https://certi360.com/ Cybersecurity, ISO 27001 and Bill 25 insights for Quebec SMBs en-CA Thu, 02 Jul 2026 00:00:00 GMT https://certi360.com/en/personal-information-inventory-what-exactly-should-you-list/ https://certi360.com/en/personal-information-inventory-what-exactly-should-you-list/ Thu, 02 Jul 2026 00:00:00 GMT The question comes up in almost every Bill 25 compliance engagement I take on. https://certi360.com/en/which-claude-model-to-choose-and-at-what-effort-level/ https://certi360.com/en/which-claude-model-to-choose-and-at-what-effort-level/ Sat, 27 Jun 2026 00:00:00 GMT Since I've been using Claude, I always wonder which model to choose and what effort level to give it: medium, high, or xhigh? Here's what I've found. https://certi360.com/en/iso-iec-27043-the-backbone-of-digital-investigations/ https://certi360.com/en/iso-iec-27043-the-backbone-of-digital-investigations/ Wed, 24 Jun 2026 00:00:00 GMT Here is a scenario I have seen play out several times. A security incident occurs in an organization. The internal team (or an external consultant) starts digging through systems: someone collects event logs, another takes screenshots, a third tries to reconstruct the sequence of events. https://certi360.com/en/iso-iec-ts-170122024-official-guide-for-remote-audits/ https://certi360.com/en/iso-iec-ts-170122024-official-guide-for-remote-audits/ Sun, 21 Jun 2026 00:00:00 GMT If you have received or conducted an audit by videoconference, this standard concerns you directly. ISO/IEC TS 17012:2024 is the first international technical specification devoted exclusively to remote audit methods in management systems. Published July 2024; ISO 19011:2026 refers to it. https://certi360.com/en/the-exposure-window-has-become-a-catastrophe-window/ https://certi360.com/en/the-exposure-window-has-become-a-catastrophe-window/ Wed, 10 Jun 2026 00:00:00 GMT Anthropic has just published the first Project Glasswing data, and if you work in cybersecurity or compliance, here's what it means concretely for your organization. https://certi360.com/en/what-increases-and-decreases-trust-in-soc-2-and-iso-27001/ https://certi360.com/en/what-increases-and-decreases-trust-in-soc-2-and-iso-27001/ Wed, 10 Jun 2026 00:00:00 GMT Trust in a world where abuse seems to reign. Four years ago, I wrote an article on how to trust an auditor's report. I asked: how do you assess an auditor's independence, competence, and rigour? The problem was already real. In 2026, it has become industrialized. https://certi360.com/en/ai-in-the-soc-why-90-percent-of-teams-get-no-real-value/ https://certi360.com/en/ai-in-the-soc-why-90-percent-of-teams-get-no-real-value/ Fri, 05 Jun 2026 00:00:00 GMT I came across a Hacker News article this week referencing the SOC-CMM 2026 Maturity Report, an annual study of about 200 SOCs worldwide. The number that stopped me: only 10% of SOCs report excellent value from their AI deployments. https://certi360.com/en/iso-42001-your-smb-only-uses-chatgpt-non-applicable-controls/ https://certi360.com/en/iso-42001-your-smb-only-uses-chatgpt-non-applicable-controls/ Fri, 05 Jun 2026 00:00:00 GMT I continue in the same vein as my article on ISO 27001 controls that do not apply to organizations without software development. Today I tackle the AI version. ISO/IEC 42001:2023, published in December 2023, governs artificial intelligence management systems. https://certi360.com/en/trust-in-a-world-where-abuse-seems-to-reign/ https://certi360.com/en/trust-in-a-world-where-abuse-seems-to-reign/ Fri, 05 Jun 2026 00:00:00 GMT Four years ago, I wrote an article on how to trust an auditor's report. I asked: how do you assess the auditor's independence, competence, and rigour? The problem was already real. In 2026, it has been industrialized. https://certi360.com/en/the-basement-hacker-never-sleeps/ https://certi360.com/en/the-basement-hacker-never-sleeps/ Mon, 01 Jun 2026 00:00:00 GMT Bruce Schneier recommends reading Melissa Hathaway's analysis in the Cyber Defense Review on his blog. https://certi360.com/en/your-vendors-are-a-target-iso-27001-planned-for-it/ https://certi360.com/en/your-vendors-are-a-target-iso-27001-planned-for-it/ Thu, 28 May 2026 00:00:00 GMT You think your systems are well protected. Firewall in place, antivirus up to date, password policies respected. And yet, an attacker gets into your network… through your accounting software vendor. https://certi360.com/en/bill-25-project-understand-your-website-compliance-free/ https://certi360.com/en/bill-25-project-understand-your-website-compliance-free/ Wed, 27 May 2026 00:00:00 GMT I decided to take on this project to get back into programmer mode during the holiday break. Coding for real — meaning without eating, sleeping, knowing what day it is, or taking a shower! I have a lot of admiration for those who do it for a living. Here is the result: loi25.certi360.com. https://certi360.com/en/iso-190112026-what-changes/ https://certi360.com/en/iso-190112026-what-changes/ Wed, 27 May 2026 00:00:00 GMT ISO 19011 was published in May 2026. If you read my article on the 2018 version, here I cover the new edition. The structure remains the same: audit principles, audit programme, conduct, auditor competence. What changes is the content within those chapters. https://certi360.com/en/how-to-tell-if-an-email-link-is-safe-to-click/ https://certi360.com/en/how-to-tell-if-an-email-link-is-safe-to-click/ Mon, 25 May 2026 00:00:00 GMT We all receive emails with links. Sometimes we are certain they are legitimate based on past trust; other times we hesitate. That hesitation is healthy, because malicious links are today the primary entry point for attacks. Here is how to verify a link before clicking. https://certi360.com/en/95-percent-of-ai-projects-fail-measure-the-value-added/ https://certi360.com/en/95-percent-of-ai-projects-fail-measure-the-value-added/ Tue, 19 May 2026 00:00:00 GMT I came across this Fortune article published in August 2025, which reports the results of an MIT study titled GenAI Divide: State of AI in Business 2025. The statistic struck me. https://certi360.com/en/ai-agents-and-prompt-injection-can-a-simple-email-steal-your-data/ https://certi360.com/en/ai-agents-and-prompt-injection-can-a-simple-email-steal-your-data/ Tue, 19 May 2026 00:00:00 GMT I'll give you the answer right away: yes. https://certi360.com/en/fear-and-trust-in-ai-people-only-see-the-chat/ https://certi360.com/en/fear-and-trust-in-ai-people-only-see-the-chat/ Tue, 19 May 2026 00:00:00 GMT When artificial intelligence comes up in an executive meeting, the image most people form in their minds is ChatGPT. A chat window, a question, an answer. https://certi360.com/en/silent-sms-type-0-your-phone-responds-to-someone-you-never-see/ https://certi360.com/en/silent-sms-type-0-your-phone-responds-to-someone-you-never-see/ Tue, 12 May 2026 00:00:00 GMT A Type 0 SMS arrives on your phone. You hear nothing. Nothing displays. Yet your phone received the message and automatically responded — without notifying you or asking permission. https://certi360.com/en/privacy-even-wounded-it-is-worth-fighting-for/ https://certi360.com/en/privacy-even-wounded-it-is-worth-fighting-for/ Wed, 22 Apr 2026 00:00:00 GMT I've worked in cybersecurity for years. I know what ends up on the dark web. Your name, email, password, phone number, maybe your Social Insurance Number. Breaches pile up: LinkedIn, Desjardins, Facebook, Equifax. At some point, you think: what's the point? https://certi360.com/en/iso-iec-27701-do-you-really-manage-clients-personal-information/ https://certi360.com/en/iso-iec-27701-do-you-really-manage-clients-personal-information/ Wed, 15 Apr 2026 00:00:00 GMT A client recently asked me whether their ISO 27001 certification was enough to meet Bill 25 requirements. My short answer: no. ISO 27001 protects information. ISO/IEC 27701 protects personal information. If your organization handles personal information, this standard concerns you. https://certi360.com/en/can-you-pass-iso-27001-with-templates-or-ai/ https://certi360.com/en/can-you-pass-iso-27001-with-templates-or-ai/ Wed, 08 Apr 2026 00:00:00 GMT A client called me a few months ago. He'd bought an ISO 27001 template pack online. Proud of himself. Six months of work filling in documents. I ended up at his office for the preparatory internal audit. https://certi360.com/en/iso-19011-the-standard-to-rule-them-all-in-compliance/ https://certi360.com/en/iso-19011-the-standard-to-rule-them-all-in-compliance/ Mon, 06 Apr 2026 00:00:00 GMT I cannot resist quoting one of my favourite books and films, but in this case the reference is not gratuitous. A standard to rule them all is exactly what ISO 19011 is. If you have ever received a compliance audit report — ISO 27001, ISO 9001, ISO 22301 — that report followed a precise logic. https://certi360.com/en/why-vibe-coding-is-so-polarizing/ https://certi360.com/en/why-vibe-coding-is-so-polarizing/ Fri, 20 Mar 2026 00:00:00 GMT Lately we've been seeing a new expression: vibe coding. https://certi360.com/en/version-1-21-improved-cookie-analysis/ https://certi360.com/en/version-1-21-improved-cookie-analysis/ Sat, 07 Feb 2026 00:00:00 GMT Today I present improvements to the tool at https://loi25.certi360.com. Each test checks one aspect of the site's behaviour regarding cookies and consent. 1. CONSENT COMPLIANCE 2. COOKIE SECURITY 3. RETENTION PERIODS 4. DARK PATTERNS IN THE BANNER https://certi360.com/en/opinion-compliance-platforms/ https://certi360.com/en/opinion-compliance-platforms/ Wed, 04 Feb 2026 00:00:00 GMT Today I'd like to share my opinion on compliance tools and platforms. https://certi360.com/en/does-my-site-really-need-a-consent-banner/ https://certi360.com/en/does-my-site-really-need-a-consent-banner/ Tue, 20 Jan 2026 00:00:00 GMT It's a question that comes up often. https://certi360.com/en/understanding-tls-ssl-testing-on-loi25-certi360-com/ https://certi360.com/en/understanding-tls-ssl-testing-on-loi25-certi360-com/ Mon, 29 Dec 2025 00:00:00 GMT In the context of Quebec’s Act 25 on the protection of personal information, the security of communications between a website and its visitors is a basic protection measure. When an organization collects or transmits personal information via its Web site, it must ensure that these exchanges are prot https://certi360.com/en/84-audit-questions-to-evaluate-a-business-continuity-plan/ https://certi360.com/en/84-audit-questions-to-evaluate-a-business-continuity-plan/ Thu, 23 Oct 2025 00:00:00 GMT A good Business Continuity Plan (BCP) should not gather dust in the IT department's office. https://certi360.com/en/new-iso-iec-27701-2025-standard/ https://certi360.com/en/new-iso-iec-27701-2025-standard/ Wed, 15 Oct 2025 00:00:00 GMT It's done — the ISO/IEC 27701:2025 standard has finally been published. https://certi360.com/en/iso27001-no-software-development-here-is-the-list-of-non-applicable-controls/ https://certi360.com/en/iso27001-no-software-development-here-is-the-list-of-non-applicable-controls/ Mon, 15 Sep 2025 00:00:00 GMT After my latest ISO 27001 audits, I see the same mistake. Companies that declare applicable controls that have nothing to do with their reality. They complicate their lives, waste time and spend money unnecessarily. Software dev – Photo by Ajay Gorecha on Unsplash In the worst case, a financial serv https://certi360.com/en/difference-between-owasp-top10-and-asvs/ https://certi360.com/en/difference-between-owasp-top10-and-asvs/ Wed, 10 Sep 2025 00:00:00 GMT First of all, it’s important to know that Le Top 10 is an awareness document that explains the main application risks, making it perfect for education, rapid self-assessment and “quick wins”. On the other hand,ASVS is a comprehensive requirements framework for systematically building, testing and va https://certi360.com/en/owasp-asvs-what-is-it/ https://certi360.com/en/owasp-asvs-what-is-it/ Fri, 05 Sep 2025 00:00:00 GMT Even a simple website often relies on complex platforms, such as CMS (content management systems) or APIs. Safety must no longer be an afterthought. It’s a basic requirement. The OWASP ASVS, Application Security Verification Standard, is a set of requirements for designing, developing, testing and c https://certi360.com/en/introduction-iso-9001-quality-management/ https://certi360.com/en/introduction-iso-9001-quality-management/ Wed, 03 Sep 2025 00:00:00 GMT It is a quality management standard that structures the way an organization operates, documents its processes and demonstrates compliance. ISO 9001 is not just for manufacturers who want to produce defect-free equipment. Usually, the standard is requested by a customer who wants to be sure of the st https://certi360.com/en/iso-iec-270182025-new-version-for-cloud-processors/ https://certi360.com/en/iso-iec-270182025-new-version-for-cloud-processors/ Fri, 29 Aug 2025 00:00:00 GMT I’ve already talked about the ICI standard – March 2022 article: https://medium.com/@btk667/iso27018-concernant-la-protection-des-renseignements-personnels-des-processeurs-infonuagique-261378d7ddef ISO announced on August 25, 2025, the update of the ISO/IEC 27018 standard. I’d like to tell you what’ https://certi360.com/en/which-iso27001-controls-apply-under-quebec-bill-25/ https://certi360.com/en/which-iso27001-controls-apply-under-quebec-bill-25/ Sun, 03 Aug 2025 00:00:00 GMT For those who have implemented ISO 27001:2022, you must create a file called a Statement of Applicability based on the Annex A controls. There are 93 of them. You must also explain why certain controls apply to your organization. https://certi360.com/en/which-iso27001-standards-are-applicable-in-accordance-with-quebecs-act-25-on/ https://certi360.com/en/which-iso27001-standards-are-applicable-in-accordance-with-quebecs-act-25-on/ Sun, 03 Aug 2025 00:00:00 GMT Those who have implemented ISO27001:2022 must create a file called a “declaration of applicability” based on the controls in Annex A. There are 93 of them.We also need to explain why certain controls are applicable to our organization. The easy way is if there is a legal requirement, contractual req https://certi360.com/en/iso270312025-new-version-for-it-continuity/ https://certi360.com/en/iso270312025-new-version-for-it-continuity/ Fri, 25 Jul 2025 00:00:00 GMT When it comes to business continuity in cybersecurity, most SMEs immediately think of backups or a redundant cloud server. Yet this is only the tip of the iceberg. The ISO/IEC 27031 standard has been in existence for over 10 years, providing a framework for the continuity of information and communic https://certi360.com/en/correcting-without-looking-for-the-cause-is-wrong/ https://certi360.com/en/correcting-without-looking-for-the-cause-is-wrong/ Wed, 23 Jul 2025 00:00:00 GMT A Root Cause Analysis (RCA) is a structured approach to identifying the root causes of an incident or non-conformance in an exhaustive and precise manner. I came across this image a few months ago during an internet search for a client and I’ve kept it ever since because I find it so simple, so I’d https://certi360.com/en/iso-223012019-focuses-on-business-continuity/ https://certi360.com/en/iso-223012019-focuses-on-business-continuity/ Thu, 03 Jul 2025 00:00:00 GMT ISO 22301:2019 is entitled “Security and resilience – Business continuity management systems – Requirements”. It is the international benchmark for implementing a continuity management system. It guides organizations in the planning, implementation and continuous improvement of processes designed to https://certi360.com/en/physical-intrusion-testing/ https://certi360.com/en/physical-intrusion-testing/ Wed, 25 Jun 2025 00:00:00 GMT My former company, Gardien Virtuel, used to do this type of testing, and I had so much fun carrying out these mandates, because with each project, there are extraordinary stories, anecdotes that make us understand just how vulnerable employees can be! Locked door – Photo by Sheldon Kennedy on Unspla https://certi360.com/en/information-security-vs-cybersecurity/ https://certi360.com/en/information-security-vs-cybersecurity/ Sat, 21 Jun 2025 00:00:00 GMT Over the past few days, I’ve seen a lot of comments on LinkedIn around words like “cybersecurity”, “information security” and “cyberattack”. In the media, it seems that every time a computer is involved, there’s always talk of a “cyber attack”, even when it’s a minor incident or not linked to a secu https://certi360.com/en/opinion-on-open-source-software-stop-financing-our-technological-dependence/ https://certi360.com/en/opinion-on-open-source-software-stop-financing-our-technological-dependence/ Mon, 26 May 2025 00:00:00 GMT Every year, millions of our tax dollars are sent directly to US multinationals for software licenses. This does not create jobs here, nor expertise or a basis for building other solutions. The only statistic I found was that in “2012, the Quebec government spent $1.4 billion renewing proprietary lic https://certi360.com/en/consent-standards-iso-27560-and-iso-29184/ https://certi360.com/en/consent-standards-iso-27560-and-iso-29184/ Fri, 23 May 2025 00:00:00 GMT Today I’d like to talk to you about the families of the ISO standard with a concrete example. I’ve just discovered that the ISO 27560 standard is free – take the opportunity to download it and let’s talk about these standards. ISO/IEC 27560 and ISO/IEC 29184 both deal with data protection consent, b https://certi360.com/en/iso-27001-audits-differences-between-stage-1-and-stage-2/ https://certi360.com/en/iso-27001-audits-differences-between-stage-1-and-stage-2/ Fri, 18 Apr 2025 00:00:00 GMT Achieving ISO 27001 certification is an important and stressful process for organizations wishing to demonstrate their commitment to information security. The certification process towards ISO27001 comprises two key stages: stage 1 and stage 2 audits. dual – Photo by Possessed Photography on Unsplas https://certi360.com/en/understand-the-role-of-iso-certification-and-accreditation-bodies/ https://certi360.com/en/understand-the-role-of-iso-certification-and-accreditation-bodies/ Wed, 09 Apr 2025 00:00:00 GMT Getting started with the International Organization for Standardization (ISO) It all began with ISO (International Organization for Standardization), an international non-governmental organization founded in 1947. ISO develops and publishes “voluntary” international standards in a wide range of fiel https://certi360.com/en/iso27001-defining-the-scope-of-the-security-program/ https://certi360.com/en/iso27001-defining-the-scope-of-the-security-program/ Fri, 04 Apr 2025 00:00:00 GMT ISO/IEC 27001:2022 describes the requirements for implementing an Information Security Management System (ISMS). One of the crucial steps in this process is the creation of a precise and clear definition the scope of ISMS. I’ve already talked about this subject here. Today, I’d like to focus on writ https://certi360.com/en/iso-27001-a-5-31-legal-regulatory-and-contractual-requirements/ https://certi360.com/en/iso-27001-a-5-31-legal-regulatory-and-contractual-requirements/ Thu, 27 Mar 2025 00:00:00 GMT When we think of information security, we often think of encryption, firewalls or access management. Yet one of the pitfalls of small business is ignoring legal, regulatory and contractual obligations. Law – Photo by Mikhail Pavstyuk on Unsplash Ignoring them can have costly consequences. For exampl https://certi360.com/en/your-privacy-policy-template/ https://certi360.com/en/your-privacy-policy-template/ Tue, 18 Mar 2025 00:00:00 GMT This sample privacy policy is the basis on which I develop privacy policies for my clients’ websites. Although it serves as a starting point, it must be adapted to the specific characteristics of each organization, taking into account its size, needs and sector of activity. It is also strongly recom https://certi360.com/en/iso27001-a8-29-with-ci-cd-pipeline-continuous-integration-and-continuous-deployment/ https://certi360.com/en/iso27001-a8-29-with-ci-cd-pipeline-continuous-integration-and-continuous-deployment/ Tue, 11 Mar 2025 00:00:00 GMT The security measure in Annex A8.29 of ISO 27001:2022 is entitled “Security testing in development and acceptance”. Organizations must define and implement security testing processes throughout the development lifecycle.. The aim is to identify and correct vulnerabilities before systems or applicati https://certi360.com/en/iso27001-a8-28-dast-and-sast-security-and-development-tools/ https://certi360.com/en/iso27001-a8-28-dast-and-sast-security-and-development-tools/ Thu, 06 Mar 2025 00:00:00 GMT As part of my work on the implementation of ISO27001:2022, I have had to deal with issues relating to application development and testing, mainly for the security measure in Annex 8.28. Accept – Photo by Clay Banks on Unsplash Note that the development is covered by the following measures: 8.25– Sec https://certi360.com/en/what-is-the-role-of-an-information-asset-manager/ https://certi360.com/en/what-is-the-role-of-an-information-asset-manager/ Mon, 17 Feb 2025 00:00:00 GMT The importance of IT security and the growing value of data in the business world have led to the creation of specific roles to manage and protect the organization’s information assets. Among these roles, I’d like to mention here that of the information assets manager. In the course of my work I oft https://certi360.com/en/event-logs-bill-25-and-privacy-explained/ https://certi360.com/en/event-logs-bill-25-and-privacy-explained/ Wed, 05 Feb 2025 00:00:00 GMT The management of event logs is an essential aspect of the protection of personal information, particularly in the context of Quebec’s Bill 25. These logs contain IP addresses, which are personal information. Server farm – Photo by Massimo Botturi on Unsplash In the event of negligent use of activit https://certi360.com/en/cookies-bill-25-and-privacy-explained/ https://certi360.com/en/cookies-bill-25-and-privacy-explained/ Sat, 01 Feb 2025 00:00:00 GMT Lately, I’ve been working on a number of mandates that, to my great delight, include the management of personal information, especially since the adoption of Bill 25. The new law on personal information is motivating companies to take matters into their own hands. One of the issues at stake is the m https://certi360.com/en/20-myths-about-pci-dss/ https://certi360.com/en/20-myths-about-pci-dss/ Mon, 27 Jan 2025 00:00:00 GMT PCI-DSS (Payment Card Industry Data Security Standard) certification is a set of security standards designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Credit Card – Photo by Mark OFlynn on Unsplash I’ve already told you about https://certi360.com/en/how-long-can-i-keep-my-system-event-logs/ https://certi360.com/en/how-long-can-i-keep-my-system-event-logs/ Wed, 22 Jan 2025 00:00:00 GMT What is an event log? An event log, also known as an audit trail or log, is a record that documents actions taken by computer systems, applications and users. These logs are essential for IT security, troubleshooting, regulatory compliance and business monitoring. Archives – Photo by Galen Crout on https://certi360.com/en/information-security-training-investment-or-false-hope/ https://certi360.com/en/information-security-training-investment-or-false-hope/ Fri, 10 Jan 2025 00:00:00 GMT Imagine an e-commerce company with annual sales of $20 million having its operations interrupted for 72 hours by a phishing e-mail. Training – Photo by Gastro Editorial on Unsplash An employee unwittingly clicked on a malicious link, giving access to sensitive data and resulting in a loss of $2 mill https://certi360.com/en/iso-27001-clause-10-2-non-conformity-management-procedure/ https://certi360.com/en/iso-27001-clause-10-2-non-conformity-management-procedure/ Sat, 04 Jan 2025 00:00:00 GMT Even the best-designed safety programs run into discrepancies. What to do in these situations? Photo by Etienne Girardet on Unsplash What does clause 10.2 actually require? Clause 10.2 of ISO 27001:2022 requires organizations to develop and maintain a process for dealing with non-conformances to the https://certi360.com/en/iso-27001-clause-10-1-continuous-improvement/ https://certi360.com/en/iso-27001-clause-10-1-continuous-improvement/ Sun, 29 Dec 2024 00:00:00 GMT As in other fields, in the world of information security, standing still is tantamount to going backwards! The aim of clause 10.1 of ISO 27001:2022 is to continue our race, our perpetual marathon, except that we’re not running to win a medal, but to preserve the security of our information. Clause 1 https://certi360.com/en/my-10-best-reads-of-2024/ https://certi360.com/en/my-10-best-reads-of-2024/ Sat, 21 Dec 2024 00:00:00 GMT This year, I’ve been lucky enough to read quite a few books that have made an impression on me. I present to you my top 10 reads of 2024, with a few bonuses because, frankly, I couldn’t stop at 10! Books – Photo by Sebastien LE DEROUT on Unsplash 1. “New Cold Wars” by David […] https://certi360.com/en/iso-27001-clause-9-3-management-review/ https://certi360.com/en/iso-27001-clause-9-3-management-review/ Fri, 20 Dec 2024 00:00:00 GMT Clause 9.3 of ISO 27001:2022 explains how to carry out a management review, which is an important step in ensuring that the Information Security Management System (ISMS) is working properly, and in the continuous improvement of the security program. Management meeting -Photo by Campaign Creators on https://certi360.com/en/how-do-i-become-an-iso27001-external-auditor/ https://certi360.com/en/how-do-i-become-an-iso27001-external-auditor/ Mon, 09 Dec 2024 00:00:00 GMT ISO 27001 is an international standard that sets out the requirements for an information security management system (ISMS). So to become an ISO 27001 external auditor, there are several steps to follow in order to be recognized by a certification body. Photo by Agence Olloweb on Unsplash Training an https://certi360.com/en/iso27001-clause-9-2-internal-audit-ensuring-conformity/ https://certi360.com/en/iso27001-clause-9-2-internal-audit-ensuring-conformity/ Fri, 06 Dec 2024 00:00:00 GMT Clause 9.2 of ISO 27001:2022 requires organizations to carry out regular internal audits of their information security management system (ISMS). Doing your taxes – Photo by Dimitri Karastelev on Unsplash These audits are essential to validate that the safety program is effective, identify weaknesses https://certi360.com/en/iso27001-clause-9-1-monitoring-our-dashboard/ https://certi360.com/en/iso27001-clause-9-1-monitoring-our-dashboard/ Thu, 05 Dec 2024 00:00:00 GMT Clause 9.1 of ISO27001:2022 requires organizations to carry out practical monitoring of their information security management system (ISMS). In concrete terms, we defined the security objectives of our security program when we implemented Clause 6.2. Now we need to monitor them. Obtain performance i https://certi360.com/en/ladies-what-to-do-before-meeting-a-suitor/ https://certi360.com/en/ladies-what-to-do-before-meeting-a-suitor/ Tue, 16 Jul 2024 00:00:00 GMT It’s a Friday night, you’re chatting on a dating site and your suitor would like to meet you. What research should you do before meeting him? Dating – Photo by Priscilla Du Preez on Unsplash Meeting someone new is exciting, but it’s important to take a few precautions before embarking on a new encou https://certi360.com/en/testing-my-business-continuity-strategies-what-does-it-mean/ https://certi360.com/en/testing-my-business-continuity-strategies-what-does-it-mean/ Fri, 03 May 2024 00:00:00 GMT How do you know that the team has mastered the business continuity or incident management plan? Where the team knows how to react in the event of an incident. It’s easy! Let’s do a test. Practice – Photo by Niklas Tidbury on Unsplash Several types of test There are several types of test, each with [ https://certi360.com/en/dad-my-friend-had-his-cell-phone-stolen/ https://certi360.com/en/dad-my-friend-had-his-cell-phone-stolen/ Tue, 26 Mar 2024 00:00:00 GMT Oh no! What bad news, to realize that your phone has been stolen. It’s so frustrating and worrying, especially at your age, knowing that your phone is an extension of your social life. I know I’m being a wet blanket, but before I do anything after flight, you have to prepare before! Cellphone – Phot https://certi360.com/en/iso27001-clause-8-3-dealing-with-risks/ https://certi360.com/en/iso27001-clause-8-3-dealing-with-risks/ Wed, 20 Mar 2024 00:00:00 GMT Clause 8.3 of ISO 27001:2022 is crucial because it addresses how organizations should respond to the information security risks identified in the risk assessment (in clause 8.2). The clause stresses the importance of dealing with these risks effectively and consistently with the risk treatment metho https://certi360.com/en/as-a-ciso-or-ciso-why-am-i-not-on-the-management-committee/ https://certi360.com/en/as-a-ciso-or-ciso-why-am-i-not-on-the-management-committee/ Tue, 12 Mar 2024 00:00:00 GMT The role of a Chief Information Security Officer (CISO) or the Information Systems Security Manager (ISSM) is a very important role for any organization, especially in today’s context of growing threats to information security. Army commander – Photo by British Library on Unsplash That said, I recei https://certi360.com/en/iso27001-clause-8-2-risk-assessment/ https://certi360.com/en/iso27001-clause-8-2-risk-assessment/ Fri, 01 Mar 2024 00:00:00 GMT Clause 8.2 is one of the most important clauses in the standard, as it forms the basis for all other information security controls. Risk management is the cornerstone of information security in any organization. ISO 27001:2022 places particular emphasis on the importance of this notion through claus https://certi360.com/en/iso27001-clause-8-1-operations-planning/ https://certi360.com/en/iso27001-clause-8-1-operations-planning/ Mon, 26 Feb 2024 00:00:00 GMT Clause 8.1 of ISO 27001 underlines the importance of rigorous planning and control of information security operations within an organization. In concrete terms, in clause 6 we defined our objectives, now we have to bring them to life. Planning – Photo by Patrick Perkins on Unsplash Like the foundati https://certi360.com/en/how-do-you-prepare-a-digital-will/ https://certi360.com/en/how-do-you-prepare-a-digital-will/ Thu, 15 Feb 2024 00:00:00 GMT We all know that when we draw up our wills, we need to list our bank accounts, other financial institutions and assets that will be sold after our death, as well as the strategies for distributing or sharing them with our loved ones. But these days, in this “dematerialized” world, our lives are incr https://certi360.com/en/managing-information-security-in-the-supply-chain/ https://certi360.com/en/managing-information-security-in-the-supply-chain/ Fri, 09 Feb 2024 00:00:00 GMT I come across a survey report on the subject of supply chain risk management from Gartner 2023. It states that “supply chain attacks are on the rise, with 63% of respondents saying their organization has suffered a supply chain attack in the past year”. A number of questions have popped into my head https://certi360.com/en/in-search-of-artifacts-what-does-a-compliance-auditor-hope-to-discover/ https://certi360.com/en/in-search-of-artifacts-what-does-a-compliance-auditor-hope-to-discover/ Fri, 02 Feb 2024 00:00:00 GMT An artifact is an element created as an output from a process or project. An artifact can be a document, record, report or tool used to plan, organize, implement, monitor and control ISMS-related activities. It is proof that the activity actually took place. Artifacts – Photo by Trnava University on https://certi360.com/en/protection-of-personal-information-in-the-context-of-bill-25-the-difference-between-data/ https://certi360.com/en/protection-of-personal-information-in-the-context-of-bill-25-the-difference-between-data/ Mon, 29 Jan 2024 00:00:00 GMT Today we’re going to explore the difference between de-identified data and anonymized anonymized data. These two terms come up a lot in the field of privacy protection, and understanding the difference between them is essential for any organization handling personal information. It’s not only a ques https://certi360.com/en/iso27001-clause-7-5-document-management/ https://certi360.com/en/iso27001-clause-7-5-document-management/ Mon, 22 Jan 2024 00:00:00 GMT When it comes to information security, every detail counts, including the way information is created, stored, maintained and destroyed. Clause 7.5 of ISO 27001 addresses the “management of documented information”, an aspect often overlooked, but nonetheless crucial to the implementation of an effect https://certi360.com/en/article-5-stalking-endure-porn-disclosure-and-hypertrucage/ https://certi360.com/en/article-5-stalking-endure-porn-disclosure-and-hypertrucage/ Sat, 30 Dec 2023 00:00:00 GMT This is the last article in my series on stalking. This behavior is very disturbing and destabilizing, especially with the use of artificial intelligence tools that can create false images of you, but naked, or superimposed in an adult video allowing people to be taken advantage of. “Revenge porn” o https://certi360.com/en/best-reads-of-2023/ https://certi360.com/en/best-reads-of-2023/ Sun, 24 Dec 2023 00:00:00 GMT Here we are at that time of year when we pause and look back at all the work we’ve done, and in my case, I’m also looking back at all the books I’ve read this year. I realize that few books have really hooked me this year, looking at the list I rather took time […] https://certi360.com/en/article-4-stalking-how-can-i-tell-if-someone-is-spying-on-me/ https://certi360.com/en/article-4-stalking-how-can-i-tell-if-someone-is-spying-on-me/ Mon, 18 Dec 2023 00:00:00 GMT The issue of security and digital privacy is paramount. As technology advances, it’s essential that we continue to be concerned about protecting our personal information. If you’re wondering how to detect if you’re being spied on with technological tools, here are some basic tips. [Links to article https://certi360.com/en/article-3-stalking-prevent-it/ https://certi360.com/en/article-3-stalking-prevent-it/ Thu, 14 Dec 2023 00:00:00 GMT Today, I present the third article in a series on harassment. In this article, I seek to understand how to prevent harassment. [Links to article 1] I hope this article will help raise awareness of the issue and encourage collective thinking to reduce harassment. It’s crucial that we work together to https://certi360.com/en/article-2stalking-its-different-forms/ https://certi360.com/en/article-2stalking-its-different-forms/ Tue, 12 Dec 2023 00:00:00 GMT Following on from the previous article, in which I explored the laws surrounding stalking, allow me to present a few concrete examples that illustrate in greater detail what stalking is all about. You can rediscover the article by following thelink here to article no. 1! Harassment is a worrying soc https://certi360.com/en/article-1-criminal-harassment-the-laws/ https://certi360.com/en/article-1-criminal-harassment-the-laws/ Sun, 03 Dec 2023 00:00:00 GMT On the night of Friday August 25 to Saturday August 26, 2023, Ianick Lamontagne committed an irreparable act: the murder of his children, followed by his own suicide. I was so surprised and shocked by this tragic story that I wrote about it in various media. I later discovered that he had clearly cr https://certi360.com/en/iso27001-clause-7-3-raising-awareness/ https://certi360.com/en/iso27001-clause-7-3-raising-awareness/ Fri, 25 Aug 2023 00:00:00 GMT Information security is a crucial issue in today’s digital age. Yet we often only realize its importance after we’ve been the victim of a cyber-attack or security incident. Clause 7.3 of ISO27001 requires that not only employees, but all stakeholders in an organization, are made aware of the importa https://certi360.com/en/iso27001-clause-7-2-skills/ https://certi360.com/en/iso27001-clause-7-2-skills/ Mon, 14 Aug 2023 00:00:00 GMT Clause 7.2 is designed to ensure that those who have an impact on the organization’s information security have the appropriate and necessary skills to carry out their responsibilities properly. Competence – Photo by Ahmed M Elpahwee on Unsplash Specifically, clause 7.2 requires the organization : De https://certi360.com/en/iso27001-clause-7-1-resources/ https://certi360.com/en/iso27001-clause-7-1-resources/ Tue, 25 Jul 2023 00:00:00 GMT The organization must identify and provide the resources needed to establish, implement, maintain and continuously improve the information security management system (ISMS). Resources – Photo by Sincerely Media on Unsplash Management has already defined its safety objectives (Clause 6.2), and must t https://certi360.com/en/iso-27001-clause-6-3-change-planning/ https://certi360.com/en/iso-27001-clause-6-3-change-planning/ Fri, 21 Jul 2023 00:00:00 GMT Planning changes to an information security management system (ISMS) is important for several reasons. Firstly, it helps to minimize the impact on operations. Then there’s the fact that unplanned changes can lead to breakdowns or malfunctions in the organization. Have you ever installed an update on https://certi360.com/en/iso-27001-clause-6-2-objective-how-to-measure-the-objectives-of-a-security-program/ https://certi360.com/en/iso-27001-clause-6-2-objective-how-to-measure-the-objectives-of-a-security-program/ Mon, 17 Jul 2023 00:00:00 GMT Setting a goal is the best way to achieve it, otherwise how do we know when we’ve succeeded? By defining your information security objectives, you can clearly determine what you want to achieve. to achieve to protect the company’s systems and data against internal and external threats. What do we wa https://certi360.com/en/your-transition-plan-to-iso27001-version-2022/ https://certi360.com/en/your-transition-plan-to-iso27001-version-2022/ Sat, 08 Jul 2023 00:00:00 GMT It’s now almost a year since ISO 27001:2013 was replaced by the new version named ISO 27001:2022. Here’s your transition plan! Change – Photo by Suzanne D. Williams on Unsplash This 2022 version of the standard enhances requirements and introduces new elements to meet changing challenges and new thr https://certi360.com/en/iso27001-clause-6-1-actions-to-address-risks-and-opportunities/ https://certi360.com/en/iso27001-clause-6-1-actions-to-address-risks-and-opportunities/ Mon, 19 Jun 2023 00:00:00 GMT Information security risk management is the set of actions taken by an organization to understand and reduce the effects of risk. Clause 6.1 of ISO 27001 addresses actions to identify threats, estimate their risk levels and manage the action plan to prevent or repair the impact of these risks. Photo https://certi360.com/en/iso27001-clause-5-3-information-security-roles/ https://certi360.com/en/iso27001-clause-5-3-information-security-roles/ Tue, 28 Feb 2023 00:00:00 GMT Roles, responsibilities and power sharing within an organization are of the utmost importance when it comes to information security. Understanding who is responsible for what, and the authority associated with each role, is essential for organizations to ensure the security of their data and network https://certi360.com/en/iso27001-clause-5-2-policy/ https://certi360.com/en/iso27001-clause-5-2-policy/ Fri, 17 Feb 2023 00:00:00 GMT Policy is the equivalent of a corporate mission, since without a mission there is no corporate project. So, without a policy, information security management has no objective and, unfortunately, little chance of success. Politics – Photo by Marco Oriolesi on Unsplash An information security policy i https://certi360.com/en/iso27001-clause-5-1-commitment-and-leadership/ https://certi360.com/en/iso27001-clause-5-1-commitment-and-leadership/ Sun, 12 Feb 2023 00:00:00 GMT Photo by Brooke Lark on Unsplash The organization’s management is key to ensuring that ISO 27001 requirements are met and that the ISMS is effective. It’s important to understand that ISO27001 is a standard that needs to be implemented from the top down. So, the organization’s management must show l https://certi360.com/en/iso27001-clause-4-4-isms-maintenance/ https://certi360.com/en/iso27001-clause-4-4-isms-maintenance/ Mon, 06 Feb 2023 00:00:00 GMT Clause 4.4 of the ISO27001 standard is one of the smallest in size, but the one that, in my opinion, has the greatest day-to-day impact on the organization. Maintenance – Photo by Markus Spiske on Unsplash Establishing and implementing In the context of ISO 27001 on information security, the term “e https://certi360.com/en/iso27001-clause-4-3-determining-the-scope-of-the-security-program/ https://certi360.com/en/iso27001-clause-4-3-determining-the-scope-of-the-security-program/ Fri, 03 Feb 2023 00:00:00 GMT The scope of an ISMS (Information Security Management System) is crucial, as it defines the direction and objective that the security team must follow. Direction – Photo by Nick Fewings on Unsplash The scope of the Information Security Management System (ISMS) is the set of activities, processes and https://certi360.com/en/iso27001-clause-4-2-understanding-stakeholder-needs-and-expectations/ https://certi360.com/en/iso27001-clause-4-2-understanding-stakeholder-needs-and-expectations/ Thu, 26 Jan 2023 00:00:00 GMT As we often say, information security is everybody’s business. We need to identify and understand the needs of this world. Photo by Matheus Ferrero on Unsplash Clause 4.2 of the ISO 27001 standard on information security calls for stakeholders to be identified, as they have a significant impact and https://certi360.com/en/iso27001-clause-4-1-understanding-the-organization-and-its-context/ https://certi360.com/en/iso27001-clause-4-1-understanding-the-organization-and-its-context/ Wed, 25 Jan 2023 00:00:00 GMT To begin with, are we able to define who the organization is in clear terms? Photo by Jametlene Reskp on Unsplash This stage consists of determining an organization’s internal and external challenges. It is an important process for understanding the risks to which the company is exposed. It also hel https://certi360.com/en/whats-the-difference-between-an-information-security-incident-and-a-non-compliance/ https://certi360.com/en/whats-the-difference-between-an-information-security-incident-and-a-non-compliance/ Mon, 23 Jan 2023 00:00:00 GMT Photo by Possessed Photography on Unsplash When implementing a management system (such as SGSI-ISO27001) we need to understand the difference between several concepts, the one I’d like to discuss with you is between an event, an incident and a non-conformity. Can you tell the difference between thes https://certi360.com/en/5-steps-to-becoming-an-iso27001-external-auditor/ https://certi360.com/en/5-steps-to-becoming-an-iso27001-external-auditor/ Thu, 19 Jan 2023 00:00:00 GMT Photo by Glenn Carstens-Peters on Unsplash Becoming an ISO 27001 external auditor requires a combination of training, professional experience and certification. ISO 27001 is an international framework for information security management, providing guidelines for protecting sensitive corporate inform https://certi360.com/en/best-reads-of-2022/ https://certi360.com/en/best-reads-of-2022/ Wed, 28 Dec 2022 00:00:00 GMT Photo by Ashim D’Silva on Unsplash You may have been discovering this slowly over the last few years as you’ve read me talking about books, but I really do enjoy reading! In short, during this year, 2022, I’ve done a lot of reading, some of which doesn’t deserve your attention, but others that do! S https://certi360.com/en/how-much-does-it-cost-to-obtain-iso27001-certification/ https://certi360.com/en/how-much-does-it-cost-to-obtain-iso27001-certification/ Mon, 24 Oct 2022 00:00:00 GMT The question of the cost of an ISO27001 certification project frequently comes up, and rightly so, since this certification is based on the most widely recognized international standard for information security management. Photo by Ibrahim Rifath on Unsplash Companies are increasingly being asked by https://certi360.com/en/iso-27017-guide-for-the-use-of-cloud-services/ https://certi360.com/en/iso-27017-guide-for-the-use-of-cloud-services/ Sat, 25 Jun 2022 00:00:00 GMT Cloud computing is becoming increasingly popular as companies look for ways to improve efficiency and reduce costs. Security in this context is essential. Now comes the international standard ISO 27017, providing guidance on how to implement security controls for cloud services for both customers an https://certi360.com/en/how-can-you-trust-an-auditors-report/ https://certi360.com/en/how-can-you-trust-an-auditors-report/ Sun, 15 May 2022 00:00:00 GMT In a world of compliance with laws, regulations and standards, it can be difficult to know whether or not to trust an auditor’s report. Trust is an important value in all business contexts. The Russian proverb “Trust, but verify” takes on its full meaning. Your trust rests on the work of auditors wh https://certi360.com/en/pci-dss-4-0-whats-new/ https://certi360.com/en/pci-dss-4-0-whats-new/ Wed, 13 Apr 2022 00:00:00 GMT When I received notification of the standard’s publication on March 31, 2022, I thought it was an April fool’s joke. So I let the day pass to check the next day, and well no – it’s just an April fool’s joke.The standard has indeed been published! Transition period The transition period is from March https://certi360.com/en/iso-27018-privacy-protection-for-cloud-processors/ https://certi360.com/en/iso-27018-privacy-protection-for-cloud-processors/ Fri, 25 Mar 2022 00:00:00 GMT Are you a cloud service provider? Do your customers process personal information? Do your customers use your platform to deliver their services? Do you offer data processing options that your customers can tailor to their needs? If these 4 conditions apply to your organization, then this standard is https://certi360.com/en/password-manager-how-and-why-do-i-need-one/ https://certi360.com/en/password-manager-how-and-why-do-i-need-one/ Thu, 10 Mar 2022 00:00:00 GMT A few days ago I asked a question on the LinkedIn platform, namely what would be the best choice for a password vault application. Survey results on LinkedIn Emergency – have a password vault! Each of us has dozens of passwords for the different sites we visit, be it Facebook, Twitter, Medium, Googl https://certi360.com/en/personal-information-do-you-know-your-role/ https://certi360.com/en/personal-information-do-you-know-your-role/ Mon, 07 Mar 2022 00:00:00 GMT There are two distinct roles when it comes to corporate responsibility for managing personal information. Controllers and processors of personal information. What is the difference between these two roles in the context of processing (collecting, displaying, storing, analyzing, transmitting, treatin https://certi360.com/en/how-do-i-draw-up-a-communication-plan/ https://certi360.com/en/how-do-i-draw-up-a-communication-plan/ Tue, 01 Mar 2022 00:00:00 GMT A communication plan is a formal document that describes how information will be shared between the organization and its stakeholders, both internal and external. The stated aim of such a plan is to anticipate the actions to be taken in given circumstances. For example, in the event of a security in https://certi360.com/en/why-do-companies-fail-their-security-audits/ https://certi360.com/en/why-do-companies-fail-their-security-audits/ Tue, 22 Feb 2022 00:00:00 GMT Lately, I’ve been doing a lot of compliance audits (internal and external), mainly for PCIDSS and ISO standards. (22301, 27001, 27017, 27018, 27035, 27701) I love this job, but I’ve noticed that many companies fail to manage their security programs for various reasons. flickr.com The main reason I s https://certi360.com/en/new-edition-of-iso27002-version-2022/ https://certi360.com/en/new-edition-of-iso27002-version-2022/ Thu, 17 Feb 2022 00:00:00 GMT On February 15, 2022, a revision of the ISO/IEC 27002 standard is published and available to all. You can get it here: https://www.iso.org/standard/75652.html This is really good news, as the standard really needed a refresh and modernization. Here’s a reminder of the changes Number of safety measur https://certi360.com/en/how-to-combat-listener-fatigue/ https://certi360.com/en/how-to-combat-listener-fatigue/ Fri, 11 Feb 2022 00:00:00 GMT During this festive period of exchange and discussion about our mental health, I’d like to bring you a subject that isn’t often discussed in the auditing community, but which I believe is a major issue both in terms of the quality of the work carried out and the results obtained. Beware of listener https://certi360.com/en/how-do-you-structure-your-corporate-cybersecurity-program/ https://certi360.com/en/how-do-you-structure-your-corporate-cybersecurity-program/ Tue, 08 Feb 2022 00:00:00 GMT What you need to know to manage a minimal information security program in a corporate context. Source: https://www.cam.ac.uk/news/cambridge-to-host-transatlantic-cyber-security-competition Before getting started, it’s important to note that there is no single structure or model for information secur https://certi360.com/en/pci-dss-credit-card-management/ https://certi360.com/en/pci-dss-credit-card-management/ Wed, 02 Feb 2022 00:00:00 GMT Do your customers pay you with their credit cards? Then the PCI DSS standard is for you! The origin of the standard : Before PCI DSS, credit card companies (Visa, MasterCard, etc.) had their own independent security programs. These security programs, which differed from one organization to another, https://certi360.com/en/quebec-bill-64-year-1-of-3-here-are-the-articles-that-come-into-force/ https://certi360.com/en/quebec-bill-64-year-1-of-3-here-are-the-articles-that-come-into-force/ Mon, 17 Jan 2022 00:00:00 GMT We’re in the first year of a three-year implementation period. Here’s what you need to know about this first year! Given the fluid nature of information, the ease with which it can be shared from one provider to another, and the reputational losses and issues involved. The government (and your autho https://certi360.com/en/what-is-a-soc2-report/ https://certi360.com/en/what-is-a-soc2-report/ Mon, 10 Jan 2022 00:00:00 GMT Your company provides services to its customers? and your customers ask you for a SOC 2 type 2 report? Your customers want this report to validate your security compliance, to reassure their customers, or perhaps because they themselves have to comply with information security standards. A SOC (Serv https://certi360.com/en/what-is-iso-iec-27001/ https://certi360.com/en/what-is-iso-iec-27001/ Fri, 07 Jan 2022 00:00:00 GMT ISO/IEC 27001 formally defines an information security management system (ISMS) as a set of activities designed to manage information security risks. An ISMS is a management framework through which the organization identifies, analyzes and addresses information security risks. The ISMS ensures that https://certi360.com/en/writing-a-cybersecurity-incident-report/ https://certi360.com/en/writing-a-cybersecurity-incident-report/ Mon, 03 Jan 2022 00:00:00 GMT When a cybersecurity incident occurs, it’s important to record all the details so you can remember it and prevent it from happening again. This includes information such as who was involved, who was affected by the event, when the incident occurred and why. The more detail you provide in your report https://certi360.com/en/28-questions-to-assess-your-teleworking-policy/ https://certi360.com/en/28-questions-to-assess-your-teleworking-policy/ Tue, 28 Dec 2021 00:00:00 GMT Here we are again, in a period of confinement due to Covid-19. I thought it was time to evaluate its telecommuting policies. It’s important to remember that telecommuting refers to any work performed outside the traditional office setting. This includes, of course, working from home, but also at fri https://certi360.com/en/my-best-reads-of-2021/ https://certi360.com/en/my-best-reads-of-2021/ Fri, 24 Dec 2021 00:00:00 GMT Source: Flikr.com Here we are again at the end of the year, and the confinement and sanitary measures have only increased my love of reading, which I must admit was already very strong! Anyway, here’s my list of the reads I’ve enjoyed most in this year 2021. Liberté 45 – By Pierre-Yves McSween Of co https://certi360.com/en/6-steps-to-managing-information-security-incidents/ https://certi360.com/en/6-steps-to-managing-information-security-incidents/ Tue, 21 Dec 2021 00:00:00 GMT In the course of my work, I come across all kinds of companies, but too many have no procedures or methods for managing incidents. So I’m writing this article for them. So that they can get a complete picture of the process and take control of it. Photo by Elisa Ventur on Unsplash First things […]