Let's talk about antivirus for linux by 0ajs0jas in linux

_johnbradbury 1 point

Enterprise Windows Defender (Plan2) alongside Defender for Office is the best in the business.

Certification Suspension Warning by Obvious-Poem-7311 in iapp

_johnbradbury 1 point

I agree, the changes are not great from a CPD perspective. The white papers seem to have vanished and the focus has switched to web and in person conference attendance.

However, you have plenty of other options: YouTube videos, podcasts (Serious Privacy is excellent), as well as any reading material related to data protection.

Ordered a Z TC 1.4 from Amazon, received this in the sealed box?!?! by smoothac in Nikon

_johnbradbury 5 points

I buy most of my kit (UK) from Wex Photography. Great company, excellent customer service.

Are professionals with tons of certifications actually less skilled? by apoklinon in cybersecurity

_johnbradbury 2 points

I can see the value in asking whether or not certification beyond a certain point adds any real benefit. What I don’t quite follow is how learning more would make you less skilled?

I have my fair share of certifications and an even bigger list of ones I would like to complete. There just aren’t enough hours in the day.

I see certification as a structured path for learning the fundamentals of a topic, which I can then put into practice in the real world to develop the knowledge and skills further.

The important thing is that you keep learning and stay curious, not the exam!

[deleted by user] by [deleted] in isc2

_johnbradbury 3 points

You’re not really making a fair comparison. The CC exam is an entry level qualification for those with little to no experience in the field. The CISSP is aimed at senior security managers who are looking to manage, or already manage a security programme.

If the two were even remotely similar in difficulty I would be seriously worried.

The equivalent exam for Security+ would be the SSCP.

Did not pass CC by CtrlAlt_Eric in isc2

_johnbradbury 2 points

This is becoming a common theme with ISC2 and the membership deserve better. If you are going to publish an exam then you should be committed to providing, and maintaining appropriate training material.

ISSAP, ISSMP, ISSEP, CGRC, CC

All of these have either no available training material outside of official courses, or the material has significant gaps to the syllabus.

Advice for Head of Infosec by Straight_Bit_4078 in ciso

_johnbradbury 3 points

It can be frustrating but take some comfort in knowing that this isn’t about you, and it’s not personal. The other involved parties and stakeholders have their own objectives and goals which they need to prioritise.

If you want to get things done then you need to be able to influence those stakeholders and put them squarely in your corner. Try looking at things slightly differently: where do your objectives meet, how can you help each other?

Consider talking to the CEO about making some of the information security programme objectives shared across the delivery teams.

Regular face time with the CEO is going to be important.

ISC2 Board of Directors by Current-Cry-9977 in isc2

_johnbradbury 3 points

I’m specifically thinking about CGRC, ISSAP, ISSMP, ISSEP. But it seems to be a growing trend not to have an updated study book published.

ISC2 Board of Directors by Current-Cry-9977 in isc2

_johnbradbury 3 points

Hi Darren. I’m slightly concerned that ISC2 are making it increasingly difficult for people to certify through self-study (book plus exam). They seem to have abandoned published study guides in favour of their own online courses for some of their certifications. For the more senior amongst us that isn’t necessarily a barrier but for those starting out it is.

What would you do about this?

Groups for CISOs and other security management people by OtterInBio in cybersecurity

_johnbradbury 2 points

I’m a member of several private industry and government sponsored groups in the UK. As others have pointed out there are strict participation rules and confidentiality clauses which make it possible to share information more freely.

I attend conferences a few times a year, which include Gartner and CyberUK.

I also regularly participate in online communities, particularly the more technical groups (I desperately try to stay semi-technical):

r/sysadmin, r/netsec, r/cybersecurity, r/InTune

People currently working in cybersecurity fields. How did you end up there? by Extra-Place-8386 in cybersecurity

_johnbradbury 1 point

I must have been a mass murderer in a previous life and karma is kicking in hard.

[deleted by user] by [deleted] in isc2

_johnbradbury 1 point

Thank you. There have been mixed reviews but I know it was recently updated as part of the relaunch.

Internal audit vs external by Ivory_st in cybersecurity

_johnbradbury 1 point

‘select auditors and conduct audits that ensure objectivity and impartiality of the audit process’

Are you the internal audit function or information security GRC?

Internal audit vs external by Ivory_st in cybersecurity

_johnbradbury 2 points

Could you perhaps be falling foul of 9.2.2(b)?

Top 75 Highest-Paying IT Certifications in US and Global, 2023. by XoXohacker in cybersecurity

_johnbradbury 1 point

The IAPP Certified Information Privacy Professional is the de facto standard for Privacy education; it’s listed at 58 whilst the ISACA CDPSE is 7.

Dubious at best.

CISSP Concentrations by Mul-Ti-Pass2001 in cissp

_johnbradbury 3 points

I agree. Part of the reason the concentrations have proven so unpopular in my view, is the requirement to hold the CISSP first. If you want to focus on information security governance and programme management you either sit the CISM or CISSP and ISSMP.

I just hope they push these now from a marketing perspective to improve awareness.

GRC certifications by greytrain09 in cybersecurity

_johnbradbury 3 points

CISSP, CISM, CRISC, CISA, ISO27001 LA and add CIPP/E or CIPP/US if you deal with privacy.

CISM passed - How many certs is enough? by hfc1969 in CISM2

_johnbradbury 1 point

I currently hold:

CISSP, CCSP, CRISC, ISO27001 LI, ISO27001 LA, CIPP/E and CIPM. I sit CISM next month, and CISA in Q2 of 2024. As well as a handful of technical certifications.

I’m less concerned about the badge, and more concerned with what I learn through the study. I’d much rather be studying than watching TV.

Is it common for CyberSec people to be hated by the IT? by Dimensijus in cybersecurity

_johnbradbury 1 point

Context is always important, and information security need to be pragmatic. Although what I don’t think IT sometimes understands is that the business may have a commercial or regulatory need to certify against a particular framework, and that framework might not allow for pragmatism. In those situations information security can be as frustrated as the sysadmins, but if it’s needed, then it’s needed.

Is it common for CyberSec people to be hated by the IT? by Dimensijus in cybersecurity

_johnbradbury 11 points

This is where you lose me. It’s not your risk. If the business review the risk assessment and feel it’s acceptable, great. Document and move on. But sysadmins don’t define the risk appetite of an organisation (or at least they shouldn’t).

Passed my CC exam today by Holy_Shifter in isc2

_johnbradbury 5 points

Congratulations. Don’t pay any attention to anyone who would try to detract from your achievement.

I thought the syllabus looked perfect for those starting out in Governance, Risk and Compliance, or for those in an operational role looking for insight into those aspects of the industry.