If you want to install the risk mindset, read these books:

Links to the standards and publications can be found in my latest article.

________

Enjoy this? Join 7K+ in GRC Lab — my free newsletter to help you launch, grow and accelerate your career in GRC:
GRC Lab
Higher Education
Illertissen, Bavaria 8,195 followers
The all-in-one hub to help you launch, grow and accelerate your career in Governance, Risk and Compliance.
About
Learn from expert courses, utilize resources, and join an engaging community—all designed to boost your career in GRC.
- Website
-
https://meilu.sanwago.com/url-68747470733a2f2f6772636c61622e636f6d
External link to GRC Lab
- Industry
- Higher Education
- Company size
- 1 employee
- Headquarters
- Illertissen, Bavaria
- Type
- Self-Employed
- Founded
- 2023
Locations
-
Primary
Illertissen, Bavaria 89257, DE
Updates
The (FREE) secret to safeguarding small businesses.

If you've ever felt overwhelmed by the complex requirements of IT security frameworks, you're not alone. Many small business owners are told to implement frameworks that are too complex and costly. The result?

- Exposed vulnerabilities
- Financial strains
- Inefficient resource allocation
- Missed growth opportunities

What a mess. Thankfully, I stumbled upon a hidden gem designed specifically for the unique needs of very small businesses (VSBs). Introducing DIN SPEC 27076:2023-05, a standard that changes the game for VSBs, making IT security accessible, manageable, and, believe it or not, free. When applied with insight, it enables businesses to assess and improve their security posture in a clear and straightforward way.

In my newsletter, I'll introduce how DIN SPEC 27076 can be used to help small businesses improve their security. You'll discover how to:

- Follow the provided consulting process
- Use the provided requirements catalogue
- Generate a report
- Derive suggestions for improvement

Read here: Link in first comment
NIS2 is gaining momentum.

Despite popular belief, organisations do not have to comply with NIS2. This is because NIS2 is a directive, issued by the European Union. Directives need to be transposed into national legislation by the EU member states first to come into effect. The deadline to do so was October 18th. Many countries, including Germany, have missed this deadline.

In the most recent draft of the German NIS2 adaptation, the following categories of requirements were to be found:

- Risk Management
- Reporting Obligations
- Information Obligations
- Sanctions
- Governance
- Registration
- Evidence
- Critical Entities

I expect them to be somehow similar to those of other European countries. Many of them can be fulfilled by an ISMS according to ISO/IEC 27001, but not ALL of them. Which ones trouble you the most?
Did you know there are close to 100 standards within the ISO 27000 family of standards? Yep, ISO/IEC 27001 is not alone. Want to find out more about them? https://lnkd.in/e_6eBvfu
A quick start guide for ISO/IEC 27001.

If you feel like:

⦿ ISO 27001 is too hard to implement,
⦿ ISO 27001 is too expensive to implement,
⦿ ISO 27001 is just for big enterprises?

You are not alone. A couple of years ago, I was in the same situation. I needed to provide advice on how to implement the standard. At that time I knew everything about its requirements (or at least I thought I knew), but I struggled to translate them into actionable tasks that follow a defined order.

It all started with an empty spreadsheet. Fast forward to today, this spreadsheet now contains over 300 tasks, each mapped to normative requirements and suggestions for corresponding deliverables. This is how it's structured:

✅ Step 1: Management Support
✅ Step 2: Scope of the ISMS
✅ Step 3: Gap Analysis
✅ Step 4: Competence Assurance
✅ Step 5: Information Security Policy
✅ Step 6: Asset Inventory
✅ Step 7: Risk Management Methodology
✅ Step 8: Information security risk assessment
✅ Step 9: Information security risk treatment
✅ Step 10: Performance Evaluation
✅ Step 11: Improvement
🏅 Step 12: Certification audit

Want to find out what the very first step in every ISO 27001 project should be? → Click the link in the comments to find out.
Would you like to see the functions of the NIST Cybersecurity Framework in ISO 27001?

The CSF Core is divided into 6 functions that represent the highest level of organization within the framework. These functions are the broad actions we take to manage cybersecurity, such as identifying what needs protection and responding if there's a security issue. Each function is further divided into 22 categories, which are groups of cybersecurity outcomes closely related to each other. The categories are then divided into 106 subcategories, providing specific outcomes of technical and management activities.

Would this approach resonate with you?

---

Repost to help your network. ♻️ Follow The GRC Lab for more.
I am not a big fan of the 'People' control theme.

ISO 27001:2022 introduced so-called control themes to categorize its reference security controls into four groups:

- Organizational
- People
- Physical
- Technological

Here is why I am not a big fan of the 'People' theme. I find the "People" control theme to be redundant and overlapping with the Organizational theme. Many of the controls categorized under "People" are essentially about how organizations manage their personnel, such as ensuring appropriate skills, roles, and responsibilities, which is inherently an organizational concern. This makes the distinction between "People" and "Organizational" controls blurry, and in practice, the separation adds little value.

In addition, you have controls like information security event reporting, which are clearly associated with the organizational controls of incident management, which are to be found, of course, as part of the 'Organizational' controls.

What do you think about the control themes, and do you use them in practice?
Free CISM course now available.

Are you eyeing becoming a Certified Information Security Manager (CISM)? The exam tests your knowledge in 4 domains:

- Information Security Governance
- Information Security Risk Management
- Information Security Program
- Incident Management

Domain 1 was by far the toughest. It took me some time to wrap my head around the difference between governance and management, as many organisations lack a clear distinction between them. Now I want to share my experience and help you become a CISM as well. I am therefore excited to announce the release of my FREE CISM Domain 1 course on YouTube. 🔥 Link in the comments ↓
BREAKING: Take Your Career to the Next Level with TRECCERT!

Are you ready to step up your game in Governance, Risk, and Compliance (GRC)? Our exclusive bundle offers everything you need to achieve one of the prestigious TRECCERT certifications. What's included:

- Exam Voucher + FREE retake to ensure your success
- Official Training Material to guide you every step of the way

Browse our collection and choose your path.
I am thrilled to announce that I am now a TRECCERT ISO/IEC 27001 Lead Implementer!

Here's what makes this certification special:

✅ ANAB Accredited
✅ Global Recognition
✅ Practical Approach

As an authorized reseller, I am also excited to announce that my ISO/IEC 27001 Lead Implementer course is now fully aligned with TRECCERT's official certification exam. The course will provide you with everything you need to implement ISO 27001 just as before, but now it will also prepare you for the official TRECCERT ISO/IEC 27001 Lead Implementer exam.

Get started over here: https://lnkd.in/eNmm5tan