Annex A Controls
The Human Factor in Information Security: Why Controls A.6.4 and A.6.5 Matter After fifteen years of conducting ISO 27001 audits, I can tell you that the most sophisticated cyberattacks often pale in comparison to the damage caused by a single disgruntled employee with legitimate access. Controls
Annex A Controls
A.6.1 Screening — Risk-Proportionate Verification That Actually Works Control A.6.1 requires background verification checks on all personnel candidates, carried out prior to joining and ongoing, taking into consideration applicable laws and being proportional to business requirements, information classification, and perceived risks. What this means in practice: your
Annex A Controls
Understanding ISO 27001's Privacy Control Framework Controls A.5.34 through A.5.37 represent some of the most misunderstood requirements in ISO 27001:2022. I've seen organizations treat these as separate checkbox exercises—privacy team drafts A.5.34, internal audit owns A.5.35,
Annex A Controls
A.5.29 through A.5.33 — Business Continuity and Compliance: The Controls That Make or Break Crisis Response I've been called into organizations six months after they've survived what they thought was their worst-case scenario, only to discover they'd created vulnerabilities far worse
Annex A Controls
The Incident Management Reality Check Most organizations I audit have incident management processes that look immaculate on paper and crumble spectacularly when something actually goes wrong. I've watched security teams fumble through their first real breach while frantically searching SharePoint for a procedure document nobody has read since
Annex A Controls
Understanding Controls A.5.23 and A.5.24: The Cloud Security Lifecycle After fifteen years of auditing organizations across every sector, I've watched cloud adoption evolve from experimental to essential—and I've seen the same security mistakes repeated countless times. Controls A.5.23 and
Annex A Controls
The Foundation Crisis: Understanding A.5.19 Information Security in Supplier Relationships The audit still haunts me. A mid-sized fintech with pristine internal controls—hardened infrastructure, quarterly penetration tests, mandatory security awareness training. Then I asked for their supplier inventory. The IT director sheepishly produced a spreadsheet from 2022 listing
Annex A Controls
Control A.5.15: Access Control Policy That Actually Works Control A.5.15 requires establishing and implementing rules for controlling physical and logical access to information and other associated assets based on business and information security requirements. The key word here is "implementing" — I've seen
Annex A Controls
A.5.11 — Return of Assets: The Termination Control That Reveals Everything Control A.5.11 requires that "personnel and other interested parties should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement." Simple on paper, catastrophic
Annex A Controls
The Foundation That Makes or Breaks Your ISMS Every organization I audit claims they have an asset inventory. About 20% actually have something useful. The rest have either a dusty spreadsheet last updated when someone remembered it existed, an automatically generated list from a scanning tool that nobody reviews, or
Annex A Controls
Here's what I learned from fifteen years of auditing project security implementations: the organizations that succeed at Control 5.8 don't treat it as a security control at all. They treat it as project hygiene. The ones that fail? They bolt security onto their existing project
Annex A Controls
The Three Layers That Matter Control 5.7 requires organizations to collect and analyze information relating to information security threats to produce threat intelligence. The standard deliberately defines three distinct layers of threat intelligence that must be considered, and understanding these layers is crucial to meeting audit expectations: * Strategic threat