Saturday, 14 September 2013

27002: the supermarket of controls
OK, welcome to what will hopefully be a vaguely interesting and not entirely infrequent series of posts on various aspects of information security. Your host for this set of trips into the slightly known is one Bridget Kenyon, information security enthusiast.

For my first foray, join me, gentle reader, as we peer under the hood of 27002, the "supermarket of controls", as a very wise friend of mine calls it.

It's the good buddy of 27001, the set of things which make up an Information Security Management System, or ISMS, for those who like their acronyms.

If 27001 is "what you should end up with", then 27002 is a whole catalogue of security measures (controls) you can use to get you there. Stuff like physical perimeters, cryptography, user training, passwords ("secret authentication data", don't ask) and so on. It's about 81 pages long, and a great bedtime read.

So why a supermarket? Well, in the ideal world, shopping for groceries is done by deciding what you need, writing a list, and then going to the supermarket and picking up what you need. While you're there, you may notice something you forgot to put on your list, and add it to your shopping cart. Good.

In the real world, you either: a) turn up at the supermarket hungry, with no list, and go home with twenty doughnuts, a bar of chocolate, and a sieve; or b) turn up with a list, get sidetracked, and end up with twice as much as you needed, and missing something vital (like washing up liquid). Not so good. NB: I am Shopper Type a)...

It's the same for 27002. In the ideal world, you do a risk assessment, decide what controls you need to apply to satisfy contractual obligations, the law, and make it possible for you to sleep at night. Then you write them down (your shopping list), and visit 27002 to check them off. While you're there, you can add anything vital (like passwords) you should have included originally, but forgot.

In the real world, people tend to treat 27002 itself as a shopping list. No. Please don't! You wouldn't go into a supermarket and buy everything, would you? Nor should you go into it with a vague intent, and pick out everything which looks about right. You will end up getting home and finding you now have fifty eggs and no toilet paper (metaphorically speaking).

To spend your money and time wisely, don't let 27002 cozen you into picking the wrong things, or more than you need. Remember your shopping list.
