MIM 2016 SP2 Troubleshooting: MIM2016 setup System Error MSVCR120.dll was not found


  1. Issue
  2. Error info
  3. Solution
  4. Download

Issue

When installing MIM 2016 on Windows Server 2022, you encounter an error:

Error info

The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem.

Solution

Install the Visual C++ Redistributable Packages for Visual Studio 2013 from the Microsoft Download Center. MSVCR120.dll is the C runtime of Visual C++ 2013 (version 12.0); it is not part of a default Windows Server 2022 installation, and the MIM setup depends on it. Download the package only from microsoft.com, verify its digital signature before running it (file Properties > Digital Signatures, or Get-AuthenticodeSignature in PowerShell) and install the x64 package; add the x86 package too if a 32-bit component reports the same error.

Download

Download Visual C++ Redistributable Packages for Visual Studio 2013 from Official Microsoft Download Center


Quick tip: Microsoft PowerPoint shortcuts (and the gems that are missing from the manual)

If you want to move around Microsoft PowerPoint quickly, this list of shortcut key combinations comes in very handy:

https://support.microsoft.com/en-us/office/use-keyboard-shortcuts-to-create-powerpoint-presentations-ebb3d20e-dcd4-444f-a38e-bb5c5ed180f4

Like using

  • function key F5 to start a presentation from the first slide
  • Alt + F5 to start in presenter mode (even on a single screen)

But… it looks like some interesting combinations are missing.

Like

  • Shift + F5: start the presentation from the current slide (not from slide 1, but wherever you are)
  • Shift + Alt + F5: start presenter mode from the current slide

Just a quick tip…

Overview of cybersecurity relevant European laws, directives, regulations and policies…

  1. Credits
  2. Applicability to your business
  3. More info on the list below
  4. Difference between EU Directive and EU Regulation
  5. EU primary law
    1. CFREU (Charter of Fundamental Rights of the EU)
    2. ECHR (European Convention of Human Rights)
  6. Regulations and directives
    1. GDPR Regulation
    2. The NIS 2 Directive
      1. The NIS 1 Directive (repealed by NIS 2)
    3. The Digital Operational Resilience Act (DORA) – Financial sector
    4. The Critical Entities Resilience Directive (CER)
    5. EU Digital Services Act (DSA)
    6. EU Digital Markets Act (DMA)
    7. Directive on attacks against information systems
    8. European Data Governance Act (DGA)
    9. European ePrivacy directive
      1. Current versions (updated 2009)
    10. European Cyber Defence Policy
    11. EU Cyber Diplomacy Toolbox
    12. Cybersecurity Act (EU 881 / 2019) 
    13. Cybersecurity services for Radio Equipment Directive (RED)
    14. Medical Devices Regulation
    15. eIDAS Regulation (see Art 19(1))
    16. Digital Content Directive (DCD) (see Arts 7 and 8)
    17. European Communications Code (ECC) (see Art 40(1))
    18. Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
    19. Intelligent Transport Systems  (ITS) directive (2010/40/EU)
  7. EU strategy documents
    1. The Strategic Compass of the European Union
    2. A European strategy on Cooperative Intelligent Transport Systems
    3. AI Strategy
  8. Recommendations
    1. Recommendation on coordinated response to large-scale cybersecurity incidents and crises
  9. Other proposed and upcoming acts
    1. (Proposal) EU Cyber Resilience Act (CRA)
    2. Proposed EU Cyber Solidarity initiative and cyber reserve
    3. (Proposal) Artificial Intelligence Act (AIA)
    4. (Proposal) European Data Act
    5. The proposed Machinery Reg (see Annex III)
    6. (Proposal) European Health Data Space (EHDS)
    7. (Draft/proposal) European Chips Act
  10. Some more great stuff
  11. Your feedback and suggestions

Credits

Georg Philip Krog started a post on LinkedIn with an interesting overview of EU policies, directives and regulations…

While the post is still under development (and growing), it might be interesting to get some more information on the list that Georg Philip created.

Furthermore, the original list does not make clear which legislation is in force and which is still in proposal or draft state.

Applicability to your business

Please consider that many of the rules and regulations below might apply directly to your business.

If not, you might be impacted indirectly via the supply chain, where your customer or supplier is impacted by the legislation. In that case it is very likely that you will be required to apply the rules through obligations delegated by your customer or supplier.

In many cases supply chain security will impose these rules on you, one way or another. Be ready.

The chapters below contain, in most cases, a short description or an extract of the introduction, to help you evaluate

  • what the act is about and
  • whether it applies to your business

More info on the list below

The list below does not keep the same ordering as originally posted by Georg Philip.

It is split into

  • laws, regulations and directives focusing on cybersecurity
  • strategy documents & EU policies
  • proposed (not yet active) laws

Difference between EU Directive and EU Regulation

Source: https://european-union.europa.eu/institutions-law-budget/law/types-legislation_en

A “regulation” is a binding legislative act. It must be applied in its entirety across the EU.

For example: GDPR (General Data Protection Regulation)

A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.

EU primary law

CFREU (Charter of Fundamental Rights of the EU)

Reference by Georg Philip: Articles 7 and 8 CFREU

Article 7 – Respect for private and family life

“Everyone has the right to respect for his or her private and family life, home and communications.”

Article 8 – Protection of personal data

“1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”

Source :

ECHR (European Convention of Human Rights)

Art 8 ECHR (Right to respect for private and family life):

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

Source: Guide on Article 8 of the European Convention on Human Rights

Regulations and directives

GDPR Regulation

Code number: Regulation 2016/679

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj

The NIS 2 Directive

Code number: EU Directive 2022/2555

Source: https://eur-lex.europa.eu/eli/dir/2022/2555/oj

Important note: the NIS 2 Directive repeals the original NIS Directive (now called NIS 1).

The NIS 1 Directive (repealed by NIS 2)

Code number : Directive 2016/1148

Source: http://data.europa.eu/eli/dir/2016/1148/oj

The Digital Operational Resilience Act (DORA) – Financial sector

Code number: Regulation (EU) 2022/2554

Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

DORA = digital operational resilience for the financial sector

More info and interesting reads:

The Critical Entities Resilience Directive (CER)

Code name: Directive (EU) 2022/2557

http://data.europa.eu/eli/dir/2022/2557/oj

EU Digital Services Act (DSA)

Code: Regulation 2022/2065

Source: http://data.europa.eu/eli/reg/2022/2065/oj

More Info: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package

“The Digital Services Act (DSA) and the Digital Markets Act (DMA) form a single set of rules that apply across the whole EU. They have two main goals:

  1. to create a safer digital space in which the fundamental rights of all users of digital services are protected;
  2. to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.”

EU Digital Markets Act (DMA)

Code: Regulation (EU) 2022/1925

Source: https://eur-lex.europa.eu/eli/reg/2022/1925/oj

“The Digital Markets Act (DMA) establishes a set of narrowly defined objective criteria for qualifying a large online platform as a so-called “gatekeeper”. This allows the DMA to remain well targeted to the problem that it aims to tackle as regards large, systemic online platforms.

These criteria will be met if a company:

  • has a strong economic position, significant impact on the internal market and is active in multiple EU countries
  • has a strong intermediation position, meaning that it links a large user base to a large number of businesses
  • has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time if the company met the two criteria above in each of the last three financial years”

Directive on attacks against information systems

Code number: Directive 2013/40/EU

Source: https://eur-lex.europa.eu/eli/dir/2013/40/oj

European Data Governance Act (DGA)

Code number: Regulation (EU) 2022/868 

Source: http://data.europa.eu/eli/reg/2022/868/oj

More info : https://digital-strategy.ec.europa.eu/en/policies/data-governance-act

Article 1

“1. This Regulation lays down:

(a) conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;
(b) a notification and supervisory framework for the provision of data intermediation services;
(c) a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and
(d) a framework for the establishment of a European Data Innovation Board.”

European ePrivacy directive

Original Code number: Directive 2002/58/EC

Source: http://data.europa.eu/eli/dir/2002/58/oj

Amended:

Current versions (updated 2009)

http://data.europa.eu/eli/dir/2002/58/2009-12-19

European Cyber Defence Policy

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6642

More info: https://ccdcoe.org/incyder-articles/eu-cyber-defence-policy-framework-presents-more-than-40-action-measures/

EU Cyber Diplomacy Toolbox

https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2020)651937

https://www.consilium.europa.eu/en/press/press-releases/2017/06/19/cyber-diplomacy-toolbox/

More info: https://www.enisa.europa.eu/events/artificial-intelligence-an-opportunity-for-the-eu-cyber-crisis-management/workshop-presentations/20190603-eeas-eu-cyber-diplomacy-toolbox.pdf/view

Cybersecurity Act (EU 881 / 2019) 

Code: Regulation (EU) 2019/881

Source:  http://data.europa.eu/eli/reg/2019/881/oj

Cybersecurity services for Radio Equipment Directive (RED)

Code name: Directive 2014/53/EU

Source: http://data.europa.eu/eli/dir/2014/53/oj

More info: https://single-market-economy.ec.europa.eu/sectors/electrical-and-electronic-engineering-industries-eei/radio-equipment-directive-red_en

Medical Devices Regulation

(see Art 10(1), together with paragraph 17(2) in Annex I)

Code: Regulation (EU) 2017/745

Source: http://data.europa.eu/eli/reg/2017/745/oj

eIDAS Regulation (see Art 19(1))

Code name: Regulation (EU) 910/2014

eIDAS = Regulation on electronic identification and trust services for electronic transactions in the internal market

Source: https://eur-lex.europa.eu/eli/reg/2014/910/oj

Digital Content Directive (DCD) (see Arts 7 and 8)

Code name: Directive (EU) 2019/770 

Source: http://data.europa.eu/eli/dir/2019/770/oj

European Communications Code (ECC) (see Art 40(1))

Code: Directive 2018/1972

Source: http://data.europa.eu/eli/dir/2018/1972/oj

Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres

Source: https://eur-lex.europa.eu/eli/reg/2021/887/oj

Special reference by Georg Philip: Art 4(2)(b)

Article 4

Objectives of the Competence Centre

1.   The Competence Centre shall have the overall objective of promoting research, innovation and deployment in the area of cybersecurity in order to fulfil the mission as set out in Article 3.

2.   The Competence Centre shall have the following specific objectives:

(a) enhancing cybersecurity capacities, capabilities, knowledge and infrastructure for the benefit of industry, in particular SMEs, research communities, the public sector and civil society, as appropriate;
(b) promoting cybersecurity resilience, the uptake of cybersecurity best practices, the principle of security by design, and the certification of the security of digital products and services, in a manner that complements the efforts of other public entities;
(c) contributing to a strong European cybersecurity ecosystem which brings together all relevant stakeholders;

Intelligent Transport Systems  (ITS) directive (2010/40/EU)

under revision 2021/0419(COD): https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM%3A2021%3A813%3AFIN

Code: Directive 2010/40/EU

Source: http://data.europa.eu/eli/dir/2010/40/oj

EU strategy documents

The Strategic Compass of the European Union

https://www.eeas.europa.eu/eeas/strategic-compass-security-and-defence-1_en

A European strategy on Cooperative Intelligent Transport Systems

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52016DC0766

AI Strategy

European AI Strategy

Recommendations

NIS 2 also points to some interesting references, like the ones below.

  • EC Recommendation 2017/1584: Recommendation on coordinated response to large-scale cybersecurity incidents and crises (http://data.europa.eu/eli/reco/2017/1584/oj)
  • Regulation 2019/881: Regulation on information and communications technology cybersecurity certification, the Cybersecurity Act (http://data.europa.eu/eli/reg/2019/881/oj)
  • EC Recommendation 2019/534: Recommendation on Cybersecurity of 5G networks (http://data.europa.eu/eli/reco/2019/534/oj)

Recommendation on coordinated response to large-scale cybersecurity incidents and crises

Code number: EC recommendation 2017/1584

Source: http://data.europa.eu/eli/reco/2017/1584/oj

Other proposed and upcoming acts

(Proposal) EU Cyber Resilience Act (CRA)

Procedure reference: 2022/0272(COD) (a proposal at the time of writing, so no regulation number yet)

The proposal amends Regulation (EU) 2019/1020 on market surveillance: http://data.europa.eu/eli/reg/2019/1020/oj

More info: https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2022/0272(COD)&l=en

More info: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.”

Proposed EU Cyber Solidarity initiative and cyber reserve

More info: https://www.euractiv.com/section/cybersecurity/news/eu-sets-out-plan-for-cyber-defence-policy/

(Proposal) Artificial Intelligence Act (AIA)

Source: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence

More info: https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence

(Proposal) European Data Act

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0068

More info:

The proposed Machinery Reg (see Annex III)

Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7741

(Proposal) European Health Data Space (EHDS)

Source: https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_2712

EHDS “is a health-specific data sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes.”

(Draft/proposal) European Chips Act

EU information: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-chips-act_en

Info: https://sciencebusiness.net/news/ICT/act-three-chips-act-heads-negotiation-phase

Some more great stuff

You don’t want to miss this chart, compiled by Nicolas Ameye.

Source: this LinkedIn post by Nicolas Ameye (PDF original download source here)

Your feedback and suggestions

As legislation is continuously on the move, this article is never finished.
If you have great ideas to add, feedback or suggestions, let me know.

Microsoft Identity Manager online resources (#MIM2016)

  1. Quick note on Microsoft Learn & Docs
  2. Microsoft news and announcements
    1. Microsoft Product support lifecycle
    2. Feeds
  3. Official documentation – Microsoft
    1. Getting prepared
    2. Best practices
    3. Deployment documentation
    4. MIM for developers
    5. MIM reference material
  4. Github
    1. (Microsoft) MIM Configuration Documenter
    2. (Microsoft) Workflow Activity Library (WAL)
    3. MIM projects
  5. Microsoft Community
    1. Forums (Active)
    2. Microsoft Answers
    3. Forums (Archive)
    4. Technet blogs archive
    5. Experts Exchange
    6. Microsoft Wiki
      1. FIM/MIM related content (check the tags)
      2. ILM/FIM/MIM article overview
      3. ILM/FIM/MIM Troubleshooting
    7. The FIM/MIM geek blogs & posts…
  6. Social Media
    1. Facebook
    2. Twitter
  7. Books
    1. Online Companion guide for MIM 2016 book
  8. Visio Stencils
  9. Archives
    1. Microsoft Learn – previous versions

Quick note on Microsoft Learn & Docs

A while ago Microsoft moved from Docs (docs.microsoft.com) to Learn (learn.microsoft.com), but some older information may still point to Docs links. If the redirect fails, replace the docs prefix in the URL with learn and try again.
If it still fails, Bing it and let me know.

Microsoft news and announcements

Microsoft Product support lifecycle

https://docs.microsoft.com/en-us/lifecycle/products/?terms=Identity

Feeds

Official documentation – Microsoft

Getting prepared

Supported platforms: https://learn.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-supported-platforms

Best practices

https://learn.microsoft.com/en-us/microsoft-identity-manager/mim-best-practices

Deployment documentation

MIM for developers

MIM reference material

Github

(Microsoft) MIM Configuration Documenter

https://github.com/microsoft/MIMConfigDocumenter

(Microsoft) Workflow Activity Library (WAL)

https://github.com/microsoft/MIMWAL

MIM projects

https://github.com/search?q=mim2016

Microsoft Community

Forums (Active)

Microsoft Answers

Forums (Archive)

Technet blogs archive

Technet blogs archive: https://learn.microsoft.com/en-us/archive/blogs/

Experts Exchange

Microsoft Wiki

ILM/FIM/MIM article overview

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx

ILM/FIM/MIM Troubleshooting

https://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-mim-2016-related-wiki-articles.aspx#FIM_Troubleshooting_Article

The FIM/MIM geek blogs & posts…

Below you’ll find some interesting and helpful articles and posts (some of them are old or archived, but still valid for MIM too).

In alphabetical order (by last name)

Social Media

Facebook

Twitter

Books

Online Companion guide for MIM 2016 book

Visio Stencils

https://github.com/PeterGeelen/Microsoft-Identity-Manager/tree/main/FIM-MIM%20stencils

Archives

Microsoft Learn – previous versions

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/forefront-2010/ee652263(v=vs.100)

PECB ISO27005:2022 Lead Implementer course – collateral material

Table of contents

  1. PECB Course info
  2. Day 1
  3. Day 2
  4. Day 3
  5. Day 4
    1. OCTAVE
      1. CMU – Carnegie Mellon University
      2. ENISA
      3. PECB
    2. OCTAVE Allegro
    3. MEHARI
      1. Clusif
      2. ENISA
  6. Exam reference material
    1. Exam candidate handbooks ISO27005
  7. References
    1. Toolkits
      1. PECB
    2. ISO 27005 downloads
      1. PECB
      2. ISO
  8. Free tools (open source)
    1. Monarc.lu
  9. Other useful material – add-on
    1. My Github

Below you’ll find some useful collateral (add-on, extra) information for the #PECB #ISO27005 Lead Risk Manager course, which you can use for extra learning, deep dives or educational support.

PECB Course info

Check: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005

Course categories

  • Intro (1d)
  • Foundation (2d)
  • Manager (3d)
  • Lead manager (5d)

Day 1

(in progress)

Day 2

(working on it)

Day 3

(yes, also)

Day 4

OCTAVE

CMU – Carnegie Mellon University

ENISA

https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html

PECB

https://pecb.com/whitepaper > Search for OCTAVE

OCTAVE Allegro

https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419

MEHARI

Clusif

Clusif: https://clusif.fr/wp-content/uploads/2015/10/mehari-2010-risk-analysis-and-treatment-guide.pdf

ENISA

https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_mehari.html

Exam reference material

For specific information about exam type, languages available, and other details, please visit the List of PECB Exams and the Examination Rules and Policies.

Exam candidate handbooks ISO27005

More info: https://help.pecb.com/index.php/list-of-pecb-exams/

(Search for ISO27005 and sort on your preferred language)

References

Toolkits

PECB

https://store.pecb.com/toolkits

ISO 27005 downloads

PECB

ISO

https://www.iso.org/search.html?q=27005

Free tools (open source)

Monarc.lu

Other useful material – add-on

My Github

https://github.com/PeterGeelen/ISO27001

Including:

#ISO27001:2022 transition requirements update published (MD 26:2023, Issue 2) – What has (not) changed?

  1. TLDR
  2. Ch1. Introduction
  3. Ch2. Summary of key changes
    1. §2.1 Background
    2. §2.2 Key changes (in ISO27001)
    3. §2.3 Impact
  4. Ch3. Key time scale
    1. AB
    2. CAB
  5. Ch4. Transition action process
    1. §4.1 AB Action
    2. §4.2 CAB Action
    3. §4.3 Other

The IAF (International Accreditation Forum) has published updated requirements for the transition of ISO 27001 from the 2013 to the fresh 2022 version.

TLDR

  • the transition period did not change (kept at 3 years from publication)
  • (update) initial certification and recertification against ISO 27001:2013 remains possible until 30 April 2024
  • after 30 April 2024 you can only certify against ISO 27001:2022
  • all ISO 27001:2013 certificates shall expire or be withdrawn at the end of the transition period (3 years, October 2025)
  • (update) the certification transition assessment shall include at least
    • an additional half auditor day when combined with a recertification audit
    • an additional full auditor day when combined with a surveillance audit or done as a separate audit

Sources and milestones

Just so you know

IAF MD 26 Issue 2 was published on 15 February 2023, a few months after the publication of ISO 27001:2022 in October 2022.
The main issue: the previous issue was published in August 2022, before the final version of ISO 27001:2022 was available…

So obviously an update was required.

[For your info: If you need some help on acronyms, see the end of this article…]

Some things were updated, but some were not.

The key topics to remember

What changed and what did not change?

  • The transition period is kept at 3 years (36 months)
  • Initial certification and recertification by a CAB must be against ISO 27001:2022 no later than 18 months (was: 12 months) after the end of the month of publication (October 2022).
    • This means that you can still certify against the old standard (ISO 27001:2013) until 30 April 2024
    • After 30 April 2024 you can only certify against ISO 27001:2022
  • (4.2 CAB actions)
    • The certification transition assessment shall include at least
      • an additional half auditor day when combined with a recertification audit
      • an additional full auditor day when combined with a surveillance audit or done as a separate audit
  • All ISO 27001:2013 certificates shall expire or be withdrawn at the end of the transition period (3 years, October 2025)

But of course, I don’t need to tell you: as soon as your CAB is ready, better upgrade your current certification to the newest version, 2022.

A quick recap

A bit more detail on the MD 26 document

Ch1. Introduction

Normative document: ISO/IEC 27001:2022
Replacing: ISO/IEC 27001:2013
Current status (at time of MD publication): IS
Transition period: 3 years (36 months)

Ch2. Summary of key changes

§2.1 Background

Contains an overview of the ISO publication timeline from FDIS to IS

Did you know that

No more than two separate documents in the form of amendments shall be published modifying a current International Standard (see ISO/IEC Directive Part 1, 2022, Clause 2.10.3), therefore, the new edition of ISO/IEC 27001 had to be published after the preparation of ISO/IEC 27001:2013/DAmd1.

Source: IAF MD 26:2023

§2.2 Key changes (in ISO27001)

Source: MD26:2023

  1. Annex A references the information security controls in ISO/IEC 27002:2022, which includes the information of control title and control.
  2. The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”.
  3. The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity.
  4. Adding a new item 4.2 c) to determine the requirements of the interested parties addressed through an information security management system (ISMS).
  5. Adding a new subclause 6.3 – Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner.
  6. Keeping the consistency in the verb used in connection with documented information, for example, using “Documented information shall be available as evidence of XXX” in clauses 9.1, 9.2.2, 9.3.3 and 10.2.
  7. Using “externally provided processes, products or services” to replace “outsourced processes” in Clause 8.1 and deleting the term “outsource”.
  8. Naming and reordering the subclauses in Clause 9.2 – Internal audit and 9.3 – Management review.
  9. Reorder of the two subclauses in Clause 10 – Improvement.
  10. Updating the edition of the related documents listed in the Bibliography, such as ISO/IEC 27002 and ISO 31000.
  11. Some deviations in ISO/IEC 27001:2013 to the high-level structure, identical core text, common terms and core definitions of MSS are revised for consistency with the harmonized structure for MSS, for example, Clause 6.2 d).

§2.3 Impact

  • New annex A (as ISO 27002:2022 is published)
  • Annex is normative
  • Updated harmonized structure

Ch3. Key time scale

AB

  • ready to assess: 30 April 2023
  • initial assessment by the AB: 30 April 2023
  • AB transition of CABs completed by: 31 October 2023

CAB

  • initial certification and recertification to ISO 27001:2022 only: no later than 30 April 2024
  • transition of certified clients: 36 months, by 31 October 2025

Ch4. Transition action process

§4.1 AB Action

Only interesting if you are an AB, see MD 26

§4.2 CAB Action

Is extra time likely to be needed for the transition? Yes.

  • Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.
  • Minimum of 1.0 auditor day for the transition audit when it is carried out
    • in conjunction with a surveillance audit, or
    • as a separate audit.

Important note:

When the certification document is updated because the client successfully completed only the transition audit, the expiration of its current certification cycle will not be changed.

All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.

§4.3 Other

TLDR…

Acronyms

AB = Accreditation Body

CAB = Conformity Assessment Body, certification body

IAF: International Accreditation Forum

FDIS: Final Draft International Standard

IS: International Standard

Outlook Lifehack: Anticipating phishing test mails

Ever thought of outsmarting phishing exercises by having Microsoft Outlook alert you to the test mails upfront?

You can.

In short

Set a mail rule that

  1. inspects the mail headers for X-PHISH and/or PHISHTEST tags (or variations such as PHISHINGTEST)…
  2. moves the incoming mail to a folder
  3. optionally flags the mail or sets a category

Steps

Create a mail rule

Step 1: Select condition

Set: “with specific words in the message header”

Set the tags

  • X-PHISH
  • PHISHTEST

There might be some variations on these tags.

Additionally, if you know that phishing test mails are sent from specific domains, add the sending domain or mail server as an extra condition.

Step 2: Select action: “move it to the specified folder” and pick a folder in your mailbox

Other options

Some other ideas: set mail alerts or use Power Automate to alert you… (but that’s for another article)

Disclaimer

Obviously this only works for these specific mail header tags; if phishing tests use different headers or another approach, you will need to adapt. Don’t take this solution for granted.

And worse, the real stuff… is still out there attacking you.

Stay alert, don’t click on mails and links you don’t expect!

Advanced

While you should never click on suspicious mails or on the links in them, it is still a good exercise and learning item to inspect the mail header information.

Look for anomalies in

  • the sender display name and the shown address versus the actual mailbox (From vs. the envelope sender in Return-Path)
  • From vs. Reply-To mismatch
  • the first receiving mail server (bottom-most Received header) versus the server the sender claims to be
  • the sender domain versus the originating domain
  • SPF, DKIM or DMARC failures in the Authentication-Results header
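Both the rule above (a header tag or a known test-sender domain moves the mail to a folder) and the header anomalies listed here can be checked in code, for example when triaging exported .eml files. The following Python script is an added example and not part of the original post: the tag names (X-PHISH, PHISHTEST, PHISHINGTEST), the test-sender domain phishtest.example and the three sample messages are constructed assumptions, not observed traffic. It classifies a raw message as a phishing test, as suspicious (listing the header mismatches found) or as unremarkable, and adds the SPF/DKIM/DMARC verdicts from the Authentication-Results header as an extra check.

```python
# Added example (not from the original post): classify mail the way the Outlook rule
# and the header checks above do. Tags, test domain and samples are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr

PHISH_TEST_TAGS = ("X-PHISH", "PHISHTEST", "PHISHINGTEST")  # assumed; adapt to your provider
PHISH_TEST_DOMAINS = {"phishtest.example"}                  # assumed test-sender domain
AUTH_FAILURES = "fail|softfail|permerror|temperror"

def first_address(msg, field):
    """(display name, addr-spec, domain) of the first mailbox in an address header."""
    hdr = msg.get(field)
    if hdr is None or not getattr(hdr, "addresses", None):
        return "", "", ""
    addr = hdr.addresses[0]
    return addr.display_name, addr.addr_spec.lower(), addr.domain.lower()

def matches_test_rule(msg):
    """Outlook condition 'with specific words in the message header', plus the optional
    sender-domain condition: True if any header name/value carries a test tag."""
    for name, value in msg.items():
        if any(tag in f"{name}: {value}".upper() for tag in PHISH_TEST_TAGS):
            return True
    return first_address(msg, "From")[2] in PHISH_TEST_DOMAINS

def header_anomalies(msg):
    """Short codes for the header mismatches a manual inspection looks for."""
    findings = []
    from_name, from_addr, from_dom = first_address(msg, "From")
    # Display name showing an address other than the real sender address.
    shown = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if shown and shown.group(0).lower() != from_addr:
        findings.append("display-name-address-mismatch")
    # Reply-To steering answers to another domain than From.
    reply_dom = first_address(msg, "Reply-To")[2]
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Envelope sender (Return-Path) in another domain than From.
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path-domain-mismatch")
    # Received headers are prepended per hop, so the last one names the originating
    # server. Heuristic: mail sent via a third-party provider trips this too.
    received = msg.get_all("Received") or []
    if received:
        hop = re.search(r"\bfrom\s+([\w.-]+)", str(received[-1]), re.I)
        host = hop.group(1).lower() if hop else ""
        if host and host != from_dom and not host.endswith("." + from_dom):
            findings.append("first-hop-server-mismatch")
    # SPF/DKIM/DMARC verdicts stamped by your own MX.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=({AUTH_FAILURES})\b", auth, re.I):
            findings.append(f"auth-fail:{mech}")
    return findings

def classify(raw_message):
    """'phishing-test' (file it away), 'suspicious' (report it) or 'ok'."""
    msg = message_from_string(raw_message, policy=policy.default)
    if matches_test_rule(msg):
        return "phishing-test", []
    findings = header_anomalies(msg)
    return ("suspicious" if findings else "ok"), findings

# Constructed sample messages (not real traffic); header lines start in column 0.
SAMPLE_TEST = """\
From: IT Helpdesk <helpdesk@phishtest.example>
To: alice@corp.example
Subject: Action required: your password expires today
X-PHISHTEST: campaign-42

Click here to keep your account.
"""
SAMPLE_PHISH = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by mail.corp.example; Mon, 13 Feb 2023 09:01:00 +0000
Received: from mail.evil.example (mail.evil.example [198.51.100.7]) by mx.corp.example; Mon, 13 Feb 2023 09:00:59 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=evil.example; dkim=none; dmarc=fail header.from=corp-example.com
Return-Path: <bounce@evil.example>
From: "ceo@corp.example" <ceo.office@corp-example.com>
Reply-To: payments@evil.example
To: alice@corp.example
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""
SAMPLE_LEGIT = """\
Received: from smtp.partner.example (smtp.partner.example [203.0.113.5]) by mx.corp.example; Mon, 13 Feb 2023 09:59:58 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
Return-Path: <bob@partner.example>
From: Bob Builder <bob@partner.example>
To: alice@corp.example
Subject: Invoice for January

Invoice attached, thanks.
"""

if __name__ == "__main__":
    for label, raw in (("test", SAMPLE_TEST), ("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, classify(raw))
```

Run the file to see the three verdicts. The first-hop check is a heuristic (legitimate mail relayed through a third-party provider also trips it), so treat the findings as pointers for the manual inspection described above, not as a verdict on their own.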

Advisory – Best practice

If you suspect a mail to be the real thing, actual phishing, report it as phishing or spam and forward it (as an attachment, so the original headers are preserved) to your local CERT or national cybersecurity authority for analysis (and domain/URL blocking)…

And message your security team they failed the phishing test 😉

See also

Some info for mail server administrators 😉

There is nothing new in the 2022 version of ISO27001 and ISO27002. [aka: How to match 2022 with 2013 version and easily fix your Statement of applicability (SoA).]

  1. Introduction
  2. The quick and dirty overview
  3. A bit more details
  4. Extra reading material
    1. So, what IS new then??
  5. Background info
  6. Conclusion
  7. It’s not perfect, send your feedback.
  8. Need more?

Introduction

Early last year ISO updated the ISO27002 to version 2022, putting the previous version to rest after almost 10 years.

ISO 27002:2022, “Information security, cybersecurity and privacy protection — Information security controls”, provides a set of guidelines for generic information security controls.
And in fact it is the foundation of ISO 27001 Annex A (remember that the annex is derived from ISO 27002).

ISO 27001:2022, published in October 2022, is a new landmark for information security and governance best practices and basics.

With the launch, there have been a lot of articles explaining what changed.

In numbers we went from 114 controls to 93, which looks like a reduction, but 11 new controls were also added (the drop comes from merging existing 2013 controls).

I explained this situation in an article I wrote early last year in #PECB Insights Magazine: here is the link

How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001 (PECB Insights Magazine, 25 mar 2022)

Most important : section “New controls in ISO/IEC 27002:2022”:

New as in: newly named controls in ISO 27002 version 2022, with explicit requirements.
But if you look into them, you will discover that you can perfectly fit them into your existing ISO 27001:2013 implementation to protect your environment.

And you should have had them implemented a long time ago.

They are not new when it comes to protecting your current environment against current cyber threats.

But how do you map these new ISO27002/ISO27001:2022 controls in the existing 2013 implementation?

The quick and dirty overview

A bit more details

If you need a bit more explanation, check this XLS spreadsheet.

Extra reading material

The various controls and clauses in the new ISO27002 provide some interesting references to other standards, you could check:

  • additional information relating to cloud services:
    • ISO/IEC 17788,
    • ISO/IEC 17789 and
    • ISO/IEC 22123-1
  • cloud portability support and exit strategies:
    • ISO/IEC 19941
  • information security for public cloud services:
    • ISO/IEC 27017
  • PII protection in public clouds:
    • ISO/IEC 27018
  • supplier relationships for cloud services:
    • ISO/IEC 27036-4
  • cloud service agreements:
    • ISO/IEC 19086 series, with security and privacy specifically covered by ISO/IEC 19086-4
  • guidance on ICT readiness for business continuity:
    • ISO/IEC 27031
  • guidance on business continuity management systems:
    • ISO 22301 and
    • ISO 22313
  • guidance on business impact analysis (BIA):
    • ISO/TS 22317
  • information on ICT security evaluation:
    • ISO/IEC 15408 series

Some free stuff: https://ffwd2.me/FreeISO

So, what IS new then??

For the hardcore perfectionistas: yes, ISO27002 does update and change some of the security controls to make them more modern.

Also, the structural approach in ISO27002 is now PPT, correction PPPT: Physical, People, Process and Technology (logical security tools).

But more importantly, the major changes are actually in the ISO27001 management clauses, not really in ISO27002 (which is more of a reshuffle).
On the level of governance, compliance and audit there ARE some important updates.

And it will be more result-based, related to risk.

Do you want to know what has changed significantly in the management processes? Have a look at the presentation I hosted with PECB:

https://youtu.be/Vm8d-vIBNvo

You can download the presentation from slideshare:

ISO/IEC 27001:2022 – What are the changes? from PECB (at SlideShare)

And there is more interesting extra material in this LinkedIn article:

Background info

Conclusion

So, there is some work to do when moving from ISO27001:2013 to ISO27001:2022…

But make your life easy: fix the ISMS implementation now and update your SoA using the ISO27002 translation tables.
Watch out for the extra requirements in ISO27001 (as Koenraad Béroudiaux rightfully mentions on LinkedIn: check clauses 4.4 and 8.1).

More info in the webinar.

Get ready!

It’s not perfect, send your feedback.

If you got improvement suggestions, let me know.

We can always make it better, together.

I’ll update the blog post and files with constructive suggestions.

Need more?

If you are curious about the topics below, let me know.

  • personal use spreadsheet for SoA mapping between the 2022 and 2013 versions
  • personal use spreadsheet with ISO27002:2022 categories, to keep using ISO27001 the same way you did before (organizing your ISMS around 14 business functions like management, HR, CISO, dev, legal, operations, …)

You know where to find me: here on LinkedIn, here on Twitter, by mail, or by direct message via Signal and others.

Note-to-self: redirect DNS bypass over your DNS blackhole server

When you have smart devices at home, like smart TVs, you might notice that they bypass your internal DNS server by using public internet DNS (like Google DNS).

And if you use a DNS black hole server like Pi-hole to protect your network against adware, malware and phishing, this is not a healthy situation, as these smart devices bypass your security.

Resources:


Originally, I tried to implement the solution proposed and documented by Scott Helme.

But I ended up with a DNS lockdown (and killed my entire internet connection, due to DNS being blocked).

The solution documented by “Fiction becomes Fact” on this page did the trick.

Apparently, since the 2018 version, some configuration items like the folder locations have changed…

Important: carefully verify the site folder location mentioned in the posts before uploading the config file. It has changed in newer Ubiquiti versions. (Currently: unifi/unifi/data/sites/default/)

Older articles might point to the wrong folders (I suppose it has recently changed with new versions of Ubiquiti…)

Just a few more important attention points:

  • in the newer version (as of Oct 2022) of the Ubiquiti interface, it looks like the topology view no longer supports uploading maps… so you can’t auto-create the site folder (to be confirmed). You need to create the folders manually, and set the owner/group permissions of the folders and the config file yourself.
  • explicitly verify the owner settings of the newly created folders too

You can, of course, apply this approach to other security solutions.

In essence:

  • all DNS traffic passing through your firewall must come from your (Pi-hole) DNS server
  • DNS traffic from any other device is redirected to that DNS server
  • the DNS server logs, manages and filters (blocks/allows) the DNS requests
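As an added illustration of those three points (example code written for this page, not the author’s config and not the UniFi config file the post refers to): the equivalent iptables rules for a Linux router. The LAN interface name br0 and the Pi-hole address 192.168.1.2 are assumed placeholders; the script prints the rules so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not the author's own configuration): emit the iptables rules that
# force all LAN DNS traffic through a Pi-hole. Placeholder assumptions: LAN-side
# interface "br0", Pi-hole at 192.168.1.2. Adjust both for your own network.

# Print the rules for review; nothing is applied by this function.
dns_redirect_rules() {
    lan_if="$1"   # LAN-side interface of the router/firewall
    pihole="$2"   # IP address of the Pi-hole DNS server
    for proto in udp tcp; do
        # The Pi-hole's own upstream queries arrive on the LAN interface too.
        # Exempt them first; otherwise the Pi-hole is redirected to itself and
        # DNS stops completely (the "DNS lockdown" failure mode described above).
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -s $pihole -j RETURN"
        # Any other device asking any resolver (a smart TV using public DNS, say)
        # is transparently redirected (DNAT) to the Pi-hole.
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
        # Hairpin case: client and Pi-hole are on the same LAN, so the answer must
        # travel back via the router to be un-NATed. Masquerading the redirected
        # flow makes the client see the reply come from the resolver it asked.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto -d $pihole --dport 53 -j MASQUERADE"
        # Belt and braces: refuse to forward port-53 traffic that is neither from
        # nor to the Pi-hole, so nothing the DNAT missed leaks to the internet.
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 ! -s $pihole ! -d $pihole -j REJECT"
    done
    # DNS over TLS (TCP 853) cannot be redirected to a plain resolver; block it so
    # devices fall back to port 53 and end up at the Pi-hole.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT"
}

# Number of rules that would be generated: a quick sanity check before applying.
rule_count() {
    dns_redirect_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rules (run as root on the router), only after reviewing the printout.
apply_dns_redirect() {
    dns_redirect_rules "$1" "$2" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

# Usage: sh dns-redirect.sh --print [lan_if] [pihole_ip]
if [ "${1:-}" = "--print" ]; then
    dns_redirect_rules "${2:-br0}" "${3:-192.168.1.2}"
fi
```

To confirm the redirect after applying the rules, query a public resolver from any LAN client (for example with `dig @8.8.8.8 example.com`): the query should show up in the Pi-hole query log, attributed to the router’s address because of the masquerade rule. Rule order matters: the RETURN exemption for the Pi-hole must precede the DNAT rule, which is exactly the mistake that produces the lockdown the post mentions.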

10x thank you for your support! #mvpbuzz

If you’re in my community and professional network, you must have witnessed a wave of Microsoft MVP #mvpbuzz announcements and notifications in early July on the various social media (Twitter, LinkedIn, blogs…), a bit later than usual this year.

I was part of it, but due to personal reasons and summer vacation early July, I only had time till now to process it…

Certainly, this year is a special year for me; a lot of things have changed professionally.
And when another special award disk dropped into the mailbox just a few days ago, I could proudly announce that I’m honored to be awarded the Microsoft MVP award for the 10th time.
You work hard for it, hope for it, but never know if you have met the tough expectations.

[If you want to know more about the Microsoft MVP award, check this page on the MVP site. It’s a reward for a select expert community with great passion for Microsoft technologies, for all community efforts over the last year.]


Honestly, it’s not about these white and blue glass disks, but about the appreciation for the passion and effort in the Microsoft community, and being recognized for the passion for Microsoft Security, more specifically Identity & Access.

And I certainly welcome the program change where the MVP “Enterprise Mobility” group has now moved to MVP Security, which aligns better with reality and with what I stand for.

But I could never have achieved this without the great help and support of you, my audience.
So I want to thank you, more than 10x, for this.

Thank you!