements, divided into numerous sub-requirements, covering network security, data protection, and vulnerability management.

Simple Strategies for Compliance

Know Your Scope: Understanding the scope of your cardholder data environment (CDE) is fundamental to PCI-DSS compliance. You need to identify all systems, processes, and people that interact with cardholder data. By clearly defining your CDE and mapping out the flow of card data throughout your organisation, you can focus your efforts and avoid any unnecessary complexity that might make achieving compliance more difficult and costly. Read our scoping guide here.

Conduct Regular Assessments: Regularly assess your systems and processes for compliance with PCI-DSS requirements. Conduct internal audits and vulnerability scans to identify and address any weaknesses promptly. These assessments help maintain compliance and enhance your overall security posture.

Secure Cardholder Data: Implement robust security measures to protect cardholder data throughout its lifecycle. This includes encryption of data both in transit and at rest, restricting access to cardholder data on a need-to-know basis, and ensuring secure storage and removal of any sensitive account information.

Implement Strong Access Controls: Limit access to cardholder data to only those who require it to perform their job responsibilities. Enforce strong authentication measures such as unique IDs, passwords, and two-factor authentication to prevent unauthorised access.

Maintain Secure Networks: Secure your network infrastructure by implementing firewalls, intrusion detection systems, and regular monitoring. Segment your network where necessary to isolate cardholder data from other, less sensitive systems, thus narrowing the scope required for compliance and reducing the risk of unauthorised access to card data.

Regularly Update and Patch Systems: Keep your systems and software up to date with the latest security patches and updates. Attackers often exploit vulnerabilities in outdated software to gain unauthorised access to systems and compromise data.

Educate Employees: Train your employees on security best practices and their roles and responsibilities in maintaining PCI-DSS compliance. Awareness programs help foster a culture of security within the organisation and empower employees to identify and report potential security threats.

Implement Incident Response Plans: Develop and test incident response plans to respond effectively to security incidents and data breaches. A well-defined incident response plan can minimise the impact of breaches and facilitate swift recovery while ensuring compliance with regulatory requirements.

Engage with PCI-DSS Experts: If your organisation lacks the necessary experience or resources, consider seeking assistance from qualified PCI-DSS experts. They can provide guidance, conduct assessments, and help streamline compliance.

Stay Informed and Adapt: PCI-DSS is not a static standard; it evolves to address emerging threats and vulnerabilities over time. Monitor online resources to stay informed about updates and changes to the standard, and adapt your security measures accordingly to ensure ongoing compliance.

Conclusion

Achieving compliance with PCI-DSS may seem daunting, but by breaking it down into manageable steps and implementing simple yet effective strategies, businesses can successfully meet the standard's requirements while enhancing their overall security posture. Remember, compliance is not just a checkbox exercise but a continuous effort to safeguard sensitive financial data and maintain customers' trust. By prioritising security and adopting a proactive approach, businesses can confidently navigate the complexities of PCI-DSS compliance.
- What is PCI-DSS?
In today’s digital age, where online transactions have become an integral part of everyday life, ensuring the security of payment card data is critical for businesses. The Payment Card Industry Data Security Standard, or PCI-DSS, is a security standard designed to protect payment card data and prevent fraud. This article will examine what PCI-DSS is, why it is important, and how your business can achieve compliance with the standard.

PCI-DSS is a set of security standards established by the PCI Standards Council and major credit card companies like Visa and Mastercard. The primary goal of PCI-DSS is to secure payment card data and prevent unauthorised access, fraud, and data breaches. It applies to all organisations that store, process, or transmit cardholder data, regardless of size or the number of transactions they process.

The Importance of PCI-DSS

Ensuring compliance with PCI-DSS is essential for several reasons:

Protecting Cardholder Data: PCI-DSS helps businesses safeguard sensitive cardholder data, including credit card numbers, cardholder details and sensitive authentication data, from theft or unauthorised access.

Preventing Fraud: By implementing PCI-DSS controls and best practices, businesses can significantly reduce the risk of payment card fraud, protecting their customers and their reputation.

Maintaining Trust: Compliance with PCI-DSS demonstrates a commitment to security and trustworthiness, enhancing customers’ confidence in your business and encouraging them to continue transacting with you.

Avoiding Penalties: Non-compliance with PCI-DSS can result in severe consequences, including hefty fines, legal liabilities, and damage to reputation. Compliance helps businesses avoid these penalties and their associated costs.

Understanding the PCI-DSS Requirements

PCI-DSS consists of twelve high-level requirements, organised into six control objectives. These requirements cover various aspects of security, from network security, access control and encryption to physical access controls, logging and monitoring, as well as documented organisational policies and procedures for handling sensitive card data. Here’s a brief overview of the PCI-DSS objectives:

Build and Maintain a Secure Network and Systems: This includes installing and maintaining firewalls and ensuring secure configurations are used on all system components that process or store card data.

Protect Account Data: Businesses must protect any stored cardholder data appropriately and use strong encryption during transmission over public networks.

Maintain a Vulnerability Management Program: This involves regularly updating and patching systems, conducting vulnerability scans, and addressing any vulnerabilities that are found. Systems should be protected with anti-malware, and software development must be done securely.

Implement Strong Access Control Measures: Access to cardholder data should only be allowed for those in the business with a legitimate need to know. Each user should be identifiable with a unique ID, and their access should be regularly reviewed to ensure it’s appropriate. Physical access to card processing facilities should also be restricted and monitored.

Regularly Monitor and Test Networks: Continuous monitoring of network activity and security controls is essential to detect and respond to security incidents promptly. You should also conduct regular security testing, including penetration testing and wireless scanning, where appropriate.

Maintain an Information Security Policy: Establishing and maintaining a comprehensive security policy that addresses all aspects of PCI-DSS compliance is crucial. This includes educating employees about security best practices, implementing incident response procedures, and ensuring compliance with any applicable local laws and regulations.

About SAQs and Scoping

The majority of businesses will be able to self-assess their compliance with the standard using a Self-Assessment Questionnaire (SAQ). There are several of these, and the one you will need to complete depends on how you process and/or store cardholder data. For example, if you are an e-commerce business that completely outsources all card processing, you may only need to use SAQ A, which will mean that many of the controls in the standard won’t apply to you. If you’re using your own internal systems to process payments and have a more complex setup, you may need SAQ D, which contains hundreds of questions and can take a significant amount of time and resources to complete.

When starting your compliance project, defining an accurate scope by identifying all card processing systems and their data flows is the critical first step, as this will help you determine which SAQ applies and reveal how much work you will need to do to become compliant. Look out for more in-depth information on scoping and SAQs in future articles.

Achieving PCI-DSS Compliance

Achieving and maintaining PCI-DSS compliance requires a concerted effort and an ongoing commitment to security. Here are some steps businesses can take to achieve compliance:

Assess Your Current Security Posture: Start by conducting a thorough assessment of your current security practices and infrastructure to identify areas that need improvement to meet PCI-DSS requirements.

Implement Necessary Controls: Implement the security controls and measures outlined in the PCI-DSS requirements as they apply to your particular situation.

Train Your Employees: Educate your employees about PCI-DSS requirements and security best practices to ensure they understand their roles and responsibilities in maintaining compliance.

Regularly Monitor and Audit: Establish processes for ongoing monitoring, logging, and auditing of security controls to detect and respond to security incidents promptly. Conduct regular internal and external security assessments to ensure compliance.

Stay Informed and Up-to-Date: Keep abreast of changes to the PCI-DSS standard and of evolving security threats and best practices. Continuously evaluate and update your security measures to adapt to new challenges and requirements.

Conclusion

PCI-DSS plays a critical role in ensuring payment card data security and preventing fraud in today’s digital landscape. Compliance with PCI-DSS is a fundamental aspect of maintaining trust with customers and protecting your business from financial and reputational harm. By understanding the requirements and implementing appropriate security controls and measures, you can enhance your business's security posture and mitigate the risk of data breaches and fraud.
- What is the difference between a risk assessment and a Risk Register?
A risk assessment is the process of identifying, scoring and treating risks; a risk register is where you record the assessment. The assessment method should be a repeatable process that allows you to score risks consistently, so that your defined acceptance criteria can be used to make decisions on how to treat risks. The register should log the key information garnered from the process to help make those decisions.

Understanding Risk Assessment: Process and Objectives

To make your risk assessment effective, your process is key. The approach should be well defined to ensure consistent results; this makes it easier for the business to prioritise identified risks and ensures that the response is appropriate.

Quantitative or Qualitative

As part of your analysis, you will use a quantitative or qualitative scoring system. Where possible, quantitative scoring should be used, but unfortunately it is difficult to apply because the process demands exact figures: quantitative scoring uses numbers to define the actual value of a risk. A simple example is an e-commerce platform that can be valued operationally by how much revenue it generates. Qualitative scoring, on the other hand, is more of a finger-in-the-air type of measurement, and this makes it all the more important to make at least one person the chief finger-in-the-air holder to maintain consistency.

The Process

These are the key steps in a risk assessment.

Identification of Risks: Risks can come from internal and external sources and are often identified through risk workshops, events, and incidents, as well as by looking at the ever-changing landscape.

Risk Analysis: Once identified, risks need to be assessed for their likelihood and potential impact on the business. This will most likely use qualitative scoring, depending on the data available.

Risk Evaluation: Once analysed, you can start to prioritise risks based on their risk level, allowing you to focus on highly impactful and highly likely risks first.

Risk Treatment: Now that you have evaluated your risks and determined their level, appropriate risk treatment measures are identified and implemented to mitigate or manage them effectively. This may include risk avoidance, risk transfer, risk reduction, or risk acceptance, depending on the organisation's risk appetite and available resources.

Monitoring and Review: Finally, the risk assessment process is an ongoing activity that requires regular monitoring and review. Risks should be reassessed periodically to ensure that mitigation measures remain effective and to identify any new or emerging risks that may require attention.

Getting Risk Assessments Right

These are the 5 key things I would do to ensure that you get the best value out of your risk assessment process.

Define your assets: What are you trying to protect?

Define stakeholders (risk owners): Involve the key people who can make decisions on risk mitigation.

Create a risk team or key risk person: Depending on the size of your business, have a consistent person or team manage the risk register and risk assessment process, as this creates consistency.

Review often: While risks are open, you should be checking in as often as is sensible. Monthly is a good baseline, but if something is going to take 6-12 months (or longer), you may want to review quarterly and shorten the interval as the deadline gets closer.

Keep it simple: When you first start your risk journey, make the process as simple as possible while still being effective. It doesn't need to be complex to bring value.

Need a risk register? Download a simple, usable, pre-populated one here.
- Does a company need a risk register?
Regulatory Requirements for Risk Management

Risk management is a common expectation of most governance and compliance systems, and I am a firm believer that it is the fundamental process in security management. If you understand the potential threats and vulnerabilities that can affect your business, you can be proactive in your defence. A great example of this is a General Data Protection Regulation (GDPR) Data Privacy Impact Assessment, which is a risk assessment by any other name: a review of potential risks that could impact the privacy of future data processing operations.

So officially, although there will be some companies that don’t need one, the vast majority of companies would need a risk register of some kind for compliance. I recommend you have one regardless; the complexity of that register is up to you. A risk register can be used in several places, most commonly as a general risk register and as independent project registers.

Benefits of Having a Formal Risk Register

As part of documenting your risks, you also document your remediation activities and long-term monitoring. Risks rarely stop being risks, so having good monitoring to validate that your controls are working, and knowing how you previously remediated them, means that if they do re-occur you have a good record of your approach to remedying them last time. Risk metrics are also good indicators of your overall security posture, since when you start the process you should document risks regardless of whether you think you have mitigated them or not; most businesses will have common risks, such as virus infection, that form a great starting point.

Risks of Not Implementing a Risk Register

The biggest problem with not implementing a risk register and an overall risk management process is that it removes the ability to truly focus on your key vulnerabilities. I have witnessed numerous organisations spending significant sums on the wrong things on the strength of a vendor's sales pitch.

Risk Assessment Process

Along with your risk register, you will need a robust risk assessment process to ensure consistency in your approach to managing risk. Learn more about risk management and assessments from our other articles about risk: What is Risk Management? and What is the difference between a risk assessment and a Risk Register?

Need a risk register? Download a simple, usable example here.
- Implementing ISO 27001? Make sure to follow these steps
Following up on my previous blog, once you have created your Statement of Applicability, it’s time to start thinking about implementing changes to your business. Manage this in much the same way as you would any other project.

Create an Implementation Plan: Developing a comprehensive implementation plan is crucial for the successful implementation of ISO 27001. Start by outlining the specific tasks required to achieve compliance, such as conducting gap assessments, drafting policies and procedures, and implementing technical controls. Assign clear responsibilities to team members and set realistic timelines for each phase of the implementation process. Consider allocating adequate resources, both human and financial, to support the implementation effort effectively. Additionally, ensure that the implementation plan is flexible enough to accommodate any unforeseen challenges or changes in priorities that may arise during the process. People will be off sick, controls will be misunderstood, and people will have questions about how specific controls might need to be implemented.

Establish Information Security Policies: Information security policies are the foundation of your organisation’s ISO 27001 compliance efforts. These policies should reflect the organisation’s commitment to protecting sensitive information assets and outline clear guidelines for employees to follow. Take the time to tailor these policies to your business’s specific needs and risk profile, ensuring they address key areas such as data classification, access control, incident response, and employee responsibilities. Consider involving key stakeholders from across the organisation in policy development to ensure buy-in and alignment with business objectives. Don’t make them a thousand pages long; most importantly, ensure they say what you intend to do, not how you intend to do it.

Define Roles and Responsibilities: Clearly defining the team’s roles and responsibilities is essential for ensuring accountability during an ISO 27001 implementation. Identify individuals or teams responsible for leading different aspects of the implementation effort, such as project management, policy development, risk assessment, and technical implementation. Clearly communicate these roles and responsibilities to all relevant stakeholders and provide them with the authority and resources to fulfil their duties effectively. Regularly review and update these roles and responsibilities as needed to reflect changes in the implementation process or organisational structure.

Implement Controls: Implementing the controls identified in the Statement of Applicability (SoA) is a critical step towards mitigating identified risks and achieving ISO 27001 compliance. This involves deploying a combination of technical, administrative, and physical controls to protect information assets. Examples of controls include access control mechanisms, encryption protocols, security awareness training programs, and incident response procedures. Consider leveraging industry best practices and guidance from ISO 27002 when selecting and implementing controls relevant to your organisation’s risk profile. Do not implement 27002 verbatim, though. It is meant as guidance only, and a lot of the examples provided will not make sense to implement in your specific business.

Document Procedures and Processes: Documentation plays a central role in ISO 27001 compliance by providing a clear and comprehensive record of the organisation’s information security policies, procedures, and processes. Document all procedures and processes related to information security management, including policies, operational procedures, work instructions, and other relevant documents. Ensure that these documents are regularly reviewed, updated, and communicated to all relevant stakeholders.

Training and Awareness: Training and awareness programs are essential for ensuring that employees understand their roles and responsibilities in maintaining information security and complying with ISO 27001 requirements. Develop and deliver comprehensive training sessions that cover key topics such as security policies, procedures, best practices, and regulatory requirements. Consider leveraging a variety of training methods, including online courses, workshops, and interactive simulations, that cater to different learning styles and preferences. Additionally, you should promote a culture of security awareness by regularly communicating updates, reminders, and success stories related to information security within the organisation. Remember, this is YOUR training plan, though. Smaller organisations may need less training, and that is fine. There is never a requirement to buy a training tool, so don’t get sucked into purchasing one unless you’re confident it will add some value.

Monitor and Measure Performance: Establishing mechanisms for monitoring, measuring, and evaluating the effectiveness of implemented controls and processes is critical for maintaining ISO 27001 compliance over time. Implement regular internal audits, risk assessments, and performance reviews to identify any gaps or areas for improvement in the organisation’s information security management system (ISMS). Track key performance indicators (KPIs) such as incident response times, compliance rates, and training completion rates to gauge the effectiveness of implemented controls and processes. Use these insights to make data-driven decisions and continuously improve the ISMS to address emerging threats and evolving business requirements.

Management Review: Conducting regular management reviews is essential for ensuring that the ISMS remains aligned with the organisation’s strategic objectives and business priorities. Schedule periodic meetings with senior management to review the performance and effectiveness of the ISMS, identify areas for improvement, and make informed decisions about resource allocation and prioritisation. Ensure that management reviews are conducted in a structured and systematic manner, with clear agendas, objectives, and action items. Encourage open and transparent communication between all stakeholders to facilitate collaboration and decision-making. The members of your management review team should have been decided when you looked at roles and responsibilities earlier.

Continual Improvement: Continual improvement is at the heart of ISO 27001 and involves actively seeking out opportunities to enhance the effectiveness and efficiency of the ISMS over time. Foster a culture of continual improvement by encouraging feedback, innovation, and collaboration among all stakeholders. Regularly review and update policies, procedures, and controls to reflect changes in technology, regulations, and business requirements. Encourage employees to report security incidents, near misses, and suggestions for improvement, and establish mechanisms for capturing, prioritising, and addressing these inputs in a timely manner.

Now you’re just about there. It’s time to look at assessment. The next blog, which is all about assessment, will go live next week.
- PCI-DSS Compliance: A Guide to Scoping
So, your organisation processes payments by credit card. You know that you need to comply with the Payment Card Industry Data Security Standard (PCI-DSS) to protect cardholder data, prevent fraud and avoid the hefty penalties that come with a breach. But where do you start? The first and arguably most critical step is to accurately define your scope. This is how you find out which Self-Assessment Questionnaire you need to use to attest to your compliance, which specific controls apply to you and, therefore, how much time, effort and money it will take to become compliant with the standard.

Understanding PCI-DSS Scoping: Scoping is the foundation of PCI-DSS compliance, as it defines the boundaries within which cardholder data resides and where security controls must be implemented. A thorough scoping exercise identifies all systems, networks and personnel that interact with cardholder data and describes the flow of that data through your organisation. The key steps are:

Identify Cardholder Data: Begin by locating all instances of cardholder data within your organisation. This includes primary account numbers (PANs), cardholder names and expiration dates. Check for sensitive authentication data too (full track data, card verification codes and PINs): PCI-DSS does not permit it to be stored after authorisation, so finding any is a problem to fix rather than an asset to protect. Cardholder data turns up where you do not expect it; log files, database backups, e-mail attachments, spreadsheets and call recordings are common hiding places.

Map Data Flows: Trace the flow of cardholder data across your systems, networks and processes, from the point it is captured to the point it leaves your environment. This includes point-of-sale (POS) terminals, e-commerce websites, databases, payment gateways and any other system that handles cardholder information.

Determine System Components: Identify all systems and components that store, process or transmit cardholder data, plus anything connected to them or able to affect their security. This may include servers, workstations, databases, firewalls, routers and other network devices. Network segmentation is the usual way to keep the rest of the estate out of scope, but it only reduces scope if you can demonstrate (and periodically test) that it actually isolates the cardholder data environment.

Assess Third-Party Connections: Evaluate any third-party service providers or vendors that have access to cardholder data or are involved in payment processing. Confirm that their systems and processes also comply with PCI-DSS (an Attestation of Compliance from each provider is the usual evidence) and record which requirements they are covering on your behalf.

Define Scope Boundaries: Based on the above, define clear boundaries for the cardholder data environment (CDE). This delineates the systems, networks and personnel that fall within the scope of PCI-DSS compliance.

Document Scope and Rationale: Document your scoping decisions and the reasoning behind them, including why excluded systems are out of scope. This documentation is crucial for validation and future assessments, and the scope should be confirmed at least annually and whenever the environment changes.

Self-Assessment Questionnaires (SAQs): Once you've determined your scope, you'll need to select the Self-Assessment Questionnaire (SAQ) that matches your organisation's activities and processing methods. SAQs streamline the compliance process for merchants and service providers according to their level of involvement with cardholder data. Here's an overview of the SAQ categories and when they apply:

SAQ A: For merchants who solely process card-not-present transactions (e-commerce or mail/telephone order) and have fully outsourced all cardholder data functions to PCI-DSS validated third parties, retaining nothing more than paper reports or receipts. It is the least stringent SAQ.

SAQ A-EP: For e-commerce merchants that outsource payment processing to a third party and whose web server does not itself receive cardholder data, but does affect the security of the payment transaction (for example, it serves the page that redirects to, or embeds, the processor's payment form). A web server that handles cardholder data directly puts you in SAQ D instead.

SAQ B: For merchants who process cardholder data only through imprint machines or standalone dial-out terminals, with no electronic storage of cardholder data.

SAQ B-IP: Similar to SAQ B, but for merchants using standalone, PTS (PIN Transaction Security) approved payment terminals with an IP connection to the payment processor and no electronic account data storage.

SAQ C-VT: For merchants who key in one transaction at a time through a PCI-compliant third-party virtual payment terminal, accessed from an isolated computer with a secure internet connection, and who do not store cardholder data electronically.

SAQ C: For merchants who process cardholder data via payment application systems connected to the internet, with no electronic storage of account data.

SAQ P2PE: For merchants using a validated point-to-point encryption (P2PE) solution for card-present transactions, with no access to clear-text account data and no storage of it.

SAQ D: For all other merchants, and for service providers. This is the most comprehensive SAQ and applies to organisations that store, process or transmit cardholder data electronically.

Selecting the correct SAQ is crucial for keeping your compliance effort focused and appropriate to your business operations. Review the eligibility criteria of each SAQ carefully and consult your acquiring bank or a Qualified Security Assessor (QSA) if you're unsure which applies. In summary, scoping is the foundation of PCI-DSS compliance and requires careful consideration and documentation. By properly defining the boundaries of your cardholder data environment and selecting the appropriate SAQ, you can streamline the compliance process and reduce the risk of a data breach. Remember that achieving and maintaining PCI-DSS compliance is an ongoing effort that requires regular assessment and updates whenever the systems and processes handling payment card data change.
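As an added example that is not part of the original post: a small Python scanner for the "Identify Cardholder Data" step above. It finds PAN candidates in text (13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run of digits), keeps only those that pass the Luhn check, and reports them masked so that the discovery exercise does not itself create a new copy of cardholder data. The log lines and CSV rows are constructed sample input built from published test card numbers, not real data, and the file names are made up.

```python
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part of a
# longer digit run (the look-arounds stop a 20-digit reference number matching piecemeal)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers; filters most random digit runs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the conventional PCI-DSS display masking."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    masked_pan: str


def find_pans(source: str, text: str) -> list:
    """Scan text line by line; return masked findings for Luhn-valid PAN candidates only."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample input (hypothetical file names, published test card numbers).
# Line 1 also carries a 17-digit order id that fails Luhn, so it is correctly ignored;
# the CSV has one Luhn-invalid number to show the filter working.
SAMPLE_FILES = {
    "app.log": (
        "2024-03-01 order=12345678901234567 card=4111 1111 1111 1111 status=ok\n"
        "2024-03-01 order=12345678901234568 card=**** status=ok\n"
        "2024-03-02 refund for 5555-5555-5555-4444 cvv=123\n"
    ),
    "export.csv": "Smith,378282246310005,12/27\nJones,4111111111111112,01/26\n",
}


def scan_all(files=SAMPLE_FILES) -> list:
    """Run find_pans over every (name, text) pair and flatten the findings."""
    return [f for name, text in files.items() for f in find_pans(name, text)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line_no} {f.masked_pan}")
```

Two caveats a practitioner would add: the Luhn check removes most noise but not all of it (some invoice and account numbering schemes are Luhn-valid), so every hit still needs a human look; and plain-text scanning only covers files you can read as text, so databases, backups, mailbox stores and call recordings need their own extraction step before anything like this is useful on them. Note also that the `cvv=123` on the refund line is exactly the kind of sensitive authentication data that must not be there at all, and a regex for three digits cannot find it reliably; that is a log-review and application-design problem, not a scanning one.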
- Why is implementing ISO 27001 so difficult?
Well, the simple answer is that it really doesn't have to be. If you've looked at implementing it internally, or more likely, you've been given the extra responsibility of completing an implementation on top of your day job, it can look a little daunting to begin with. Of course, I could bleat on about hiring someone to do it (like me), but that might not be practical. So, I thought I'd pop down a starter for ten to show you how I would go about tackling it.

Buy the standard. I know it's wordy, and it might not make much sense right now. But once you have it, it will become a checklist for you a little further down the line. It's not expensive, and if nothing else, it provides excellent bedtime reading if you're a bit of an insomniac.

Get the boss on board. Now, you've probably been handed this dandy little project by your senior in the company. That person may or may not be the person signing the cheques, so let's make sure everyone is on board this train before we start rolling. It doesn't hurt to reach out to some certification bodies now, even before you've started doing any real work. They can give you an indication of cost, which you can take back to the people holding the purse strings. Pricing is relatively consistent between the different certification bodies, but (in my best Martin Lewis voice) get a few quotes, and you can then decide which one to choose. Some may be cheaper than others, but make sure you are getting like-for-like quotes. There are accredited and non-accredited certification bodies (in the UK, accreditation comes from UKAS). I'm not going into the difference here, as it's a whole other blog.

If we're happy with the costs, now is the time to start doing some work. Scope is a word you will hear, and it simply means, 'What areas are we including in this certificate?' A misconception is that you have to certify your entire company. This is incorrect; you might want a much smaller scope. A specific product you offer, a specific service you sell, a specific team. The options are endless, but it is up to you to decide what this might be. Typically, the smaller the scope, the easier the project. Start small and look to increase your scope a little down the line once you get the hang of things. Scope is essential, and it will drive things later. It's always good to ask yourself what you are trying to achieve at this point. What do we want our ISMS to provide? What objectives should we set and measure so we know this project is heading in the right direction?

Once you have your scope defined, go and do some hunting about and start pulling together some simple lists of what information you have. Break it down into a couple of areas to make your life a little easier. Think about the hardware first: end user equipment, printers, network devices, app servers, web servers, database servers, blob storage, even filing cabinets. Once you have this list, write down the type of information you're storing in each of those places: employee data, customer data, company data, source code, absolutely everything. Decide how important that data is, and how much of a pain it would be if it was lost, stolen or changed in error. Now we have a good list to work from.

Now the fun starts. We're going to look over that list and try to understand how each of those components could be damaged. That could be malicious intent by someone inside or outside of your company, or it could simply be someone overwriting it. Once we know what those risks are, we are going to decide how we can stop those things from happening. This is where we apply controls. Some risks may have one control applied; some may have many (some might have none if you are happy with the risk just the way it is). It's up to you and your team to decide which controls you should apply to reduce the risk of something terrible happening to a level you are comfortable with. Most people will cast their eye over Annex A at the back of the standard and choose controls from there. Remember, you don't have to use Annex A if you don't want to, but if this is your first rodeo, I probably would. It will make your life easier, and it'll make life easier for the auditor too. Work through each risk until you have decided which controls to apply to it, then gather every control you've chosen into a single list. Congratulations on creating the outline of your first 'Statement of Applicability'. The most important step now is to give yourself a pat on the back. There's more to do, but we've made a good start. Come back next time to find out where we go next.

Conclusion: Implementing ISO 27001:2022 might sound like a big task, but it's worth it in the long run. It's your ticket to showing your clients and partners that you take their data security seriously. Remember, it's not about being perfect from day one. It's about making steady progress and always looking for ways to do better. So, roll up your sleeves and get started on making your business more secure than ever before.
- What is Risk Management?
Risk management is the fundamental process of thinking about what bad things may happen; one way to look at it is as the corporate world's way of documenting fear, something that could happen but may never happen. In the cyber security world there is a term, FUD (Fear, Uncertainty and Doubt), which I hate. It is used by vendors to sell products, and I guess the uncertainty and doubt come from a lack of understanding of which fears are relevant to your business. This is why risk management is essential: understanding your risks helps you decide which controls (if any) to put in place to protect against these risks or to minimise the damage they may cause.

Risk Management Standards: There are several well-known risk management standards, including ISO 27005, ISO 31000, NIST SP 800-30, COSO and COBIT, and threat modelling or risk identification methods like STRIDE, DREAD and PASTA. Find one that works for you and adopt it, or define your own process. As long as it is repeatable and the output is consistent, it really doesn't matter. So, let's define some of the key aspects of risk management.

Understanding Risk: Definitions and Concepts. Threats and vulnerabilities are the fundamental reason you are doing risk management. A threat is a constant; threats take advantage of vulnerabilities to cause harm, and a simple example would be a thief. A vulnerability, on the other hand, can be lessened or removed, and the level of control you implement should be appropriate to what you are protecting. An open window is a vulnerability, a weakness in your home security; you could simply close the window, or you could apply greater controls such as bars or an alarm system. The thief (threat) takes advantage of the open window (vulnerability) to break in and steal your assets. That combination is the risk; threat and vulnerability are just a way of representing it, and how you document it will be determined by your process. You will need some kind of risk register to record your risks (we will explore this more next week in: What is a Risk Register?).

Risk is a basic calculation of impact multiplied by likelihood. There are extensions that can be added to that, but you are adding complexity to an already complex system. Most of the extensions add little value, and routine review will pick up any additional factors affecting a risk.

Risk scoring: Once you have your threat and associated vulnerability defined, you need to score the risk. This will help you decide whether to do anything about it. There are many ways to score, but 3x3, 5x5 and HML (High, Medium and Low) are the most common. Consistency is key when scoring, so you need a method to ensure it; a dedicated risk analyst or officer helps, because the same person is driving the scoring every time. 3x3 and 5x5 are easier to work with mathematically. If you use HML, assign numeric values to the terms so they can still be multiplied (I tend to use 1, 3 and 5); HML still gives everyone understandable terms to use without having to quantify a value. All risks should have an owner, and that person should have enough authority to make decisions on the risk.

Importance of Risk Management in Business: Risk management is a critical aspect of business operations. It helps you understand what is needed to protect the organisation from potential threats and vulnerabilities, and identifying those risks means they can be mitigated proactively to protect the business's assets. I firmly believe that risk management should form the basis of all your decisions. This goes beyond cyber security: if there is no risk or opportunity (yes, risk can bring opportunities), what are you spending time and money trying to fix or prevent?

Benefits of Implementing a Risk Management Strategy: A risk management strategy allows for consistent, successful and routine identification and management of risks and opportunities. To be effective, risks need to be scored consistently. This ensures that each risk is managed appropriately and reduces bias, which otherwise leads to resources being spent on the wrong things.
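As an added example (not from the original post), here is a small Python risk register that puts the scoring rules above into code: impact multiplied by likelihood on one of the scales mentioned (3x3, 5x5 or HML mapped to 1/3/5), rejection of any value that is not on the chosen scale or any risk without an owner, a ranked view of the register, and a check for overdue control reviews to cover the monitoring-and-review aspect. The rating bands (60% and 25% of the scale's maximum), the sample risks and the dates are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Scales mentioned in the post. HML is mapped to 1/3/5 so it can be multiplied
# like the numeric scales; the mapping itself is a choice, not a standard.
SCALES = {
    "3x3": {1: 1, 2: 2, 3: 3},
    "5x5": {1: 1, 2: 2, 3: 3, 4: 4, 5: 5},
    "HML": {"L": 1, "M": 3, "H": 5},
}


@dataclass(frozen=True)
class Risk:
    ref: str
    detail: str        # risk detail: what the risk is
    owner: str         # risk ownership: someone with authority to decide
    impact: object     # a value from the chosen scale
    likelihood: object
    treatment: str     # risk treatment: mitigate / accept / transfer / avoid
    review_due: str    # risk monitoring: ISO date of the next control review


def score(risk: Risk, scale: str) -> int:
    """Impact x likelihood on one scale; off-scale values and missing owners are rejected."""
    mapping = SCALES[scale]
    if risk.impact not in mapping or risk.likelihood not in mapping:
        raise ValueError(f"{risk.ref}: impact/likelihood must use the {scale} scale")
    if not risk.owner.strip():
        raise ValueError(f"{risk.ref}: every risk needs an owner")
    return mapping[risk.impact] * mapping[risk.likelihood]


def rating(score_value: int, scale: str) -> str:
    """Band a score relative to the scale's maximum (60%/25% thresholds are an assumption)."""
    top = max(SCALES[scale].values()) ** 2
    if score_value >= 0.6 * top:
        return "High"
    if score_value >= 0.25 * top:
        return "Medium"
    return "Low"


def prioritise(register, scale: str) -> list:
    """Return (ref, score, rating) tuples, highest score first, ties broken by ref."""
    rows = []
    for risk in register:
        s = score(risk, scale)
        rows.append((risk.ref, s, rating(s, scale)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def overdue_reviews(register, today_iso: str) -> list:
    """Refs whose control review date has passed: the monitoring-and-review check."""
    today = date.fromisoformat(today_iso)
    return [r.ref for r in register if date.fromisoformat(r.review_due) < today]


# Constructed sample register (illustrative risks, not from any real organisation)
REGISTER = [
    Risk("R1", "Malware on end-user devices", "IT Manager", "H", "H", "mitigate", "2024-01-31"),
    Risk("R2", "Laptop with unencrypted data lost or stolen", "IT Manager", "H", "L", "mitigate", "2024-09-30"),
    Risk("R3", "Office Wi-Fi password shared with visitors", "Office Manager", "M", "M", "accept", "2024-06-30"),
]

if __name__ == "__main__":
    for ref, s, band in prioritise(REGISTER, "HML"):
        print(f"{ref}: {s} ({band})")
    print("overdue reviews:", overdue_reviews(REGISTER, "2024-07-01"))
```

The point of pinning the scale in one place is the consistency the post asks for: a risk scored "Critical" or a 5x5 value dropped into an HML register is rejected rather than silently skewing the ranking, and a risk with no owner cannot be scored at all, so it cannot sit in the register unowned.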
- What does ISO 27001 cost in 2024?
Implementing ISO 27001: The Cost of Achieving Information Security. Let's start by defining what ISO 27001 is in simple terms; if you want a detailed explanation, check out our What Is ISO 27001 article.

What is ISO 27001? ISO 27001 is an international standard for information security management. It sets out a systematic approach to managing sensitive information, such as financial data, intellectual property and personal information, to ensure its confidentiality, integrity and availability. Implementing ISO 27001 requires significant time, effort and resources. The cost of implementation varies greatly, depending on the size and complexity of the organisation and the type of services used to achieve certification.

What does it cost? It is hard to say precisely how much you can expect to pay for ISO 27001 implementation, as multiple factors drive the cost. It can vary from as little as £100 (buying a policy pack) to £20,000 or more, but for most SMBs an assisted implementation should fall between £3,000 and £20,000. So let's delve into what drives costs up and how to keep them down.

What drives the cost up? The biggest cost differentiator is the size and complexity of the business. For example, a ten-person, fully outsourced, cloud-first business is much more straightforward than a 1000+ user, multi-site, international business with on-premise technology: more moving parts means more responsibility for data security. Using a consulting company rather than in-house skills may be more expensive. Completing the implementation in-house may reduce initial costs, but the long-term operational costs could be higher, and choosing a consultancy often results in a faster and smoother process. The timeframe also affects cost; if a quick turnaround is needed, more resources may be required to deliver the project at an accelerated pace.

What drives costs down? Having good security practices and policies already in place can significantly reduce costs, and the effort to achieve compliance is much smaller if security is already part of your everyday business culture. Using in-house knowledge to deliver the bulk of the implementation and external resource only for reviewing key aspects like internal auditing also keeps expenditure down. If you're not in a hurry, implementing the Information Security Management System (ISMS) gradually can help keep costs down and better integrate the system into the organisation. While a DIY approach may seem the cheapest option, some organisations underestimate the effort required to achieve certification and make little progress over a period of two years. Ultimately, this can cost more than bringing in a specialist consulting company to help with the implementation.

Why are some companies so expensive? The complexity of the ISMS they use and the day rate they charge both increase the cost of the implementation. The more complex the system, the more time is needed to implement it, and long-term management costs rise with it. Some companies over-engineer what is required, meaning there is more to implement with little benefit. Day rate has the most significant impact on cost. Larger consulting companies are generally more expensive due to higher overheads, but they can provide cover for the consultant working on your project if availability becomes an issue. Larger organisations also carry greater skills and service diversity, which adds to their value, and their prices usually reflect this. Many companies operate onsite regardless of need, which adds expenses for hotels, travel and food; on a 10-day engagement that could easily add another £1,000 or more.

Why are some companies so cheap? Smaller consulting firms generally cost less due to their lower operating costs. Companies with only one or two consultants are typically the most affordable, but they often face problems with limited resources and insufficient cover if the primary consultant is unavailable. The lower day rate may come with other issues, including reduced skills diversity, availability problems and a lack of innovative processes.

Other costs: So far, we have covered implementation costs. There will also be a cost for certification if that is your end goal. Over time, we have noticed a steady rise in the number of audit days UKAS-accredited certification bodies require to complete the certification process. Certification by a UKAS-accredited body is strongly recommended, as a certificate holds little value without that accreditation. However, it is possible to implement the framework without certification and still reap the security benefits while avoiding the associated costs. Audit costs from a UKAS-accredited body for an SMB would be in the region of £4,500 to £8,000, depending on the factors we have already discussed, and we have seen costs in excess of £25,000 for larger, complex organisations.

How we compare: As an organisation focused on value and simplicity, we offer builds from as little as £4,875. On average, our clients pay around £6,000 to £8,000. We also guarantee a Stage 1 pass, and as long as you take our advice, we guarantee you'll pass Stage 2 and achieve certification. We have a 100% certification success rate. Where possible, we complete everything remotely, as this reduces costs: no travel, hotels or other expenses are needed. Our day rate is £975. Where required, we can and are happy to operate on site at no additional cost; expenses are built into the day rate, so there are no unexpected or hidden costs. Our service includes all the documents you require: policies, registers and records. In addition, we hold numerous workshops to ensure you understand the implementation and are ready for your audits. We will run your Stage 1 audit for you, representing your company as your compliance manager, at no additional cost. If needed, we can assist at Stage 2 as well, although this will increase your costs. Still, many clients opt for it, as having someone with in-depth knowledge of the standard and the management system, who can also guide key staff on how to respond to the auditors, makes the whole process more seamless.
- Another Breach! but who really gives a f**k!
Significant and media-worthy data breaches seem to be increasing, along with the lesser breaches that only us InfoSec peeps see on security forums and newsletters, but does anyone really care? I would hazard a guess that most people don't. Unless it directly affects them, most people won't even read a mainstream data breach article. I hate to say this, but security can be dull. Obviously we (the InfoSec community) care, and we even use these breaches as mechanisms of fear (YOU COULD BE NEXT!!) or education (Be Aware). I like to think we lean towards the latter. Breaches seem to be the norm now, and as such maybe people are becoming desensitised to them. If we look back at some of the mainstream breaches, how many have resulted in a company going under? I am not aware of any.

I remember tracking the eBay breach and, let's be honest, it was probably a great example of how not to manage a data breach. The breach hit the media before eBay had notified anyone; I received the eBay notification about two weeks after I had already changed my password. But how did it affect the company? We hope that internally a more dedicated approach to good data security practices was implemented; externally there was a dip in the share price, but within two weeks it was right back where it was before the breach. Can a company be "too big to fail"? eBay own the auction market; I use the term "I am going to eBay it" regardless of whether I use their platform or not. 145 million passwords were taken, along with other PII that could be used in attacks against the individuals, but the biggest risk will be credential stuffing where people have used the same credentials across multiple systems, and you can be confident some of those will be company systems like VPNs. Even more recent data breaches like Facebook and Cambridge Analytica, which affected 50 million users, have had no real impact on the user base. Has anyone stopped using Facebook since that breach? I know I haven't. I am sure the $5 billion fine sounds like a lot, but for a company with a $16-17 billion quarterly turnover it really isn't!

When a company owns a market like Facebook, Amazon and eBay do, a data breach is a small blot on its reputation; maybe 1% of people will leave, but the other 99% will just continue, hopefully improving their passwords and enabling MFA as part of the process. We have no idea how many breaches occur, because unless a breach contains PII there is no requirement to notify, so companies affected by spear phishing and CEO/CFO fraud aren't going to announce they have been taken for £100,000 by cyber criminals; the only people who know are the board, the cyber insurance company and the security consultant they call for advice. Well, I am sure we will continue to post and try to educate. Some will use FUD, but I really think teaching cyber and privacy for life will beat security awareness at work, as employees that don't respect their own data won't respect yours.