I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)

I'm curious what tools, SaaS, or other solutions are being used for vulnerability assessments?

DOD calls it ACAS, which is just an acronym for required assessment program of record they currently fullfil with Nessus scanner and related vender solutions.

Anyone have Nessus experience that can compare to another vendor? Good, bad, etc?

TL;DR: Is ISO27001 easy or am I just too dumb to see the complexity?

Hi!

Just wanted to start some conversation on a standard that's sorta kinda infamous where I'm currently at, the ISO27001 standard.

I got tasked with "polishing up an ISMS" for a company and while I can't go into details, I got basically a control name (from 27002:2022) and a description of "what we need it to do." Now that I got into it, I feel that I may be missing something. Most of their controls are "Limit access to server room" or "Make sure access is logged and not permanent."

Like, the standard is not difficult reading, but if they can explain to ME how the controls should look in the end, what am I missing? Is there some extremely difficult part? Or can I just say "Just make the creds timeout after a month. Source: dude trust me?"

If you were tasked with implementing ISO27001, did you encounter any specific hurdles that I may not see from where I'm standing? The only thing I can see after I got through all the controls was a feeling that this will be more expensive on time for the security teams.

Thank you for coming to my TED(x) talk.