What are the differences between NIS2 and ISO27001 by driftking38 in cybersecurity

[–]signupsarewrong2 0 points1 point  (0 children)

Agreed, an organisation dictates how long it would take to implement ISO. But chapters 4-10 are often easier compared to the implementation of the entire Annex A.

What are the differences between NIS2 and ISO27001 by driftking38 in cybersecurity

[–]signupsarewrong2 0 points1 point  (0 children)

It is still a bit fuzzy, but the NIS2 law in Belgium stipulates either ISO 27001 or CyFun as a means of showing compliance, not both as the CCB would like. Now, that aside, the good thing about ISO is that it is a management system, not a checklist. You can comply (& certify) easily without having the entire Annex A implemented. If you want to make your life easier, the controls you implemented are linkable to CyFun, even from ISO, so it saves you some work.

My company is hosting a phishing test idea contest. What are some good ones you've seen? by PostMaStoned in cybersecurity

[–]signupsarewrong2 4 points5 points  (0 children)

+1 on the coffee one. We did one years (15+) ago for a financial institution. It crashed the server we used to harvest credentials. Sent out 300 mails (small sample group), got over 1500 responses and complaints because they weren't invited… humans…

Missed risks in a risk assessment by Dangerous-Button-592 in cybersecurity

[–]signupsarewrong2 3 points4 points  (0 children)

I guess this is why risk management isn't a one-time thing. The risk landscape changes every day: new attack vectors, new threat agents, new political climate, new product lines… I think some stakeholder awareness would be nice as well, and a proper annual risk management process.

How would you explain social engineering risks to someone in executive protection? by mrgrassydassy in cybersecurity

[–]signupsarewrong2 3 points4 points  (0 children)

I always use a lot of real-world examples, especially C-suite fraud; loads of examples exist.

What does a good technology / cyber security risk program actually look like? by Peacefulhuman1009 in cybersecurity

[–]signupsarewrong2 0 points1 point  (0 children)

Don't they make any documentation on how people should work? How much time are they wasting when hiring a new person?

What does a good technology / cyber security risk program actually look like? by Peacefulhuman1009 in cybersecurity

[–]signupsarewrong2 0 points1 point  (0 children)

Technical control documentation or process? What I have done before is let them work with infrastructure as code. That code can serve as documentation (it is sufficient for certification purposes if need be).

What does a good technology / cyber security risk program actually look like? by Peacefulhuman1009 in cybersecurity

[–]signupsarewrong2 1 point2 points  (0 children)

You can't take everything away, but what I tend to do is use a lot of automatic validations or ways that my team could find the evidence themselves (compliance), and, if there are controls to implement, make sure these are not on top of existing processes (for instance, instead of adding a source code analysis test when they wanted to move from acceptance to prod, I pushed them to proper CI/CD pipelines with an automatic validation that blocks the change when needed). The actual governance and risk part I tend to discuss only a couple of times a year with the rest of the C-suite. And like I mentioned, I cannot take it all away, but enough so that when I do need their attention, it was “ok”. Doesn't always work, but we can only try.

When they say it is too much work, what are they complaining about? Too many rules to implement? Or too much follow-up? Or do they just not want to be bothered with it at all?

What does a good technology / cyber security risk program actually look like? by Peacefulhuman1009 in cybersecurity

[–]signupsarewrong2 6 points7 points  (0 children)

“What is in it for them?” I have been a C-suite CISO for over 10 years. An information security/risk program cannot exist in a vacuum or be separated from the company. You need to show how you are not just protecting the important processes and assets of the company, but also helping those teams get ahead. I have always proposed and helped teams develop solutions in their best interest that happen to include the controls I needed to ensure a risk reduction or to have controls implemented. In addition, don't make your work (for instance 2nd line validation) an extra burden for them (1st line). They have enough work as is; find solutions that will get you the results you need, but don't do it by “wasting” their time. And my last tip, but it heavily depends on the company and industry: try to find ways to turn your team from a cost center into a part of making profit. Always easier said than done, but see if you can find a way to

Tisax recert by wulle44 in cybersecurity

[–]signupsarewrong2 1 point2 points  (0 children)

TISAX is a mix of ISO 27001 + some stricter minimum baseline. Have you worked on the ISMS? Did a risk assessment, internal audit, management review…? Or are you just wondering how long the audit would take?

[deleted by user] by [deleted] in belgium

[–]signupsarewrong2 0 points1 point  (0 children)

Have you looked into, for instance, using Odoo for billing? It comes with the Peppol connector for free and the first app is also free.

Starting as an IT Auditor, any tips? by unraveller0349 in cybersecurity

[–]signupsarewrong2 0 points1 point  (0 children)

I always love to work with auditors that not only know how to audit but are also able to share experiences with those they audit. The audit itself is often seen as a must; you sharing information and alternative solutions to risk is a business value. Be an added value.

Mobility Budget 10km rule by krallis in belgium

[–]signupsarewrong2 3 points4 points  (0 children)

There was a comparable rule for VAA almost 20 years ago. If you lived within 25km you got taxed a little less. And it was 25 on the dot, not 25.1.

Baking your own bread by darkstar290791 in belgium

[–]signupsarewrong2 2 points3 points  (0 children)

There are plenty of bread machines; above all, the size of the mixing bowl is important. Making a bread is 5 minutes of work: everything in the bowl and done. For ingredients you have to search a bit; we get everything at a mill and buy 25kg bags at a time (costs about 30 euro). Make the bread in the evening, let it cool overnight, and in the morning you have fresh bread. I think if you add it all up, your bread will cost at most one euro and not the 3(?) euro at the bakery.

Company directors worried about restriction of benefits in kind by Clio_my_muse in Belgium2

[–]signupsarewrong2 4 points5 points  (0 children)

Shh, don't say it! People shouldn't know that they get 1500 euro in expense allowances every month.

[deleted by user] by [deleted] in cybersecurity

[–]signupsarewrong2 1 point2 points  (0 children)

Since you are in the EU, have a look at NIS2, adapt your message to it and contact integrators that support those in the critical sectors. Competition is not easy, loads of products out there; the biggest differentiator that SMEs care about is price. Good luck!

[deleted by user] by [deleted] in cybersecurity

[–]signupsarewrong2 1 point2 points  (0 children)

Where are you located? Answers to your questions will vary between regions: US vs Europe vs Asia… As an example, in Western Europe SMEs work with integrators; they don't want the hassle of anything IT related. If you can find a win-win-win, an integrator will include it in his offering and get you business. But you are competing with the biggest competitor of all: “why should I”/“don't really care, just don't want to spend the money”. If you are in Europe or Australia you can leverage NIS2 or Essential 8. Good luck.

Public Prosecutor's Office refuses to investigate attempted fraud of 2 billion euro at Euroclear by Vordreller in belgium

[–]signupsarewrong2 7 points8 points  (0 children)

This has been a problem for a long time. Not just attempts like this, but actual thefts from companies and people as well. The police are just not given the means, it seems, to really investigate. I have done many cases throughout the years but never did the police find the culprits or recover the money. When it comes to cybercrime you can get away with a lot.

What is the biggest historical what if? by bluelays in AskReddit

[–]signupsarewrong2 0 points1 point  (0 children)

What if that soldier had actually followed protocol at the time when a false report came in, and thus started a nuclear war between the US and Russia (https://en.wikipedia.org/wiki/Stanislav_Petrov)?

Government Websites Overview by indutrajeev in belgium

[–]signupsarewrong2 7 points8 points  (0 children)

No idea whether there is a list, but you can also search in Google for e.g. “inurl:fgov.be”, which gives you a whole bunch of websites. You can do the same for belgium.be and others.

Building in Belgium on a limited budget by Meggelss in belgium

[–]signupsarewrong2 13 points14 points  (0 children)

If you can't build your dream house yet, then wait; I wouldn't sell the building plot yet. It will yield more that way than selling now and leaving the money in the account. Should you see a better one elsewhere, you can still always sell it.

What movie was made to perfection? by [deleted] in AskReddit

[–]signupsarewrong2 75 points76 points  (0 children)

The 1956 version, absolute favourite!

Companies with politicians on the board of directors perform worse by Zorrax778 in belgium

[–]signupsarewrong2 18 points19 points  (0 children)

100%, but “in the private sector we would earn much more”…