Why combining IT and cybersecurity responsibilities in a leadership role is risky
Recently, LinkedIn suggested that I apply for the position of “Director of Global IT & Cyber Security”: a medium-sized company, multiple locations, well-known brand. Apart from the fact that I have enough to do at TEN Information Management, I took a look at the job description. Why? Because I hear from the organization that the […]
Bureaucracy, Part 748923: The difficulty of paying bills on time
As an entrepreneur, you know that when business isn’t going so well, outstanding payments can sometimes pile up. Most business partners pay after a friendly reminder, but sometimes you encounter absurd situations. I would like to tell you about one such situation today. In my opinion, it belongs in the category of bureaucracy that the […]
Overview of significant changes to ISO/IEC 27006-1:2024
The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001—especially for digitized companies. I have looked into this and identified the following key points: New calculation logic for audit days Updated remote audit policies Simplified auditor qualification No rigid experience requirements: Quantitative requirements such as “four years of professional experience” […]
Vocabulary related to information security – a basic prerequisite for mutual understanding!
In practice and in marketing, misleading terminology is often encountered in connection with information security standards such as ISO 27001 and SOC 2. This imprecise use not only leads to misunderstandings, but can also undermine the trust of customers and partners. In the following, I will highlight typical misinterpretations and supplement them with further examples […]
Collective irresponsibility in the supply chain: Why information security often fails during supplier onboarding
In theory, it sounds simple: suppliers are chosen according to defined criteria, their risks are assessed, and only then are they selected. In practice, things are usually different. Especially when onboarding suppliers, a pattern of collective irresponsibility often emerges – everyone in the company assumes that “the others” will take care of the details. The result: a bureaucratic […]
The policy problem: Why nobody reads policies anymore – and how we can change that
The “policy problem” plagues many companies and has become an annoying reality: There are countless policies on almost every topic, but hardly anyone knows which ones are relevant to him or her. This is particularly fatal in the area of information security – things that can only be regulated organizationally fall “under the radar” of […]
ISO 42001: AI Risk Assessment vs. AI System Impact Assessment
AI Risk Assessment vs. AI System Impact Assessment according to ISO 42001. ISO 42001, the international standard for AI management systems, requires organizations to conduct both an AI Risk Assessment and an AI System Impact Assessment. In this article, I would like to discuss the differences between these two assessments and which perspective each assessment […]
Pseudo-IT security – promoted and demanded by the CIO
I recently had an initial meeting with an interested party – a large medium-sized company from the manufacturing industry. The CIO reported that they had already implemented various IT security measures and now felt it was time to have their effectiveness reviewed by an independent body. The specific trigger was a recent ISO 27001 audit, […]
IT security in the banking environment: How banks are doing IT security a disservice (and driving customers away)
The following report is so unbelievable that it could have come from the famous Paulaner garden – if I hadn’t known the person concerned for over 10 years. That’s how I know that what I’ve described actually happened. So take a deep breath – and let’s go! What happened? For more than 15 years, a […]
Synergies between ISO 27001 and ISO 42001: a holistic approach to information security and AI management
The recently published ISO 42001 marks a significant milestone for the methodical use of artificial intelligence (AI) in companies. This standard describes a systematic approach to the introduction and operation of AI systems in organizations. Like almost all ISO […]