Incident Management Is Critical for Organizational Stability and Learning

Understanding ISO/IEC 27035: Building Incident Response Awareness for Businesses and Industry

This post provides a detailed introduction to ISO/IEC 27035 and its relevance to modern business. With cybersecurity increasingly under the spotlight, companies should be aware of how to respond swiftly and effectively to threats.

Understanding ISO/IEC 27035: Building Incident Response Awareness for Businesses and Industry

In today’s digital age, cybersecurity incidents are inevitable. Whether it's a data breach, malware attack, or a phishing scam, businesses need to be ready to respond. ISO/IEC 27035 provides an essential framework for incident management within the broader landscape of the ISO/IEC 27000 family of standards, ensuring that businesses not only have the tools to detect and respond to cyber threats but can also minimize the impact and recover effectively.

What is ISO/IEC 27035?

ISO/IEC 27035, titled “Information security incident management, “is a standard that provides guidance on how to plan and prepare for information security incidents, detect and respond to them, and learn from past incidents to strengthen future defenses. It covers the full lifecycle of security incident management, including:

- Preparation(creating policies and setting up incident response teams),

- Detection and Reporting (systems and protocols for identifying incidents),

- Assessment (analyzing the scope and impact),

- Response (containing and resolving the threat),

- Learning (documenting the lessons learned to improve future incident handling).

How Does ISO/IEC 27035 Fit into the ISO/IEC 27000 Family?

The ISO/IEC 27000 series is a family of standards designed to help organizations manage information security risks. While ISO/IEC 27001 focuses on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), ISO/IEC 27035 dives specifically into incident management—a critical component of an effective ISMS.

By focusing on handling security breaches and incidents, ISO/IEC 27035 complements other standards in the family. For instance:

- ISO/IEC 27002 provides best practices for information security controls, and incident management from 27035 enhances those controls.

- ISO/IEC 27001 lays down the framework for an ISMS, while ISO/IEC 27035 ensures that when incidents occur, the system is robust enough to manage them effectively.

Relationship with ISO 31000 (Risk Management)

ISO 31000 is an international standard for Risk Management. While ISO/IEC 27035 focuses on managing incidents after they occur, ISO 31000 provides a more comprehensive framework for risk identification, evaluation, and mitigation before incidents happen.

The synergy between these standards is key: ISO 31000 helps organizations identify potential risks and put controls in place, reducing the likelihood of an incident, while ISO/IEC 27035 ensures that organizations are prepared to respond effectively to those risks if they materialize.

Why ISO/IEC 27035 Matters for Business and Industry

For businesses and industries relying heavily on digital operations, a well-prepared incident response is no longer optional—it’s critical. The financial, reputational, and legal impacts of a poorly managed incident can be devastating. By implementing ISO/IEC 27035, organizations gain several benefits:

- Improved Preparedness: Proactive preparation means fewer surprises when incidents arise.

- Faster Detection: Better detection systems reduce response time, helping mitigate damage.

- Effective Response: Containing threats quickly can prevent escalation and wider impacts.

- Continuous Improvement: Learning from past incidents ensures that future risks are mitigated more effectively.

Incorporating ISO/IEC 27035 into a company's security practices ensures an integrated and responsive approach to managing security incidents, aligning with broader risk management frameworks such as ISO 31000 and ensuring compliance with the wider ISO/IEC 27000 family of standards. By doing so, businesses can protect their data, operations, and reputation in the face of growing cyber threats.

Article by: Hubert T. Robertson

22nd Sept 2024

The Interplay of Artificial Intelligence, Cybersecurity, and Risk Management in Organizations

In today's digital era, where cyber threats are increasingly sophisticated and pervasive, organizations must constantly refine their strategies to protect sensitive data and maintain system integrity. The integration of Artificial Intelligence (AI) into cybersecurity practices offers significant enhancements in detecting and responding to potential threats. Furthermore, effective risk management, guided by established standards such as those from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is crucial for building robust security frameworks.

Artificial Intelligence in Cybersecurity

AI technologies, including machine learning (ML) and natural language processing (NLP), have revolutionized cybersecurity by providing advanced tools that can analyze vast amounts of data at unprecedented speeds. AI systems can identify patterns and anomalies that might indicate a security threat, from malware attacks to unusual network traffic, which a human analyst might overlook.

For instance, AI-driven security systems can automate the threat detection process, thereby reducing the time it takes to identify breaches and minimizing the window of opportunity for attackers. Additionally, AI enhances the accuracy of threat detection with its learning capabilities, continuously adapting and improving based on new data, threats, and feedback.

Cybersecurity and Risk Management

Risk management is a critical pillar of cybersecurity. It involves identifying, analyzing, and mitigating risks associated with network and data security. Effective risk management ensures that protective measures align with the specific threats an organization faces and the critical nature of the assets at risk.

AI contributes to risk management by providing predictive insights into potential vulnerabilities and threat landscapes. These insights enable organizations to allocate resources more efficiently and implement proactive strategies tailored to anticipated cyber threats.

Relevant ISO and IEC Standards

In the rapidly evolving landscape of cybersecurity and risk management, staying updated with the latest standards is essential for organizations aiming to protect their digital assets effectively. Several ISO and IEC standards play pivotal roles in shaping the cybersecurity and risk management frameworks of organizations:

ISO/IEC 27001 - This is perhaps the most well-known standard concerning information security management systems (ISMS). It provides a framework for organizations to establish, implement, maintain, and continuously improve an ISMS. The standard emphasizes the importance of assessing and treating information security risks tailored to the needs of the organization.
ISO/IEC 27032 - This standard focuses on cybersecurity and provides guidelines for enhancing the security of digital networks and the internet. It emphasizes the role of different stakeholders in cyberspace, promoting a safer and more secure digital ecosystem.
ISO/IEC 31000 - Although not exclusively for cybersecurity, this standard outlines guidelines for risk management. It offers principles, a framework, and a process for managing risk that can be applied to various organizational activities, including cybersecurity.
ISO/IEC 27005 - This standard is specifically tailored towards information security risk management. It provides guidelines based on ISO/IEC 27001 and is designed to assist organizations in implementing and maintaining risk management within an ISMS context.
ISO/IEC 42001:2023 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS)1. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems.

How Organizations Can Prepare

Organizations looking to adapt to the upcoming changes in the ISO/IEC 27001 standard can begin by:

Conducting a Gap Analysis: Assess the current ISMS against the anticipated changes to the standard to identify areas requiring enhancement or modification.
Training and Awareness: Preparing the internal team for upcoming changes by organizing training sessions focused on the new elements of the standard.
Integrating Technology: Leveraging AI and other technologies in their ISMS, anticipating the greater emphasis these will have in the new version of the standard.
Engaging with Experts: Consulting with cybersecurity and risk management experts who are familiar with the standard’s revisions to ensure that the organization’s ISMS aligns with the new requirements.

Conclusion

The integration of AI into cybersecurity and risk management not only enhances an organization’s ability to respond to immediate threats but also helps in predictive risk analysis and strategic planning. By adhering to ISO and IEC standards, organizations can ensure a systematic, well-structured approach to managing security risks. This combination of advanced technology and standardized practices is essential in forming a dynamic defense against the ever-evolving landscape of cyber threats. The upcoming revision of ISO/IEC 27001 is an important reminder of the need for organizations to stay proactive in their cybersecurity and risk management efforts. By preparing for and adapting to these changes, organizations can ensure that their risk management strategies remain robust and effective against the backdrop of an increasingly complex cyber threat environment. As these standards evolve, they offer a pathway for organizations to reinforce their commitment to securing their assets and maintaining trust with stakeholders.

Hubert T. Robertson

28/04/2024

References

International Organization for Standardization (ISO): ISO/IEC 27001 Information security management systems — Requirements. ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
International Organization for Standardization (ISO): ISO/IEC 27032 Guidelines for cybersecurity. ISO/IEC 27032:2023 - Cybersecurity — Guidelines for Internet security
International Organization for Standardization (ISO): ISO/IEC 31000 Risk management — Guidelines. ISO - ISO 31000 — Risk management
International Organization for Standardization (ISO): ISO/IEC 27005 Information security risk management. ISO/IEC 27005:2018 - Information technology — Security techniques — Information security risk management
International Organization for Standardization (ISO): ISO/IEC 42001:2023 Artificial Intelligence Management System — Requirements. https://pecb.com/en/education-and-certification-for-individuals/iso-iec-42001
Columbus, L. (2021). How AI Is Improving Cybersecurity. Forbes. How AI Is Disrupting And Transforming The Cybersecurity Landscape (forbes.com)
McKinsey & Company (2019). How artificial intelligence can improve resilience in operating models. https://www.mckinsey.com/~/media/McKinsey/Industries/Metals%20and%20Mining/Our%20Insights/How%20artificial%20intelligence%20can%20improve%20resilience%20in%20mineral%20processing%20during%20uncertain%20times/How-artificial-intelligence-can-improve-resilience-in-mineral-processing.pdf
NIST (National Institute of Standards and Technology) (2020). Risk Management Framework. NIST Special Publication 800-37.

LEARNING ON THE MOVE!

PMIG's Philosophical Approach to Education and Training of Adult Learners

The world has become a much busier place. The increasing demand by organizations for employees who are up-to-date with ever-changing skills, tools, techniques, and technologies, appears to be spiraling out of reach of average adult learners. Due to the rapid pace of these changes, average adults cannot afford the time to embark on extensive courses lasting for long durations, only to become redundant by the time they graduate. There was a time when people took a four-year undergraduate degree, that was extensive and exhaustive..... and that could have lasted for a lifetime. Now try to imagine what will happen to an information technology student. I started with IBM PCMS-DOS, Lotus 123, and Quatro Pro. The latter two are the precursors of Excel. You needed to know the mathematics to input the formulas. That knowledge is now almost useless because Excel has these built in.

But here I intend to discuss the teaching-learning philosophy being embraced by PMIG Inc. This institution has adapted its curricula to meet the needs of today's busy adult learners, by delivering student-centered learning that pivots on authentic learning. Student-centered learning encompasses a variety of approaches toward curriculum design, and facilitation of learning, using various pedagogical methods and technologies that are relevant to the student's needs. The philosophy empowers the students to make significant decisions concerning what they learn; by what means they prefer to learn; when they learn, and at what pace. Authentic learning enables the students to develop useful life skills by relating their learning to real-life situations and creating tangible, useful products.

Given this philosophy, PMIG Inc. is providing useful, relevant, contemporary training courses that offer several options for learning. The graded learning journey generally commences with an introductory course, followed by a foundation course where the learner is equipped with the practical tools and techniques required and an advanced course of theory and practice.

Hubert T. Robertson

18th April 2024.

Lifelong learning in bite-sized chunks is key to

successful learning

Keep up-to-date with what is happening in the exciting field of Project Management.

This page has been provided for technical articles, white papers, and project management stories and experiences. Updates on new events and project management experiences will be posted here. Do you have a technical article or project management experience to share? Contact us! We'll be happy to accommodate you.

Cybersecurity is no longer an option. It is a must!

At the local and global organizational levels, almost all aspects of general and project management are driven by information technology. Some particularly susceptible areas are financial management, banking, marketing, defense, product development details, .... the list is endless. Also, human resources recruitment, onboarding, and development are challenged because these individuals, who have their own levels of commitment, may make personal decisions that will affect their organizations in one - favorably, way or another. While trust is a key element, the inherent risk of misuse of information and access will still remain. Cybersecurity at this juncture is, therefore, no longer a paragraph at the end of an IT textbook. It has now emerged as a substantial and all-embracing organizational management mantra, on equal footing with Risk Management. The rapid increase of digitization in organizations has also exacerbated the significance of cybersecurity risks. Businesses and other organizations are now bound to be aware of the implications of cyber risks for their organization's safe, effective and sustained functionality. Cybersecurity is no longer an option. It is a must!

By Hubert T. Robertson, MBA, MSc, PGDPM, PMP, PMI-RMP,

PECB ISO 21502 Certified Senior Lead Project Manager.

21st October 2022

________________________________________________________________________

What is really meant by project success?

Depending upon who's looking at it, a project may be regarded as a resounding success or a dismal failure. Why is this so? Is there a standard measure?

Projects can be regarded as temporary endeavors undertaken to achieve given objectives, within a specified time- frames, budgets, scope, and/or quality requirements. In other words- projects, quite unlike their operational counterparts, are subject to a core set of constraints which are usually referred to as the "Iron Triangle", which contains the limitations of cost, time, and scope. Over the years, some authors and researchers have been using the terms 'scope' and 'quality' synonymously; while claiming that quality is an element of scope. Also, the term 'budget' is often used instead of 'cost' as is 'schedule' used to replace 'time'.

Whatever the definitions used, the fact is that the project management world has become very accustomed, to measuring their successes by comparing achievements within scope, cost, and budget, (Caccamese & Bragantini 2012); Atkinson (1999), and (Toor and Ogunlana 2009) ... and particularly in the engineering, building and civil construction, marketing and information technology projects (Cooke-Davies 2002); Toor and Chuan (2006).

A look at the reports has revealed that for social development projects, other factors are used to gauge project success. This situation has led to varying views of project success, depending upon the type and intention of the project, as well as the stakeholders involved. A project manager might have delivered a project that is on time, within scope, and within-budget project, but yet, not receive commendations because it failed to satisfy the purpose. This author is actually aware of a community center that was built way upriver, on the riverbank, to serve indigenous youth who were supposed to paddle their little boats to that interior location. Needless to say, that building, which was ironically painted white, became, and has remained a 'white elephant.

Conversely, some projects failed to achieve the iron triangle', but were notable successes. Another point to consider is that there is a difference between 'project success' and 'project management success. It is generally accepted among professionals, that a project manager cannot be really held accountable for achieving higher-level results, so if his project failed to achieve increased social interaction within the community, but he had achieved within the constraints set out, he was successful in his project management. So the conundrum continues to exist, From the point of view of the contractor, the project was successful; the beneficiaries saw it as a useless building, and the donor agency… it depends… could have seen it as successful if their aim was to make a timely disbursement of funds!

Is there a need for a standard measure? The arguments continue. What has been noticed is that PMI in its later PMBOKs has quietly dropped the definite mention of the iron triangle alone. Serrador and Turner (2014) have noted that even PMI’s PMBOK (2008) 4th Edition no longer mentions the triple constraints, but includes customer satisfaction as a criterion.

References:

Atkinson, R. (1999) Project Management: Cost, Time and Quality, Two Best Guesses and a Phenomenon, It’s Time to Accept Other Success Criteria. International Journal of Project Management, 17, 337-342. https://doi.org/10.1016/S0263-7863(98)00069-6

Caccamese, A. & Bragantini, D. (2012). Beyond the iron triangle: year zero. Paper presented at PMI® Global Congress 2012—EMEA, Marseilles, France. Newtown Square, PA: Project Management Institute.

Cooke-Davies, T. (2002). Establishing the link between project management practices and project success. Paper presented at PMI® Research Conference 2002: Frontiers of Project Management Research and Applications, Seattle, Washington. Newtown Square, PA: Project Management Institute.

Project Management Institute (2017) A Guide to the Project Management Body of Knowledge. Sixth Edition.

Serrador, P. and Turner, J. R. (2014) The relationship between Project Success and Project Efficiency. 27th IPMA World Congress. Procedia – Social and Behavioral Sciences 119 (2014) 75 -84. Available online at www.sciencedirect.com

Toor, S. R. & Ogunlana, S. (2010). Beyond the ‘iron triangle’: Stakeholder perception of key performance indicators (KPIs) for large-scale public sector development projects. International Journal of Project Management. 28. 228-236. 10.1016/j.ijproman.2009.05.005.

By Hubert T. Robertson, MBA, MSc, PGDPM, PMP, PMI-RMP,

PECB ISO 21502 Certified Senior Lead Project Manager. June 2020

Share this page