ISO: Download over 600 Standards for free! (No, it is not piracy!)

A few days ago I reposted an old article on how to get a legit copy of ISO 27000 free of charge. Well, in truth, there are several other

How about downloading over 600 ISO standards free of charge? No subscription, no paywall, no strings attached! Simply over 600 Freely Available ISO Standards!

that that you can download and put to good use!

The complete list includes OVER 600 STANDARDS. Obliviously some may be quite outdated (like the ones from 1988!), but I was surprised to find out very recent publications on relevant topics such as ITInformation SecurityCloud Computing, and IT Service Management:

  • ISO/IEC 2382:2015 Information technology — Vocabulary
  • ISO/IEC 2382-37:2017 (E) Information technology — Vocabulary — Part 37: Biometrics
  • ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary
  • ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture
  • ISO/IEC 19395:2015 Information technology — Sustainability for and by information technology — Smart data centre resource monitoring and control
  • ISO/IEC 19678:2015 Information Technology — BIOS Protection Guidelines
  • ISO/IEC TR 20000-10:2015 Information technology — Service management — Part 10: Concepts and terminology
  • ISO/IEC TR 20000-11:2015 Information technology — Service management — Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL
  • ISO/IEC TR 20000-12:2016 Information technology — Service management — Part 12: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC
  • ISO/IEC 27036-1:2014 Information technology — Security techniques — Information securityfor supplier relationships — Part 1: Overview and concepts
  • ISO/IEC 27000:2016(E) Information technology — Security techniques — Information security management systems — Overview and vocabulary

For the complete list, follow this link:

Cybersecurity excellence builder: A free download from NIST

KNOWING IS HALF THE BATTLE. I never expected a cliché quote from my Saturday morning childhood cartoons (Yo Joe!) to be a solid recommendation that I use on a day-to-day basis. This advice is particularly true whenever dealing with strategic disciplines such as cybersecurity, risk management, IT service management, corporate governance or business continuity. Yet, the absence of structured information is one of the most usual concerns for organizations.


So, what is the excuse? In terms of good practices / standards there are more than enough publications that can be used by most organizations ensure a great/practical benefit for business.

For instance, COBIT 5 is one of the most reliable frameworks for measuring information security maturity/capabilities. Putting COBIT DSS05 (Manage Security Services) process to practice is one of the most effective ways to enable business in achieving an adequate data protection level.



Cobit 5 – Enabling processes – DSS05 RACI Chart

Aside from time-tested solutions, a new and free publication recently captured my attention. If you want a quick look at your cybersecurity maturity level, NIST’s Baldrige Cybersecurity Excellence Builder is a great self-test tool.

The current draft version was published by the National Institute of Standards and Technology (NIST) last September, and even as a draft, it has a simple yet very pragmatic approach. The whole idea is enabling organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes.

Using the self-assessment it is possible to:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve;
  • identify priorities for improvement.

The publication is straightforward, with easy to follow practices. Just one word of advice: as with any self-test, it is necessary to have some basic understanding on the evaluated topic, so someone with a reasonable cybersecurity experience should validate any results in order to avoid any misinterpretation or errors.


As mentioned before, the Baldrige Cybersecurity Excellence Builder is a free publication, and it can be downloaded HERE (warning: PDF).



ISACA CISM: Why you should do it and how to pass the certification exam!

ISACA CISM: Why you should do it and how to pass the certification exam!

The current state of cybersecurity is quite simple: each day presents a new set of threats/vulnerabilities. Business have discovered – the hard way – the costs of not investing in an experienced InfoSec Team, and certifications such as ISACA’s CISM, Certified Information Security Professional.

This new perspective has been gradually changing the information security market, and papers like ISACA’s State of Cybersecurity: Implications for 2015 show that cybersecurity in general has been getting more support from upper management (really?) and bigger budgets (R U SERIOUS?). Paradoxically, there is a huge cybersecurity skill crisis, experienced professionals are short on the market.


ISACA – 2014

I agree that experience is something you only get on the field, but there are countless options in terms of professional certifications that should make you stand out in the infosec crowd. Personally, I always invested my time and resources on vendor free certifications, mostly from internationally recognized institutions like, ISC², EXIN e APMG. The results have been much better than I expected.


Source: ISACA

ISACA’s CISM, Certified Information Security Professional is one such case and one of most in demand certifications of 2016. Still unsure? Ok, look at this quick list of open positions that mention information security certifications:



If you already have some years of experience with information security and began thinking it is time for a managerial role, this certification is one of the best ways you could improve your resume. The exam itself may still looks a bit scary, but let me be clear: With adequate preparation and some dedication, anyone can achieve a great result on the first try.

I attended the CISM examination last June (2015), and here I share the methods and some practical tips I used for my preparation. Again, the results were excellent!

Read more

Corporate Culture: It is a great information security tool. This is why you should not overlook it.

CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as a set of ideas, habits and social behavior in a specific group. This translates into values, beliefs, ideologies, beliefs, group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can define the success or failure of information security.

The fact is CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in subjects related to Information Security and Risk Management. Corporate culture can either motivate or drain the energy of professionals. Understand: Culture is the environment where corporate strategy, even the most well defined, blooms or agonizes. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.


Over the past years, several companies have learned – the hard way – that neglecting information security can bring disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business facilitator and incorporated into all aspects of the strategy and transmitted in corporate culture, right? Yeah, dream on.

Read more

ISO 27000 – free and legal download!

IF YOU ARE AN INFOSEC PROFESSIONAL, STUDENT OR HAVE ANY INTEREST ON THE SUBJECT you are very likely to have heard about ISO/IEC 27001: 2013. What you may not know is that the 27K family is much, much bigger.

Currently there are 16 publications dedicated to the implementation and operation of an ISMS (Information Security Management System) aligned to international standards, and suitable for business of all sizes and verticals. According to the Brazilian National Information Security Survey, which I published last year, more and more Brazilian companies have been investing and adopting the standard.

Read more