ISO 42001: AI Risk Assessment vs. AI System Impact Assessment
AI Risk Assessment vs. AI System Impact Assessment: according to ISO 42001. ISO 42001, the international standard for AI management systems, requires organizations to conduct both an AI Risk Assessment and an AI System Impact Assessment. In this article, I would like to discuss the differences between these two assessments and which perspective each assessment […]
Pseudo-IT security – promoted and demanded by the CIO
I recently had an initial meeting with an interested party – a large medium-sized company from the manufacturing industry. The CIO reported that they had already implemented various IT security measures and now felt it was time to have their effectiveness reviewed by an independent body. The specific trigger was a recent ISO 27001 audit, […]
IT security in the banking environment: How banks are doing IT security a disservice (and driving customers away)
The following report is so unbelievable that it could have come from the famous Paulaner garden – if I hadn’t known the person concerned for over 10 years. That’s how I know that what I’ve described actually happened. So take a deep breath – and let’s go! What happened? For more than 15 years, a […]
Synergies between ISO 27001 and ISO 42001: a holistic approach to information security and AI management
The recently published ISO 42001 marks a significant milestone for the methodical use of artificial intelligence (AI) in companies. This standard describes a systematic approach to the introduction and operation of AI systems in organizations. Like almost all ISO […]
The sense and nonsense of compliance automation platforms
When looking for tools to help you implement ISO 27001 or SOC 2, you will also come across so-called (compliance) automation platforms that promise to take up to 90% of the work off your hands by integrating with your (cloud) services. In this article, I explain why this paints a somewhat too rosy picture. The […]
The dark side of video surveillance: How poorly implemented surveillance jeopardizes IT security
Video surveillance is a common means of increasing security in companies. It is intended to prevent theft, protect employees and create a safe working environment overall. But what happens when video surveillance itself becomes a weak point? Poorly implemented surveillance systems can have significant negative effects on IT security and unintentionally reveal sensitive information. Unintentional […]
Bureaucracy in the company, part 98765: Travel expense accounting
I recently met a colleague who is CISO at a large corporation in Germany. In addition to all kinds of technical topics, at some point during the conversation we also got to talking about the administrative processes in his organization. At this point in the conversation, the colleague really vented his frustration: he told me […]
What can you actually do with an AI management system in accordance with ISO 42001?
ISO 42001 will be exactly one year old in December 2024. As there aren’t that many of these certificates on the market yet, I have taken this as an opportunity to take a closer look at what you can actually do with such an AI management system. Introduction: Why and for what is ISO 42001 […]
Funding for IT security measures
Measures in small and medium-sized organisations that serve to increase IT security are often funded by the public sector. In order to strengthen the cyber resilience of these companies, various levels of government in Germany offer funding programmes. These programmes are designed to ease the financial burden of implementing advanced IT security measures and thus […]
Cyber attack with fake invoices
Cybercrime only affects the big players? Certainly not! Last week, we witnessed live how an attacker – unfortunately successfully – defrauded the customers of a retailer and stole a considerable amount of money in the process. What happened? Previously unknown perpetrators have forged purchase contracts from a medium-sized trading company and replaced the bank details […]