Epyy is the name of the new icon and mascot of my open ISMS document workflow on Codeberg.1 The name comes from the Greek ἐπισκοπεῖν (episkopeîn), which translates to inspect or monitor. Think of it as a friendly, and more importantly “living”, document that guides you through the ISO 27001 and TISAX maze. The ISMS workflow is free and open source. If you need professional support or custom adjustments, feel free to reach out. PRs are welcome! Read more

Over the past few days, I once again disappeared down the proverbial rabbit hole. But let’s start from the beginning. On Saturday, I wrote a blog post to outline an automated and deterministic document workflow.1 To make it easier to follow, I also set up a Codeberg repository.2 The feedback was unexpectedly overwhelming and raised many valid points. The repository itself had been put together quickly rather than thoroughly, so I ended up revising it significantly and renaming it in the process. It is no longer just a demo. It now represents a complete, highly flexible, and at the same time very simple document workflow. Read more

Over the weekend, I published a sample repository on Codeberg.1 It proposes treating ISMS documentation like code. The concrete example is an ISO 27001 risk assessment for organizational assets. The focus is less on the document itself and more on the underlying concept. Everything is written in a universal, text-only format that will still be editable in any editor 50 years from now: Markdown.2 Markdown comes with a few practical advantages: Read more

“Ship fast, fail fast”, sometimes shortened to “fail cheap”, is a common mantra in agile environments.1 It addresses real problems with rigid processes, hierarchies, and tech stacks. For years, the industry has promised higher speed through agile methods. That sounds good. Still, when people ask if I work in an agile way, I avoid a straight answer. People confuse speed with maturity. Moving faster does not fix a wrong direction. Speed as replacement for clarity. Read more

As a follow-up to my blog “What Really Measures IT Success”, today I am writing about a related topic.1 It deals with the promises made by cloud and service providers and how they entice customers with availability figures beyond 99%. Anexia/Netcup, the infrastructure provider where I operate, among other things, my mail server, VPN gateway, and a few other hosts, states an availability of 99.6% on its website.2 That means a theoretical downtime of up to 40 minutes per week or up to 35 hours per year. Read more

A typical day in a mid-sized company. The already overworked developer, deep in crunch mode1 gets a quick note: “Would you please make the open invoices visible in the overview of all customers for this project?” Dutifully, he nods. He knows it’s an important project, the task isn’t technically difficult and the boss likes quick and simple solutions. So somehow “in between” late in the afternoon, he “enhances” the UI, “adds” extra queries to the frontend, “adjusts” the corresponding logic in the backend, and “builds” new views for tje resulting lists. He even goes the extra mile by making the invoices click- and viewable. Tired but satisfied, the developer leans back shortly before midnight with the good feeling of having improved the application. Read more

A typical crisis meeting scenario: The Management and myself as an external consultant or information security officer sitting in a conference room: Our processes are being slowed down by too many security requirements. Employees are complaining. ‘Your’ IT security is becoming a risk to our business. Such statements mark an important turning point for IT in small and medium-sized enterprises. They reflect concerns about change and loss of control. Where collaboration used to be shaped by proximity and hierarchy before, successful companies rely on teamwork, clear processes, modern management tools, and automation today. A few examples: Read more

I need to admit: I really love writing audits. It has a certain degree of scientific working to falsify statements. So I was recently confronted with the following quote from a responsible IT manager: We are not concerned with security, but with liability. If Microsoft promises security, this is enough for us. Well, unfortunately I did not attend a judicial exam but when I read the Microsoft EULA1 regarding risks and liability, I consider the circumstances slightly more differentiated: Read more

My rant showed some effect ;-) Coming Friday, 2nd October 2020 from 7pm on, I will give a presentation covering IT risk assessment and information security. Everything will be hands-on with realistic (live) examples from the web for an audience of developers, project managers, independent consultants and anyone interested in technology. Have a look at the original announcement here. Friday, 02.10.2020, 1900 (CEST, local time) Room: https://meet.jakobs.systems/b/tom-hwb-uzi-mo0 Password: 350533 Everybody is welcome but you should have at least a microphone for discussion after the webinar. Read more