As explained on the program page, “MVPs are technology experts who passionately share their knowledge with the community.” It’s an award for your Microsoft community work of the past year… you can find more details on the MVP website mentioned earlier.
But building community is not a one-person activity, not a job, …
It’s a passion, it’s fun, sharing knowledge and best practices with many people over the world, all eager to build community.
And the last year (or longer) has been very challenging: keeping the community running without face-to-face events, shifting to online only. It was hard work. And the MVP award renewal cycle has been very special this year, taking into account the Corona conditions.
But nevertheless, I can’t keep up this work without the support of you, my dearest colleagues, partners, technology experts, community fellows, my audience, … I won’t list any specific person, because I would not do justice to all the rest… too many to list.
Therefore, a big shout out of gratitude for your support.
Thank YOU for supporting me, making this possible.
I dedicate this award to you, to your support. This is your award.
In the world of security, cyber- and cloud security, sharing knowledge is one of the most important principles to win the battle against cybercrime. Learn from the mistakes others have made.
I’m doing my best to keep up the work and to meet the bar of excellence, to be a community lead, to build community and to share knowledge.
This award and your appreciation give me the extra motivation to keep going and do better next year!
Thank you … for supporting me … for supporting us … for not giving up … for keeping a positive spirit … for the constructive criticism … for the creative solutions … for finding and creating opportunities … for making things possible … for keeping us at the edge … for being direct, open and honest
because that allows us to evolve, to develop, to grow, to learn and to become better
despite difficult times.
I wish each of you and your family the best for 2021,
with a lot of fun, joy and success, a lot of exciting new things…
And sometimes just a bit of luck.
Looking forward to working with you for another exciting year… And beyond.
Because your support keeps me sharp.
Looking forward to the first opportunity to meet, physically, in person, and to catch up on all the things we missed.
And of course, good health. Keep safe and secure!
Thank you … for supporting me … for supporting us … for not giving up … for keeping a positive mindset … for the constructive criticism … for the creative solutions … for finding and creating opportunities … for making things possible … for keeping us sharp and alert … because you are direct, open and honest
because that allows us to evolve, to develop, to grow, to learn and to become better
despite difficult times.
I wish each of you and your family the best for 2021,
with a lot of fun, joy and success, a lot of exciting new things …
And sometimes just a bit of luck.
I look forward to working with you again for another exciting year … and beyond.
Without your support I can’t do my thing.
I look forward to the first opportunity to meet physically and in person, and to catch up on all the things we missed.
And of course, good health. Keep safe and well secured!
The CIS (Center for Internet Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks. The Center for Internet Security provides a handy XLS sheet for download to assist in your mapping exercise.
Security note for the security freaks: the document is apparently hosted on the pardot(dot)com Salesforce domain, which may be blocked by ad-list domain blockers because it is used for marketing campaigns; you might need to unblock it, or use the Tor Browser.
FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefore I submitted a suggestion for an updated CIS-ISO27001 mapping. And after review, a new version (1.1) with updates has been published on the CIS WorkBench.
You’ll notice that the updated (1.1) version still has some gaps. I’ll leave it to the discretion of the CIS review work group to justify these gaps.
But I’m convinced you can map the CIS controls 100% to ISO27001, in one way or another, meaning that ALL ISO27001 controls are used to a certain extent (sometimes a subset, an equal match or a superset, combining controls).
But the license for use of the CIS controls mapping does not allow redistribution of modified materials…
“To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”
So I CANNOT distribute the XLS as modified material (Why not?).
Extending the mapping
If you still want to build an extended version of the mapping on your own, download the 1.1 version and add these items to the list (“=” means the CIS item matches the ISO control; “small subset” or “small superset” means the CIS item covers only part of, or more than, the ISO control):
CIS section   Coverage         ISO27001 Control
2.2           =                A.12.5.1
2.5           =                A.8.1.1
2.8           small subset     A.12.5.1
2.10          small superset   A.9.4.1/A.8.2
3.1           small subset     A.12.6.1
3.2           small subset     A.12.6.1
3.4           small subset     A.12.6.1
3.5           small subset     A.12.6.1
3.6           small subset     A.12.6.1
4.1           small superset   A.8.1.1/A.9.2.3
6.5           small subset     A.12.4.1
6.6           small subset     A.12.4.1
6.8           small subset     A.12.4.1
7.3           small subset     A.12.2.1
7.5           small superset   A.8./A.13.1.1
7.6           small subset     A.13.1.1
8.3           small subset     A.12.2.1
9.5           small subset     A.13.1.1
10.2          small subset     A.12.3.1
10.5          =                A.12.3.1
11.1          small subset     A.13.1.1
11.2          small subset     A.13.1.1
11.6          small subset     A.13.1.1
12.1          small subset     A.13.1.1
12.5          small subset     A.13.1.1
12.10         small subset     A.13.1.1
13.2          small subset     A.11.2.5
14.7          small subset     A.8.2.3
16.2          small subset     A.9.3.1
16.3          small subset     A.9.3.1
16.9          small subset     A.9.2.1
16.10         small subset     A.9.2.1
16.12         =                A.12.4.1
16.13         =                A.12.4.1
17.1          =                Clause 7.2
18.3          =                A.12.5.1
18.4          =                A.12.5.1
18.7          =                A.14.2.9
18.10         small subset     A.14.2.5
18.11         small subset     A.14.2.5
19.3          small subset     A.16.1.1
19.6          small subset     A.16.1.2
19.7          small subset     A.16.1.1
19.8          small subset     A.16.1.4
20.1          small subset     A.18.2.3
20.2          small subset     A.18.2.3
20.3          small subset     A.18.2.3
20.4          small subset     A.18.2.3
20.5          small subset     A.18.2.3
20.6          small subset     A.18.2.3
20.7          small subset     A.18.2.3
20.8          small subset     A.18.2.3
Planning for ISO Certification using CIS Controls?
When you look at it from a different angle and want to build a plan to certify your ISO27001 implementation, you need to turn the mapping around: start from the ISO27001 security controls AND CLAUSES and look for the ones that the CIS control mapping leaves uncovered.
You’ll then notice the explicit difference in approach between CIS controls and ISO27001 controls. CIS controls focus on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these technical controls but also requires a management layer to support them. CIS controls lack this management layer. If you compare both systems in a table, the story becomes clear:
The “red” areas (ISO27001 items with no or only partial CIS coverage) require extra work to make the implementation ISO27001 compliant.
And as always, if you have suggestions or feedback to improve this article, let me know, and I’ll fix it on the fly.
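As an added example (not the article’s own material, nor anything published by CIS), the following Python turns the mapping around the way the paragraph above describes: it inverts CIS-to-ISO rows into an ISO-to-CIS index and labels each ISO item as a gap, partially covered, or covered. The rows are a constructed subset of the extension table above; the coverage ranking and the ISO scope list are assumptions.

```python
"""Invert a CIS-to-ISO27001 mapping to find the ISO items that CIS leaves uncovered.
Added example, not from the article or from CIS: CIS_ROWS is a constructed subset of
the article's extension table; ISO_SCOPE and COVERAGE_RANK are assumptions."""
from collections import defaultdict

# (CIS sub-control, how far it covers the ISO item, ISO control(s); "/" = several)
CIS_ROWS = [
    ("2.2", "=", "A.12.5.1"),
    ("2.10", "small superset", "A.9.4.1/A.8.2"),
    ("3.1", "small subset", "A.12.6.1"),
    ("4.1", "small superset", "A.8.1.1/A.9.2.3"),
    ("6.5", "small subset", "A.12.4.1"),
    ("16.12", "=", "A.12.4.1"),
    ("17.1", "=", "Clause 7.2"),
    ("18.10", "small subset", "A.14.2.5"),
]

# Assumed ranking of the article's coverage labels; the strongest mapped item wins.
COVERAGE_RANK = {"small subset": 1, "small superset": 2, "=": 3}

# ISO 27001 items to audit (constructed sample): Annex A controls plus two
# management-system clauses, for which CIS has no technical counterpart.
ISO_SCOPE = ["Clause 5.1", "Clause 7.2", "A.8.1.1", "A.8.2", "A.9.2.3", "A.9.4.1",
             "A.12.4.1", "A.12.5.1", "A.12.6.1", "A.14.2.5", "A.16.1.1"]


def invert_mapping(rows):
    """Turn CIS->ISO rows into ISO->[(cis_id, coverage)], splitting 'A.x/A.y' cells."""
    iso_index = defaultdict(list)
    for cis_id, coverage, iso_cell in rows:
        for iso_id in (part.strip() for part in iso_cell.split("/")):
            iso_index[iso_id].append((cis_id, coverage))
    return iso_index


def gap_report(rows, iso_scope):
    """Label each in-scope ISO item: gap (no CIS item), partial, superset or covered."""
    labels = {"small subset": "partial", "small superset": "superset", "=": "covered"}
    iso_index = invert_mapping(rows)
    report = {}
    for iso_id in iso_scope:
        entries = iso_index.get(iso_id, [])
        if not entries:
            report[iso_id] = "gap"  # the "red" area: extra work needed for ISO
        else:
            best = max((cov for _, cov in entries), key=COVERAGE_RANK.__getitem__)
            report[iso_id] = labels[best]
    return report
```

Items labelled "gap" or "partial" are the ones to put on the certification work plan; "covered" means at least one CIS item matches the ISO control in full.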
(quote, feb 2020) “I am Annie from CIO Applications Europe magazine and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the Information Security arena and have shortlisted them to be featured as one of the “Top 10 Information Security Consulting/Service Companies 2020”, <…> being one of them.”
(quote, apr 2020) “I am Annie from CIO Applications Europe magazine, and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the GDPR arena and have shortlisted them to feature as one of the “Top 10 GDPR Consulting/Service Companies 2020”, <…> being one of them.”
Version anno 2023, replace
Annie BG Mathews with “Nina Campbell”
“CIO Applications Europe” with “CIO Review Europe”
“2500 EUR”, now indexed to 3000 EUR for a 2-pager,
“Top 10 Information Security Consulting/Service Companies” with “Top 10 Cyber Security Service Providers in Europe 2023” in the “Cyber Security” edition.
Did you also get the same mail from “CIO Applications Europe” or “CIO Review Europe”, with their fabulous “Top 10” marketing, asking a small fee of €2500,- (2023: 300 Euro’s) to be featured as a top player in the <see below> field, for which you get a fabulous … eh.. one single-page PDF? And you may use their top 10 logo in your marketing.
Top, you make me feel so special!
Just.. ehm… the grapevine says lots of my sector contacts and LinkedIn network contacts got the exact same mail.. So, top 10, my @§§.
Marvelous quick win
Just a bit of 12y-old math says: that is a smart turnover of 25.000 EUR per top 10 published. Knowing that they have published roughly 30 of their “top 10” articles for 2019, this means a quick win of €750.000 on one-pagers only.
Agile Technology, Asset management, Automotive, Blockchain, Blockchain Solutions, Business Intelligence, CEM solution, Contact center, Cognitive consulting, ERP, FinTech Solution, GDPR Solutions, GDPR consulting, IBM Solution, Information Security, IoT solution, IT services management, Legal technology, Mar tech, Microsoft solution, Microsoft Consulting, Procurement, Proptech, Salesforce, Smart City Tech,…
Forgive me if I forgot another €25.000,- in the 30x Top 10 of 2019 they listed.
But some important categories are missing, so you can do that too; some ideas below.
If the “Top 10” on GDPR is completed, you create new categories like “GDPR consulting”, “GDPR legal advice”, “GDPR breach specialist”, “GDPR expert”, “GDPR Services”, that’s another 125K of revenue, easy deal to fill the 1 million bucket.
So, you can buy yourself a list in the Top 10.
So here’s the deal, for 2499 EUR, you can get listed in the 2020 Top 10 spam and scam companies, you get a full A6 print page (special 7pt Wingdings font) with a 3 minute made-up interview with your CSSO. (Chief Spam’n Scam Officer.)
Legit business??
For €2499,- you get an interview, a one pager and a logo for display.
I quote: “We want to work with you towards a single page article after an interview with the senior management projecting the unique story of your company. For a nominal amount of 2,500 Euros, you will own complete print and digital rights to use the pdf of profile in your process of acquiring new clients along with many other prominent benefits like rights to use the Top 10 logo in your communications, single page complimentary advertisement placement and many more which I would love to explain when we connect. “
It’s not forbidden to make you a ridiculous offer, but do you really want to sponsor this scam and spam practice and keep it alive?
Fact is, this is not ‘just a spam’ campaign.. It’s set up as a legitimate business, at first sight.
You can still ask yourself why CIO Applications “EUROPE” would have a phone number in the US.
#GDPR!
It’s not only about the scam, they are using personal data without notification.
And you can argue they can use “legitimate interest”. Yes, for sure. But they still need to apply articles 13 and 14 when collecting personal data. Their privacy notice (https://www.cioapplicationseurope.com/privacy-policy/) is not mentioned in the mail communication; it does not mention how they collect my data and how they process it. Neither do they refer to the required legal GDPR mentions (like DPA contact and so on…).
There is no reference on how to file a data subject access request… you can always spam their marketing department as mentioned in their privacy notice.
So, this could even be a valid reason for contacting your DPA and filing a complaint.
I don’t want to unsubscribe to spam mail, because I don’t want to give you just more information if you don’t respect me from the beginning.
What’s the real problem then?
What do you think of a “Top-10” ranking, that is only based on the fee you pay? The first 10 that pay, are in the top 10. Number 11, bad luck. Oh wait, we’ll setup another top 10.
This feels like bribery. And mental pressure.
They send out the requests to new companies, struggling to conquer the market. They make you feel important, but it’s only about the money.
This type of practice puts other legitimate rankings in such a bad light… the smell of money on a “Top 10 …something”. This destroys the reputation of other communities, valuable papers and the IT or security sectors. It’s not isolated to this one bad apple.
Be smart
Think. If it doesn’t feel right, it is not right. For a bare €2499,- you can achieve a lot more than a single page PDF and a top 10 logo.
For the same money and the support of a real marketing specialist, and some smart channel management, you can create real impact.
But most important of all, do what you do best. Create impact. Create great stuff, create buzz, let customers tell your story…
Stay out of the pile of bad apples.
#justthinking
Year   Company                                Website                              Contact         Award
2023   CIO Review Europe / CIO Tech Outlook   cioreview.com / ciotechoutlook.com   Nina Campbell   Top 10 Cyber Security Service Providers in Europe 2023
Last Friday, 21 February, Agentschap Innoveren & Ondernemen organised a practical webinar on cybersecurity.
We showed an innovative approach that helps increase the self-reliance and resilience of SMEs in cybersecurity.
Cybersecurity is regarded as one of the biggest concerns in today’s entrepreneurship. The security of (customer) data is a top priority, and working out a policy on it is a necessity. As an advisor you will regularly get the question from your customers how they should get started with this.
Many thanks to Melissa Gasthuys as host and Eveline Borgermans for the perfect guidance and recording at Agentschap Innoveren & Ondernemen
Here is the link to the slides
The link to the recording:
And you can always take a look at cybervoorkmo.be for more tips and hints.
On 6 February, I presented a session at Privatum, for their evening sessions “Privacy After Work”.
That is a light, interesting approach to bringing people together around privacy and data protection, so ideal for networking and learning interesting things.
Microsoft has published an open-source mapping between the controls in ISO/IEC 27701 (the new data-protection extension of ISO 27001 and 27002) and various legal regulations, including the GDPR (European Union).
The project contains an Excel file with the raw data: see https://github.com/microsoft/data-protection-mapping-project/raw/master/src/assets/database.xlsx
It’s a yearly award granted by Microsoft to community leaders and influencers who passionately share their knowledge and drive the MS community.
For some it’s the ultimate goal to get into the MVP program, but as the award is granted year after year, based on your impact of the past year, you are never sure you’re in for the next round.
It’s not about the award, but about the drive and mindset to build community. You can’t simply keep up if you don’t have the drive.
But more important, you simply can’t keep up without support.
So I’m proud to receive this award.
And I’m utterly grateful that lots of people around support me in this, very close and very far.
Thank you, my dearest wife and kids to keep me alive.
Thank you, dearest Microsoft TechNet Wiki Geeks (TOO MANY to list here), you keep me going.
Thank you, Ed Price, the greatest Wiki Wizz Kid,
Thank you Tina for supporting the MVP BeNelux and Nordic Community manager.
And many many others, … without you I could not do this!
I dedicate this award to you.