“I’ll do the rest with ChatGPT.” Why an ISMS is not a copy-paste project

About a year ago, a prospective customer said to me: “You know, Mr. Neeff, everything we need for our ISO 27001 ISMS documentation is now available for free on the internet. And I’ll do the rest with ChatGPT.” I love statements like that because I know exactly how much substance there is behind them. Namely, NONE. […]

Information security does not begin with ISO 27001, but with honesty.

Many believe that the core of effective information security lies in a particularly “good” or “beautiful” implementation of ISO 27001 or NIS-2. But the real success factor is something else: an honest assessment of the current situation. What does this mean in concrete terms? This is precisely where the wheat is separated from the chaff. True […]

Security risk board of directors: When ignorance becomes a real vulnerability

As the threat escalates, a publicly traded corporation continues to cut corners on IT security, relying on hope rather than defense. The CISO? No influence. No budget. No team. Now the few employees are sick, and no one cares. The executive suite? Looking the other way. Years of overload, zero recognition, no opportunities for development, and […]

Excel Dieter, PowerPoint Joe, and the management system chaos

Anyone involved in setting up and operating management systems—such as for information security in accordance with ISO 27001 (ISMS) or quality management in accordance with ISO 9001—is all too familiar with the scenario: Pages and pages of PowerPoint slides, huge Excel files with complex formulas, and dozens of Word documents often form the basis of […]

AI, copy & paste, and the end of genuine diligence?

I receive many emails and LinkedIn InMails, mostly from people who promise me the moon. They claim to have “cracked the LinkedIn code” and can help me gain lots and lots of new customer relationships in no time. I just smile wearily at these messages now. But last week, I finally lost my temper. One sender was […]

Threat intelligence without context is worthless

Platforms such as Mandiant, Recorded Future, and CrowdStrike Falcon Intelligence promise to provide information about the current threat situation in near real time. Many of these tools deliver comprehensive reports and are used by numerous organizations. But here’s the problem: the flood of information is often so great that it simply overwhelms experts and decision-makers. In larger […]

Why combining IT and cybersecurity responsibilities in a leadership role is risky

Recently, LinkedIn suggested that I apply for the position of “Director of Global IT & Cyber Security”: a medium-sized company, multiple locations, well-known brand. Apart from the fact that I have enough to do at TEN Information Management, I took a look at the job description. Why? Because I hear from the organization that the […]

Bureaucracy, Part 748923: The difficulty of paying bills on time

As an entrepreneur, you know that when business isn’t going so well, outstanding payments can sometimes pile up. Most business partners pay after a friendly reminder, but sometimes you encounter absurd situations. I would like to tell you about one such situation today. In my opinion, it belongs in the category of bureaucracy that the […]

Overview of significant changes to ISO/IEC 27006-1:2024

The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001, especially for digitized companies. I have looked into this and identified the following key points: a new calculation logic for audit days; updated remote audit policies; simplified auditor qualification; no rigid experience requirements: quantitative requirements such as “four years of professional experience” […]

Vocabulary related to information security – a basic prerequisite for mutual understanding!

In practice and in marketing, misleading terminology is often encountered in connection with information security standards such as ISO 27001 and SOC 2. This imprecise use not only leads to misunderstandings, but can also undermine the trust of customers and partners. In the following, I will highlight typical misinterpretations and supplement them with further examples […]