Note-to-self: PECB Exam references: preparation & guidance

  1. Access to course materials
    1. PECB Kate
      1. Kate app
      2. Kate Web
    2. Access via PECB profile
  2. Planning exam
    1. PECB Profile > Exams
    2. PECB Exams direct link online
    3. PECB Exam application
  3. Helpful links
    1. Exam handbooks
    2. PECB Exam Preparation
    3. PECB Exam Rules and policies
    4. PECB Online Examinee manual (PDF)
    5. PECB Exam platform user guide
  4. Exam Handbooks
    1. NIS 2
    2. CISO
    3. ISO27001
  5. Extra material
    1. For each exam:
    2. ISO Standards
    3. NIS 2
      1. Exam Handbook
      2. NIS2 legislation
    4. DORA
      1. Legislation
    5. GDPR
    6. Legislation
  6. Some practical hints and tips for the exam
    1. To prepare for the exam
      1. Open book
      2. Closed book
      3. Prepare the content (open book exam)
    2. Practical hints to prepare your open book exam
      1. Exam app
    3. Before entering the exam
    4. Entering the exam
    5. During the exam
      1. Suggestion for exam approach
  7. Just in case of bad luck
    1. If exam entry fails
    2. If the exam result sucks…

Access to course materials

PECB Kate

Kate app

Kate Web

https://kate.pecb.com/

Access via PECB profile

Access your materials at https://pecb.com/en/login ; there is a tab where you can see and link the registered material.

Planning exam

PECB Profile > Exams

Login to your PECB Profile: https://pecb.com/en/login

In the menu on the left hand side, hit the Exams section, then “Enroll” to book an exam.

To book your exam: https://pecb.com/en/eventExamList/schedule

(You’ll be asked to login to your PECB profile).

PECB Exam application

To join an exam you need to install the PECB Exams app from https://pecb.com/pecbexams/

Helpful links

Exam handbooks

Select your exam in the List of PECB Exams; in the right-hand column you’ll find the exam handbook.

In the section below, you’ll find some specific recent and popular exam handbooks, including

  • NIS 2 Lead implementer & foundation
  • CISO
  • ISO27001 Lead Implementer

PECB Exam Preparation

PECB Exam Preparation Guides: https://pecb.com/en/exam-preparation-guides

PECB Exam Rules and policies

PECB Exam Rules and Policies: https://pecb.com/en/examination-rules-and-policies

PECB Online Examinee manual (PDF)

PECB Exam platform user guide

PECB Exam Platform User Guide: https://pecb.com/help/index.php/manuals/online-exam-instructions/probo-user-guide/

PECB Exam Platform Video Tutorial: https://help.pecb.com/index.php/manual/mypecb-dashboard-manual/#3869 (from 4.52 onwards the exam platform is demonstrated)

Exam Handbooks

NIS 2

CISO

ISO27001

Extra material

For each exam:

Download relevant ISO standards (see chapter below) or legislation (free).

ISO Standards

NIS 2

Exam Handbook

NIS2 legislation

(suggestion to print for exam)

DORA

Legislation

GDPR

Legislation

Some practical hints and tips for the exam

To prepare for the exam

Open book

In case of “open book” exams you can take the printed learning material (course content, TOC, index, exercises & quizzes) with you, but also

  • the relevant standard print (like the ISO27001 / ISO27002 standard for the ISO27001 exams)
  • the relevant legislation print (NIS2, DORA, GDPR …)
  • your notes

You’re not allowed to use a second pc, laptop, tablet or smart phone during the exam.

HINT: if not yet printed, print the course on paper… in advance.

Closed book

No additional help allowed, at all.

Prepare the content (open book exam)

In case of an open book exam

  • you can use the KATE app during the exam to look up content
  • use the print (see previous section)

BUT, in many cases people get distracted flipping screens between the exam and KATE.
BETTER: print the course material (yes, less eco-friendly, but way easier and more comfortable to pass the exam).

Practical hints to prepare your open book exam

  • do not memorize, but study and set up your course material for easy search
  • organise your course with post-its to mark
    • sections
    • important topics (e.g. certain articles from legislation…)

Exam app

Install the PECB exam app a few days in advance and check if it works (not a few minutes before the exam).
Please be aware that some enterprise laptops might block the installation of the app.
In rare cases, your firewall might not be happy…

If so:

  • ask help from your IT department
  • use a personal laptop/pc

Before entering the exam

  • you can only use 1 screen and laptop/pc
  • Make sure you’re in an isolated environment, without any interference from people or your phone
  • Mute your mobile
  • …

Check the exam policies and conditions (see above).

Entering the exam

Check the technical conditions

  • fast internet
  • single screen
  • no remote assistance software

During the exam

Suggestion for exam approach

  • Review / mark questions if you’re unsure of the answer
  • run the exam in 3 rounds
    • First round: answer the questions as quickly as possible
      • mark a question for review if you are in doubt, but
      • don’t lose time, don’t get stuck (wasting time) on a question
    • Second round
      • Recheck the questions you marked
      • IMPORTANT: only change an answer if you know it is wrong and have validated it.
      • Don’t change the answer if you’re not sure.
    • Third round
      • answer the questions you don’t know by looking them up
      • look up the answer in the course (open book exam)
  • The first time you want to submit the exam
    • wait 5 minutes before hitting the submit button
    • review the questions, in case you can still improve your score
    • only hit the submit button at the second attempt

Just in case of bad luck

If exam entry fails

In case of technical issues, an emergency … and you’re not able to enter the exam, just know that the exam coupon is ONLY voided when you enter the exam.

Solution: open a PECB support ticket and ask to reschedule the exam under better conditions.

If the exam result sucks…

  • the PECB exam coupon is valid for a free retry…
  • Book a new exam with the same code
  • Study again
  • ask for help, e.g. from a coach
  • Retry with success

Failure is a learning point to do better.

Data protection professionals education & certification comparison IAPP & PECB

  1. Crosspost
  2. Scope
  3. Feedback
  4. Important note
    1. Certified vs Accredited
    2. Certification in GDPR
  5. Comparison Chart
  6. Company approach and purpose
  7. Course & exam comparison
  8. Extra online material
  9. Experience requirements
  10. Exam and maintenance fees
  11. Planning your certification roadmap
  12. References
  13. Download
  14. White label version
  15. Thank you

Crosspost

Full page online article (22p) is available at the Cyberminute blog, which includes a PDF download option.

Below you’ll find a quick recap of the article.

Scope

This article focuses on education tracks for privacy and data protection professionals, or DPOs (ref. GDPR) that need a mix of expertise in legal, operational and business knowledge in their job.

It would take me a tremendous amount of time to list all other local or regional or worldwide providers, but I would challenge you to collect and list them. Feel free to send me the details on the data protection course you attended. I’ll collect and publish the references.

It would be a great resource to have a larger overview on privacy and data protection certification and education. Certainly useful, but I can’t do that on my own. I need your help for that.

Feedback

Any constructive feedback or opinion is welcome. Any constructive suggestion to improve the article will be considered.

Important note

Certified vs Accredited

If you are a certified professional, that does not mean you’re accredited. In short

  • When certified you passed the technical requirements incl. exam and/or professional experience (eg. proven track record for audits)
  • When accredited you are accepted to work as professional or auditor by an accreditation or assessment body. Certification is by default a requirement for accreditation as auditor.

Certification in GDPR

Although you’ll find 2 articles in the GDPR (Art. 42 and Art. 43) on certification and accreditation, you should know that

  • The GDPR does NOT provide for certification of persons (like DPOs)
  • Currently (as of Feb 2020), there is no official GDPR certification track at European level yet for the processing activities of data controllers and data processors. The program is in progress.

Comparison Chart

To make it easy, we have compiled a quick overview in a comparison chart, and then we provide the explanation too. Surely you want to know more about it.

Company approach and purpose

Before you can compare and understand the courses, it’s important to understand the organizations behind these certifications.

Course & exam comparison

The core of the article, comparing IAPP CIPP/E, CIPM & CIPT with PECB CPDO and ISO27701.

Extra online material

Both providers have an interesting set of extra online material to get started.

Experience requirements

IAPP and PECB have different approaches in their certification scheme regarding experience, which might be useful to think about when planning your education track.

Exam and maintenance fees

Of course you need to think about your budget. But you can plan economically for it, to take a smart track.

Planning your certification roadmap

Depending on your needs, there are some tracks and sequences you should know about. Plan smartly.

References

The article is packed with online reference material; have a look at it if you need more background information.

Download

PDF: http://blog.cyberminute.com/wp-content/uploads/2024/03/data-protection-certification-track-comparison-IAPP-PECB-final.pdf

White label version

A white label version (Word) of this document is available on request (DM me via LinkedIn or by mail.)

Thank you

I want to thank the teams at PECB and IAPP for their cooperation to validate their respective part of the comparison.

AI, Cloud & Modern Workplace Conference 2024: red flags and attention points in cloud security audit (watch the security gates) (Part 2/2, the details and solutions)

  1. Introduction
  2. Part 1
  3. Presentation collaterals
    1. Introduction (p1 & 2)
    2. Security = PPT (slide 3-4)
    3. Security across the company (slide 5)
    4. Management team responsibility (p6)
    5. Security controls and measures (p7)
    6. Security is a process, continuously changing (p8)
    7. How are you doing? (p9)
    8. How is your customer or supplier doing? (p10)
    9. Monitoring or Audit: what’s the difference ? (p11)
    10. Audit types (p12-15)
      1. Audit types : internal audit
      2. Audit types : 2nd party audit (mutual)
      3. Audit types : 3rd party audit (external)
    11. Audit main principles (p16)
  4. Audit red flags
    1. 1. First login with god mode (p17)
      1. Hacker interest
      2. Solution
    2. 2. User ID and password
      1. Hacker interest
      2. Solution
    3. 3. Default groups
      1. Solution
    4. 4. Ad-hoc (eh..no) Identity Management
      1. Solution
    5. 5. No process management
      1. Solution
    6. 6. All-in one account
      1. Solution
    7. 7. All-in one desktop
      1. Solution
    8. 8. RDP remote access
      1. Solution
    9. 9. One network
      1. Solution
    10. 10. Onetime configuration
      1. Solution: check…
  5. References
    1. Microsoft
    2. Learn Microsoft Azure audit and logging fundamentals
    3. Azure hardening
    4. ISO standards
    5. Cloud security alliance
  6. Feedback

Introduction

This post is the second part on the session on cloud security red flags I presented at the AICMWC conference in February (AI, Cloud & Modern Workplace Conference 2024).

Down below you’ll find an overview of the various slides with the talking points I covered during the presentation.

Not only attention points, but more importantly how to tackle these red flags and security gates to make your Microsoft 365 and Azure environment more secure with low-effort security investments, by simply implementing a basic cloud security hygiene.

Enjoy and use it to make your cloud more secure!

This post will be updated, going along with more practical security hints and tips, but you can start already.

Part 1

Event material published in this post: Part 1

Presentation collaterals

Introduction (p1 & 2)

Feel free to connect and link via LinkedIn: https://www.linkedin.com/in/pgeelen/

Overview of my LinkedIn articles: https://www.linkedin.com/in/pgeelen/recent-activity/articles/

Find my Microsoft MVP profile at: https://mvp.microsoft.com/en-us/PublicProfile/5002204

Security = PPT (slide 3-4)

Security is not only built by using technology, you need people to handle the infrastructure and they need instructions and processes to make it work. This combination is called PPT:

  • People
  • Process
  • Technology

Within technology you have both digital and physical infrastructure, that’s why PPT is sometimes referred to as PPPT.
For your information, the new ISO27001v2022 is using exactly these four categories (PPPT).

Security across the company (slide 5)

Security is not only the responsibility of the IT team or the cloud security engineer.
Cloud security needs to be tackled throughout the entire company, including

  • Strategic level
  • Tactical level (departments)
  • Operational level

Management team responsibility (p6)

Security starts at the top, and should use a PDCA cycle (plan>do>check>act… or Adjust).
(You’ll see that many best practices like NIST and ISO use this approach…)

The management team must provide

  • Accountability
  • Planning
  • Resources
  • Operations
  • Performance
  • Continuous improvement

Security controls and measures (p7)

Within the security controls and measures, you should (at least) think about…

  • Asset management
  • Identity & access management
  • System & network security
  • Secure configuration & baseline
  • Physical security
  • Threat and vulnerability management
  • Application security
  • Policies & procedures
  • Documentation
  • HR security
  • Supplier management
  • Incident management
  • Business continuity
  • Disaster recovery

(Figure: Security controls and measures)

Whether you talk about your own security, cloud or cyber security… you need these processes one way or another.

Security is a process, continuously changing (p8)

Please be aware that implementing security is not a one-off task, you need to implement security in a continuous way

Typically you can define a lifecycle, with

  • onboarding
  • change
  • offboarding

This is not only applicable to people but also

  • hardware
  • software
  • infrastructure
  • assets
  • documentation
  • processes
  • … anything

How are you doing? (p9)

In the first phase, the purpose of monitoring and audit is to target yourself…
How is your company doing?

How is your customer or supplier doing? (p10)

Second level: while you can delegate certain activities to external parties, you are still accountable for them…
So you better monitor and audit your externally provided operations closely.

For example, in case of a cyberattack, or a data breach on your supplier, you better investigate the impact to your data and infrastructure…

Info: check the page on Supply Chain security breaches of this blog.

Monitoring or Audit: what’s the difference ? (p11)

Monitoring

  • Performance check
  • Continuous (or high frequency)
  • By owner

Audit

  • Compliance check
  • Regular intervals (lower frequency)
  • Independent from owner

(Figure: Monitoring vs audit)

Audit types (p12-15)

  • 1st party (internal audit)
  • 2nd party
    • Customer > supplier
    • Supplier > customer
  • 3rd party
    • external

Audit types : internal audit

  • Self-validation (Auditing within company)
  • No publication to external parties
  • No certificate

Audit types : 2nd party audit (mutual)

  • Commercial interest first
    • Contractual dependence
    • Due diligence
  • Mutual interest
    • Customer checking (potential) supplier
    • Supplier checking (potential) customer, eg before onboarding
  • Delegation / verification of compliance
    • Verification if delegated tasks are done correctly

Audit types : 3rd party audit (external)

  • Independence between parties
  • Auditor vs customer
  • No combination of consulting & audit allowed
    • Segregation of duties
  • Official certificate
    • Published
    • Available to external parties

Audit main principles (p16)

  • Snapshot of situation
  • Quick estimation of situation
  • Risk based
  • Solution based, continuous improvement

Some hands-on experience to stay out of trouble

… detecting the red flags

Audit red flags

1. First login with god mode (p17)

  • First login
  • First administrator
  • has Full power
  • “God mode” (super power, can do everything)

Hacker interest

  • once captured, full control on entire cloud tenant

Solution

  • Create special admin account
  • No mail, enable MFA

2. User ID and password

  • Typically personal account
  • User ID… and just a password (a mail address)

Hacker interest

  • a user ID and password of a single account without MFA is an easy hack: the attacker only needs to guess the password
  • otherwise phishing… make you click and log in to a false page, and gain control over your account

… game over.

Solution

  • implement MFA
  • preferably use hardware tokens
  • use Passkeys (which is MFA next generation)

3. Default groups

  • Azure Groups
  • Large volume of Azure and M365 Roles

Solution

  • Avoid the use of default groups
  • Provide Task based access, granular control
  • Only use default groups when no other option left

4. Ad-hoc (eh..no) Identity Management

  • Manual management
  • No process
  • User duplication from existing users

Solution

  • Setup basic IDM (identity mgmt)
  • Setup IAM (identity and access mgmt)

5. No process management

In many cases the cloud security is set up as a technical platform with

  • Manual management
  • No process owner
  • No process
  • No idea how data flows
  • No idea on changes

Solution

  • Use basic process definitions
  • Check ISO9001

6. All-in one account

In many cases, the account used at first registration is also used for the operational administration later on… which means:

  • User account = admin account
  • Mail enabled
  • Used for office and admin tasks

Solution

  • Account separation
  • Segregation of duties
  • Separate logins for users and administrators

7. All-in one desktop

  • Login account = local admin account
  • Full access

Solution

  • Run daily operations as user
  • Run admin tasks temporarily as admin
  • Provide Admin with specific (task based) access

8. RDP remote access

Typically Azure will suggest using RDP or a Bastion host configuration to administer your Azure machines…

In a test environment you might use RDP, but by design this is a very weak protocol from a security standpoint, easy to hijack.

  • RDP to Azure
  • badly protected remote connection

Solution

  • use a Bastion host
  • use another jump host configuration
    • log in to the admin workstation with MFA
    • then administer your network from the secured admin station

9. One network

  • One network
  • Direct connections to Azure
  • No segmentation (neither in Azure nor in the physical network)

Solution

  • Implement network segmentation
    • Segment your network on functional level
    • Identify normal network flows
    • Identify anomalies (abnormal data flows)
  • Put Firewalls on every host and every network
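The “identify normal network flows, identify anomalies” step above is the part of segmentation most teams skip. The script below is an added example (not from the presentation or the slide deck): it takes a tiny, constructed flow log, maps each address onto a hypothetical functional segment (office, admin, app, db), and reports every cross-segment flow that is not in the documented allow-list. The address plan, the allow-list and the log lines are all assumptions made for the example; a real deployment would feed it NSG flow logs or firewall logs instead.

```python
"""Flag cross-segment traffic that is not a documented normal flow.

Added example, not part of the original presentation. The segments, the
allow-list and the sample flow log are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical functional segments (assumed address plan).
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "admin": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
}

# Documented normal flows: (source segment, destination segment, destination port).
NORMAL_FLOWS = {
    ("office", "app", 443),   # users reach the application front end
    ("app", "db", 1433),      # application talks to its database
    ("admin", "app", 22),     # administration only from the admin segment
    ("admin", "db", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(ip_text):
    """Return the segment name an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def classify(flow):
    """'intra-segment', 'normal' (documented) or 'anomaly' (undocumented cross-segment)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return "intra-segment"
    if (src_seg, dst_seg, flow.dport) in NORMAL_FLOWS:
        return "normal"
    return "anomaly"


def parse_flow_log(lines):
    """Parse constructed 'src,dst,dport,proto' lines; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = [field.strip() for field in line.split(",")]
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def find_anomalies(lines):
    """Return (flow, source segment, destination segment) for every anomalous flow."""
    return [
        (flow, segment_of(flow.src), segment_of(flow.dst))
        for flow in parse_flow_log(lines)
        if classify(flow) == "anomaly"
    ]


# Constructed sample log: two of the six flows should be reported.
SAMPLE_LOG = """\
# src,dst,dport,proto
10.10.5.23,10.30.0.10,443,tcp
10.30.0.10,10.40.0.5,1433,tcp
10.20.0.2,10.40.0.5,22,tcp
10.10.5.23,10.40.0.5,1433,tcp
10.10.7.9,10.30.0.10,3389,tcp
10.10.5.23,10.10.5.24,445,tcp
""".splitlines()

if __name__ == "__main__":
    for flow, src_seg, dst_seg in find_anomalies(SAMPLE_LOG):
        print(f"ANOMALY {src_seg}->{dst_seg}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run as-is it reports an office workstation talking straight to the database segment and an office workstation opening RDP to the app segment; both are exactly the “direct connections, no segmentation” situation the red flag describes, and both are invisible until the normal flows are written down.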

10. Onetime configuration

  • One configuration, fixed at the initial setup
  • But once set, never reset …
  • No review
  • No IDM cycle

Solution: check…

  • Every time on a new configuration
  • During changes
  • Check regularly (put it on your agenda)

Why not use IDM, the identity management lifecycle?
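Red flags 1, 2, 6 and 10 above are all things you can check mechanically against a directory export, which is what “check regularly” should mean in practice. The script below is an added example (not from the presentation): it runs over a constructed account export and reports privileged roles sitting on mail-enabled user accounts (all-in-one account), password-only sign-in (no MFA), and accounts whose configuration has not been reviewed within a year (onetime configuration). The field names, the role-name heuristic and the sample accounts are assumptions for the example; an Entra ID or Azure RBAC export would first have to be mapped onto these fields.

```python
"""Report identity red flags in an account export.

Added example, not part of the original presentation. The export format, the
role-name heuristic and the sample accounts are constructed for illustration.
"""
from datetime import date

# Role names containing one of these words count as privileged (assumed heuristic).
PRIVILEGED_ROLE_HINTS = ("administrator", "owner", "contributor")

# Constructed sample export: one dict per account.
SAMPLE_ACCOUNTS = [
    # Red flag 6: the first-registered user is also the global admin, with mail and no MFA.
    {"upn": "alice@example.test", "roles": ["Global Administrator"],
     "mail_enabled": True, "mfa": False, "last_review": "2022-01-15"},
    # The dedicated admin account the talk recommends: no mailbox, MFA on, reviewed.
    {"upn": "adm-alice@example.test", "roles": ["User Administrator"],
     "mail_enabled": False, "mfa": True, "last_review": "2024-01-10"},
    # An ordinary user with MFA.
    {"upn": "bob@example.test", "roles": [],
     "mail_enabled": True, "mfa": True, "last_review": "2024-02-01"},
    # A service account set up once and never looked at again.
    {"upn": "svc-backup@example.test", "roles": ["Contributor"],
     "mail_enabled": False, "mfa": False, "last_review": "2021-06-30"},
]


def is_privileged(account):
    """True when any assigned role name matches the privileged hints."""
    return any(hint in role.lower()
               for role in account["roles"]
               for hint in PRIVILEGED_ROLE_HINTS)


def find_red_flags(accounts, today, review_max_days=365):
    """Return (upn, finding) tuples for red flags 1/2 (no MFA), 6 (all-in-one) and 10 (never reviewed)."""
    findings = []
    for acc in accounts:
        upn = acc["upn"]
        privileged = is_privileged(acc)
        if privileged and acc["mail_enabled"]:
            findings.append((upn, "all-in-one account: privileged role on a mail-enabled user account"))
        if not acc["mfa"]:
            suffix = " (privileged!)" if privileged else ""
            findings.append((upn, "password-only sign-in, no MFA" + suffix))
        last_review = date.fromisoformat(acc["last_review"])
        if (today - last_review).days > review_max_days:
            findings.append((upn, f"onetime configuration: not reviewed since {last_review.isoformat()}"))
    return findings


if __name__ == "__main__":
    for upn, finding in find_red_flags(SAMPLE_ACCOUNTS, date.today()):
        print(f"{upn}: {finding}")
```

Keeping the checks as plain functions over an export, rather than clicking through the portal, is what makes the “put it on your agenda” step repeatable: the same script runs on every change and at every scheduled review, and a clean run is itself audit evidence.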

References

Microsoft

Learn Microsoft Azure audit and logging fundamentals

Azure hardening

ISO standards

  • ISO 27001: ISMS (information security management system)
  • ISO 27002: ISMS guidance
  • ISO 27017: cloud security
  • ISO 27018: PII in cloud (data protection in cloud)

Cloud security alliance

Cloud security basics (CCSK by CSA)

Feedback

Do you think this post or material needs an update, let me know!
Any suggestion for improvement deserves credits.

The work is never finished, keep improving!

AI, Cloud & Modern Workplace Conference 2024: red flags and attention points in cloud security audit (watch the security gates) (Part 1/2)

  1. Source:
    1. Event website
    2. Main page
    3. My session page
  2. Presentation published on Youtube
  3. Download my slide deck from SlideShare
    1. Powerpoint presentation
    2. Slide content
  4. Other event videos

Source:

Event website

Main page

https://aicmwc.azurewebsites.net

My session page

https://aicmwc.azurewebsites.net/Peter-GEELEN

Presentation published on Youtube

Download my slide deck from SlideShare

Powerpoint presentation

Direct link: https://www.slideshare.net/slideshows/red-flags-and-attention-points-in-cloud-security-audit-watch-the-security-gates/266338983

Slide content

Other event videos

https://www.youtube.com/@DigitalInnovativeMinds/videos

Preparing your audit audience: PowerPoint template to get them ready for an internal audit or external certification audit (incl. practical hints and tips)

  1. Credits
  2. In short
  3. Audience
  4. Typical audit issues to solve with this approach
    1. Audit Audience
    2. CISO/ISMS Consultant
    3. Auditor (internal/external)
  5. Purpose of this template
  6. Preparation to use the slide deck
  7. What’s in the presentation template?
    1. 0. Before we start
      1. 0.1 Hidden slides
      2. 0.2 Slide layout (now anonymous blank)
    2. 1. Front page
    3. 2. Manual (hidden)
    4. 3. Your team in short
    5. 4. Team in organigram (visual)
    6. 5. Team responsibility & tasks
    7. 6&7. Process Turtle (2 versions, hidden)
    8. 8. Reference documentation
    9. 9. Current tasks & projects
    10. 10. Recent changes
    11. 11. Important success stories (good news to shine)
    12. 12. KPIs (Key Performance Indicators)
    13. 13. Incidents & issues
    14. 14. Sample operational evidence of normal operations
    15. 15, 16 & 17 Some hints and tips (hidden slides)
  8. Next year
  9. Downloads
  10. Feedback

Credits

First of all I want to shout out to Nathalie Claes (find her on LinkedIn), who brought the bright idea to guide her customers with a handy presentation format. Thank you Nathalie!

I’ve been using her tactics and extended her approach since I audited one of her customers… realizing that her approach has a lot of benefits, an increased efficiency, and it makes the audits more effective in many ways.

Both during implementation with customers I coach and with customers I audit.

In short

  1. Download the auditee template from the Downloads section.
  2. Customize the template with company layout
  3. Distribute template to audited teams
  4. Prepare audit
  5. Ready, set, audit, …go!
  6. Start over again next year.

Audience

  • ISO management system implementers
  • consultants
  • internal auditors
  • external auditors
  • audit victims (auditees)

The template provided below (posted on my Github, link in Downloads section) is focussed on ISO 27001, but it’s extremely easy to convert it to other standards.
Of course, you can use it for other types of audits too… It’s up to you.

Typical audit issues to solve with this approach

Audit Audience

In many cases, it might be helpful to provide some guidance to avoid stress, certainly when it’s the first audit, or when the audience has no experience in audits.

Furthermore it’s quite important the auditee understands what information to provide to the auditor.

Some tips:

  • Prepare & check upfront.
  • No stress. Keep breathing, it’s not more than an audit.
  • The purpose of an audit is to check conformity and identify points of improvement.
  • Show you’re in control of the system.
  • It doesn’t need to be perfect; leave some room to grow, a management system is based on maturity.
  • Be transparent even if the system does not run as smooth as you wish.
  • Ask help when needed.
  • If you don’t know the answer to questions, just say so. Don’t worry.

CISO/ISMS Consultant

The ISMS project team usually knows the ISMS, but isn’t the only team to be audited… Especially when the ISMS consultant is external to the company.

The audit focuses on the operational teams under the ISMS. The ISMS project team can help, but is not leading the conversation during the audit of the various teams…

Auditor (internal/external)

As mentioned earlier, the primary role of the auditor is to check conformity against the standard and the enterprise objectives and policies
During an audit (both internal as external), the auditor is looking for evidence that 3 essential views match to each other:

  1. policies and documentation
  2. being executed by people responsible
  3. providing operational evidence & proof of operations

Purpose of this template

  • provide a quick check list to the auditees
  • getting prepared easily
  • streamline and synchronize the audit feedback
  • document the management system
  • provide audit evidence
  • make audit more efficient for both audience and auditor
  • minimize stress, be relaxed
  • make it easier next year

Preparation to use the slide deck

To use the slide deck, you’ll need some preparation:

  • organigram (company organisational overview)
  • ISMS process overview
  • links to ISMS reference documentation
  • samples of
    • recent team tasks & projects
    • recent changes (onboarding, offboarding, projects, updates, …)
    • success stories
    • KPIs (Key Performance indicators)
    • recent issues & incidents
    • operational evidence

The first time you prepare this deck, you’ll discover it takes a lot of work.

The good news, next year, it’s ready for reuse with less effort, you’ll simply need to update it (considering your ISMS is stable and hasn’t been overhauled from scratch).

What’s in the presentation template?

Sidenote: did you know you can quickly make an animated gif from a powerpoint (PPT > File > Export > Create an Animated GIF > choose options)

More info here: https://support.microsoft.com/en-au/office/make-an-animated-gif-from-a-slide-show-a598753e-92de-4f1b-8393-714db4d334b4

0. Before we start

0.1 Hidden slides

In the deck you’ll see hidden slides; these are manuals and guidance that don’t need to be presented to the auditor, but they help to prepare the audit:

  • Slide 2 is a quick manual
  • Slides 6 & 7 have a process turtle (based on the ISO 9001 process map)
  • Last 3 slides have hints and tips for the auditee team handling the presentation

If you wish, once your team’s slide deck is ready, you could consider to delete the hidden slides (but still, they might be useful for next year, to catch up again)

0.2 Slide layout (now anonymous blank)

The slide deck is designed without any theme, so you can make it more appealing with your company layout as you wish.

1. Front page

You’ve got a title and subtitle to customize.

And important, check

  • the date (which is auto set)
  • set the proper security labeling in the footer (based on your classification scheme in your ISMS.)

2. Manual (hidden)

  • Slides with no-presentation icon in upper right corner are hidden
  • You’ll find some guidance, hints and tips at the end of the presentation
  • Presentation has no graphical layout, you can add company layout to it as you wish

3. Your team in short

Briefly introduce the team being interviewed.

4. Team in organigram (visual)

Position your team in the company.
Explain

  • what’s the relation to management
  • reporting hierarchy

5. Team responsibility & tasks

Explain what the team is doing… what is on your agenda…

6&7. Process Turtle (2 versions, hidden)

As most of the ISO standards are process based, you can refer to the process flow diagram posted in ISO9001. (Source: ISO 9001:2015 Section 0.3.1)

In short, to perform any activity, you need input from certain sources (you need to document).

When performing and completing the activity, you have output (deliverables) that probably need to be handed over to receiving interested parties.
These interested parties, senders and receivers, are an essential part of your context definition (ISO 27001 clause 4) in your Management System (MS), whether it is an ISMS (27001), PIMS (27701), QMS (9001), BCMS (22301),… or other.

8. Reference documentation

While requirements of other standards slightly differ, ISO 27001 is very explicit about requirements for policies & procedures

  • ISO 27001 Clause 5.2 policy
  • ISO 27001 Clause 7.5 Documentation
  • ISO 27001 Annex 5.1 Policies for Information security
  • ISO 27001 Annex 5.37 Documented operating procedures

In this slide, you list the main policies, procedures, operational documents… that you use as a team.

9. Current tasks & projects

Describe

  • what has been on your agenda last year
  • what you’re planning next year

10. Recent changes

ISO27001 v2022, clause 6.3 (and other standards, in a similar chapter) requires changes to be handled in a planned manner.
This requirement is supported by ISO 27001 v2022 Annex 8.32 Change management. (BTW, is was ther

11. Important success stories (good news to shine)

It’s always nice for the auditee to tell what has been the greatest success last year.

12. KPIs (Key Performance Indicators)

ISO 27001 Clause 9.1 requires performance evaluation via monitoring and measurement.
Therefore the audited team needs to document relevant performance indicators as part of the management system.

In ISO 9001 all processes need KPIs in a broad sense, but for ISO 27001 the organisation needs to determine what needs to be measured for the ISMS, which is a smaller scope of operations in most cases.

13. Incidents & issues

What are the most important incidents & issues you encountered recently, and how did you handle them?
ISO 27001 has an important requirement of handling incidents (deviations), in the 2013 version covered by Annex A.16

In 2022 it has been moved to various sections (ISO 27002:2022 has a mapping table B.2, that explains the transfer)

ISO 27001:2013    ISO 27001:2022
A.16
A.16.1
A.16.1.1          A.5.24
A.16.1.2          A.6.8
A.16.1.3          A.6.8
A.16.1.4          A.5.25
A.16.1.5          A.5.26
A.16.1.6          A.5.27
A.16.1.7          A.5.28
Source: ISO27002:2022 Table B.2

The purpose here is to show how trouble is solved, not the amount of trouble, but how continuous improvement is achieved.

14. Sample operational evidence of normal operations

As mentioned earlier, during an audit there are 3 pillars to collect and verify information

  • policies and documentation
  • interviewing people responsible
  • operational documentation (evidence & proof of operations)

This slide provides the information where to find it.
What systems can be used to prove that the ISMS actually works, for example

  • HR system (showing onboarding, change and offboarding of people)
  • Access control system
  • Badge management system
  • IT systems (like Active Directory, Azure Entra formerly known as Azure AD, …)
  • Ticketing systems, …

The auditee should document recent

  • events,
  • activity,
  • incidents,
  • changes

with exact references that can be traced (also one year later, at the next audit…)

15, 16 & 17 Some hints and tips (hidden slides)

A short overview of what we covered in this article:

  • Prepare & check upfront.
  • No stress. Keep breathing.
  • Be transparent.
  • If needed, ask guidance by ISMS team, ISMS project team, CISO, …
  • If you don’t know the answer to questions, just say so. Don’t worry.
    • Don’t lie, the auditor will cross check other evidence and correlate/corroborate.
  • If audit questions are not clear, ask the auditor for clarification…

Before (external/internal) audit

  • Exercise, do a dry-run to present your audit slot
  • Prepare

During the audit

  • Make sure to have a coach available during all meetings
  • Usually ISMS project lead, ISMS specialist, CISO, …

Next year

Next year, for the next audit, you copy this year’s presentation and provide an easy update, including

  • changes and updates since last year
  • trend analysis (which you are required to document in the management review)

Downloads

You can download the template for free from my Github page: GitHub\Peter Geelen\ISO27000\Audit Support

Direct link for the ppt v2: https://github.com/PeterGeelen/ISO27001/blob/main/Audit%20Support/ISO27001%20auditee%20guidance%20v2.pptx

Always check for the latest version in the Audit support folder.
Don’t need to tell you there is more interesting and free stuff to download from my Github repositories.

Feedback

If you think this post or material needs an update, let me know!
Any suggestion for improvement deserves credits.

Outlook life hack: setup Microsoft Outlook signature roaming (redirect your local Outlook signature folder to OneDrive)

  1. Outlook settings roaming
  2. Issue: Signature roaming not included in Outlook settings roaming
  3. How to setup Outlook signature roaming
    1. Find the signature folder on system drive (user profile)
    2. Copy the signature file folder content to OneDrive
    3. Rename old local signature folder
    4. Create Signature folder junction to OneDrive folder
    5. What is a junction?
  4. Redo – In case of PC reset or another pc or outlook client
  5. Important warning for outlook data files
  6. References

Outlook settings roaming

In the new Microsoft Outlook, you can set Cloud storage options to enable roaming for Outlook settings (use the same settings across multiple devices).

Source: https://support.microsoft.com/en-us/office/outlook-roaming-options-f5ed5b9b-2df8-4c2d-aed3-d90bb14e5a59

“When you enable Outlook to store your settings in the cloud, settings for your Microsoft 365 account will automatically roam across all your devices that use Outlook for Windows.  “

BUT… something is NOT included in this settings roaming: your mail signature.

Issue: Signature roaming not included in Outlook settings roaming

Source: https://support.microsoft.com/en-us/office/outlook-roaming-options-f5ed5b9b-2df8-4c2d-aed3-d90bb14e5a59

In the section “Which Outlook options can be roamed?”, the article describes the features that are stored in cloud, in the roaming function:

(quote)

“Settings in the following areas of the Outlook Options dialog can be roamed: 

  • General
  • Mail
  • Calendar
  • Groups
  • People
  • Tasks
  • Search
  • Ease of Access
  • Advanced

Settings in the following areas of the Outlook Options dialog are not roamed: 

  • Language
  • Customize Ribbon
  • Quick Access Toolbar
  • Add-ins
  • Trust Center”

How to setup Outlook signature roaming

If you want to use the same signatures across multiple PCs or devices, there is a very simple trick to centralise your signature files.

Find the signature folder on system drive (user profile)

Source: https://support.microsoft.com/en-us/office/find-and-transfer-outlook-data-files-from-one-computer-to-another-0996ece3-57c6-49bc-977b-0d1892e2aacc

The signature folder is a local folder on your system drive, in the user folder

  • Windows 11/10    drive:\Users\<username>\AppData\Roaming\Microsoft\Signatures
  • Older versions of Windows    drive:\Documents and Settings\user\Application Data\Microsoft\Signatures

Copy the signature file folder content to OneDrive

Copy the entire “Signatures” folder to your OneDrive.

Copy the full folder path to the clipboard (or note it down in OneNote or Notepad); you need it in the next steps.

Rename old local signature folder

Rename the old Signatures folder to “Signatures.old” for example.

Create Signature folder junction to OneDrive folder

Then open a command prompt with administrative rights.
Navigate to the “Roaming\Microsoft” folder in the user profile.

Create a folder redirection, a junction, to the OneDrive folder with the following command:

mklink /J Signatures "<OneDrive folder>\Signatures"

Use double quotes if the folder path contains spaces.

From the command prompt run a “dir” command to check the folders: the Signatures folder must be marked as <JUNCTION>, mapping to the OneDrive folder path.
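The same five steps as a PowerShell script, added here as an example and not part of the original post. It assumes the OneDrive client is signed in (so $env:OneDrive is set); the target folder name “Signatures” under OneDrive is the script’s own choice.

```powershell
# Added example, not from the original post: find, copy, rename, link and verify
# the Outlook Signatures folder. Assumes $env:OneDrive is set by the OneDrive client;
# the "Signatures" folder name under OneDrive is this script's own choice.
$Local  = Join-Path $env:APPDATA 'Microsoft\Signatures'
$Target = Join-Path $env:OneDrive 'Signatures'

if (-not $env:OneDrive) { throw 'OneDrive is not configured for this user.' }
# Outlook holds signature files open, so the rename below fails while it runs.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before relocating the Signatures folder.'
}

# Step 1: find the local folder. If it is already a junction, the job is done.
$existing = Get-Item -LiteralPath $Local -ErrorAction SilentlyContinue
if ($existing -and $existing.LinkType -eq 'Junction') {
    "Already redirected: $Local -> $($existing.Target)"
    return
}

# Step 2: copy the content to OneDrive (merging with whatever is already there).
New-Item -ItemType Directory -Path $Target -Force | Out-Null
if ($existing) {
    Copy-Item -Path (Join-Path $Local '*') -Destination $Target -Recurse -Force
    # Step 3: keep the original as a fallback rather than deleting it.
    Rename-Item -LiteralPath $Local -NewName 'Signatures.old'
}

# Step 4: create the junction. Unlike a symbolic link, a junction needs no elevation.
New-Item -ItemType Junction -Path $Local -Target $Target | Out-Null

# Step 5: verify before trusting it; this is the PowerShell equivalent of looking
# for <JUNCTION> in the "dir" output.
$link = Get-Item -LiteralPath $Local
if ($link.LinkType -ne 'Junction') { throw 'Junction was not created.' }
"$($link.FullName) -> $($link.Target)"
```

Run it once per PC; on a second run it reports the existing junction and stops, so it is safe to keep in your setup scripts.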

What is a junction?

A junction is a transparent redirect, the computer thinks there is a folder, but the content is actually fetched from another location.

Redo – In case of PC reset or another pc or outlook client

As these settings are not part of the Outlook roaming, you need to apply this approach to each Outlook client or system.
If you have a secondary pc, laptop or tablet with Outlook you need to fix the signature roaming.

Redo

  • if you reset or reinstall your PC,
  • if you buy a new PC.

Important warning for outlook data files

While you can store your signature files on OneDrive, you must not store your Outlook data files (pst, ost…) on a synchronised drive. Outlook does not handle mailboxes or mail archives on a OneDrive folder well; they need to be in a local folder.

References

Find and transfer Outlook data files from one computer to another: https://support.microsoft.com/en-us/office/find-and-transfer-outlook-data-files-from-one-computer-to-another-0996ece3-57c6-49bc-977b-0d1892e2aacc

Microsoft Windows 11 quick tip: keep your screen unlocked during demo or audit.

Sometimes it comes in handy to block the screensaver or automatic screen lock to keep your screen active, for example during a demo or an audit where you take notes.

While a typical PowerPoint presentation will keep your desktop active, that is not usable during a demo or audit, for example.

When you want to leave your Windows 11 desktop open and available, there is a quick handy tip you can use.

Windows Mobility Center to the rescue.

Windows Mobility Center

Hit the Windows button or search the menu for Windows Mobility Center.

Under Presentation Settings, hit the “Turn on” button.
To stop, hit the same button again (“Turn off”).

Fix to enable Mobility center on desktop (by default not available)

Credits: https://www.thewindowsclub.com/enable-windows-mobility-center-on-desktop-computer

Important to note: Mobility Center doesn’t work (out of the box) on Windows desktop machines, it’s a laptop feature…

But you can also activate Windows Mobility Center on a desktop machine:

  • set the proper values in the registry
  • create a shortcut

In short, in the registry, check or create this key:

HKEY_CURRENT_USER\Software\Microsoft\MobilePC\AdaptableSettingsKey

  • SkipBatteryCheck (DWORD):1

Another key is needed:

HKEY_CURRENT_USER\Software\Microsoft\MobilePC\MobilityCenter

  • RunOnDesktop (DWORD):1

Next, create a shortcut to the Mobility Center executable in this folder (the Win+X / Start button right-click menu):

%LocalAppdata%\Microsoft\Windows\WinX\Group3

You’ll need to restart your system to activate the setting.
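The two registry values above, applied, checked or reverted from PowerShell instead of regedit. This is an added example, not part of the original post; the function names are its own, it touches only the user hive (no elevation needed) and leaves the shortcut step manual.

```powershell
# Added example, not from the original post: set, test or revert the two HKCU values
# that let Windows Mobility Center run on a desktop PC. Function names are this
# example's own; the shortcut in the WinX\Group3 folder is still created by hand.
$MobilePC = 'HKCU:\Software\Microsoft\MobilePC'
$Values = @{
    "$MobilePC\AdaptableSettingsKey" = 'SkipBatteryCheck'
    "$MobilePC\MobilityCenter"       = 'RunOnDesktop'
}

function Test-MobilityCenterOnDesktop {
    # True only when both DWORDs exist and are set to 1.
    foreach ($key in $Values.Keys) {
        $name = $Values[$key]
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Set-MobilityCenterOnDesktop {
    param([switch]$Revert)
    foreach ($key in $Values.Keys) {
        $name = $Values[$key]
        if ($Revert) {
            # Remove only the value we added; the parent keys may be used by Windows.
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            continue
        }
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # As the post notes, the change only takes effect after a restart.
    if (-not $Revert) { Write-Host 'Registry values set; restart Windows to activate.' }
}

Set-MobilityCenterOnDesktop
Test-MobilityCenterOnDesktop
```

Call `Set-MobilityCenterOnDesktop -Revert` to undo the change once the demo or audit is over.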

Important Security advice

Keep in mind that when you enable the presenter mode, your laptop won’t lock, so you need to manually lock the desktop or disable the presenter mode when leaving your computer behind.

Credits

https://www.thewindowsclub.com/enable-windows-mobility-center-on-desktop-computer

Note-to-self: Microsoft Outlook error when copying meeting from one agenda to another

  1. Issue
  2. Background info
  3. Solution
  4. References
  5. Automated or centrally deployed solution (like Intune)

Issue

When you try to drag or copy a meeting slot from one Outlook calendar to another (from one account to another), you get an error message stating:

“Copying meetings is not supported.”

Background info

Source: https://support.microsoft.com/en-us/office/outlook-blocks-copying-meetings-with-copying-meetings-is-not-supported-4baaa023-2199-4833-b7ac-d9f0715d50f1

Apparently: “After updating Outlook Desktop to Version 2311 and you attempt to copy a meeting, you get the following message:

Solution

Use this registry key to re-enable copying meetings:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\Calendar]

"EnableMeetingCopy"=DWORD:1

References

Automated or centrally deployed solution (like Intune)

Check here: https://tdannecy.me/fix-copying-meetings-is-not-supported-message-in-outlook

Note-to-self: Troubleshooting Microsoft Office language pack download

  1. Background
  2. Issue
  3. Error message
  4. Where you actually should go

Background

Due to issues with Windows 11, I had to reinstall/reset the system, including Office, nowadays Microsoft 365.

Issue

As I’m a Dutch-speaking Belgian, I’m working with Dutch language documents…

No, that’s not the issue.
The actual issue: Word started to throw errors on the proofing tools for the Dutch language.

Error message

“MISSING PROOFING TOOLS: Text in Dutch is not being checked. Do you want to download proofing tools and future updates?”

Then it displays a “Download” button, as shown below.

When you hit the download button, you are brought to this page (or alike).

But there is no download link on the page… or at least not for me; maybe a pop-up is blocked by my DNS blackhole, firewall or ad-blocker.

Where you actually should go

Instead of clicking the Download button to visit the Microsoft support web page, go to the File menu > Options > Language (not Proofing).

In the second part of the screen you see the authoring languages; hit the “Proofing available” option for the language you need.

Then Office starts installing the pack.

Et voilà, ready.

Note-to-self: some Microsoft default tools you need to reinstall yourself after system reset & rebuild (#Windows11)

  1. Background
    1. Quick hint
  2. Default apps missing
  3. Apps impacted (Other apps?)
  4. Other Windows client DRP hints

Background

A few weeks ago my Windows 11 laptop lost control over its keyboard due to a security update.
Pretty sure my keyboard is physically OK, I had to reset my PC; I found some time last weekend.

After reset my Windows 11 acted normal, even with recent security updates loaded.

[Personal note: still need to troubleshoot which Windows update exactly crashed my keyboard drivers beyond reparation. #FUBAR Possible corruption caused by conflict with apps installed. More on this later.]

Luckily I had a data separation policy and saved my user data on a separate drive, allowing me to reset the OS system drive. You still need to reinstall the apps, but your data is kept safe…

Quick hint

  • keep your operating system on the system drive
  • save and link all user data to a second data drive

All working fine again… for now (still need to reinstall some apps).

Default apps missing

You might notice that some default Windows apps are missing after a reset, like for example the Snipping Tool.

I thought they came with the default Windows (re)installation. Wrong.

Some of them need to be reinstalled from the Windows Store.
Like for example the famous Snipping tool : https://apps.microsoft.com/detail/9MZ95KL8MR0L?launch=true&mode=full&hl=en-us

The snipping tool is the replacement for the Windows screenshot… so pretty handy in case of troubleshooting.

Apps impacted (Other apps?)

  • Snipping tool
  • Feedback Hub

(more to come, when I find out other interesting tools are missing…)

Other Windows client DRP hints

Regularly create a Windows restore point, preferably immediately after a successful startup & login to your desktop.
Do NOT create a restore point just before a restart with hotfix updates: that restore point would have the updates installed but pending reboot, and restoring it might crash the system.
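A logon-time restore point that follows the rule above, refusing to run while a reboot is pending. This is an added example, not part of the original post; it needs an elevated Windows PowerShell 5.1 (Checkpoint-Computer is not available in PowerShell 7), and the function names and the saved script path are its own choices.

```powershell
# Added example, not from the original post: create a restore point at logon, but only
# when no reboot is pending. Run from elevated Windows PowerShell 5.1. Function names
# and the script path under ProgramData are this example's own choices.
param([switch]$Run)

function Test-PendingReboot {
    # Markers Windows Update and Component Based Servicing leave until the next restart.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($m in $markers) { if (Test-Path -LiteralPath $m) { return $true } }
    # Files queued for replacement at boot also mean the image is half-updated.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    return [bool]$sm.PendingFileRenameOperations
}

function New-LogonRestorePoint {
    if (Test-PendingReboot) {
        Write-Warning 'Reboot pending: no restore point, it would capture half-applied updates.'
        return $false
    }
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    # Windows skips a new restore point if one was made in the last 24 hours; setting
    # this frequency value (minutes) to 0 lifts the throttle so each logon gets one.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
        -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    Checkpoint-Computer -Description "Clean logon $(Get-Date -Format 'yyyy-MM-dd HH:mm')" `
        -RestorePointType MODIFY_SETTINGS
    return $true
}

function Register-LogonRestorePointTask {
    # Save this file as $scriptPath first; the task then runs it, elevated, at every logon.
    $scriptPath = Join-Path $env:ProgramData 'LogonRestorePoint.ps1'
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -Run"
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -RunLevel Highest
    Register-ScheduledTask -TaskName 'LogonRestorePoint' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

if ($Run) { New-LogonRestorePoint }
```

Dot-source the saved file once and call Register-LogonRestorePointTask; from then on the task runs the file with -Run at each logon and simply warns, without creating a checkpoint, when updates are still waiting for a restart.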

(article will be updated on the fly, when new learning comes in…)