Welcome to my portal, where I am sharing CyberSecurity knowledge with you.
My name is Nissim Bracha, and I'm a seasoned Information Security Professional and a certified CISSP with an intense passion for cybersecurity. My expertise is built on a strong foundation of both technical hands-on skills and strategic GRC.
I’ve managed global IT and security operations, building departments from the ground up. My background includes implementing complex compliance and standards, such as SOC 2 and ISO 27001. I also possess extensive technical expertise in DevSecOps and Cloud Security.
I don't just write policies; I've architected the systems that govern them. Now that we've found AI, I'm focused on this critical question: How will AI fundamentally contribute to and challenge the cybersecurity world?
I'm here to find the answer.
The ISO 27001:2022 podcast: why and what? - My very first AI-made podcast.
You can listen on Apple Podcasts.
These sources provide a comprehensive, clause-by-clause overview of the ISO/IEC 27001:2022 standard, which outlines the requirements for establishing an Information Security Management System (ISMS). The explanation follows the logical Plan-Do-Check-Act (PDCA) cycle, starting with the foundational requirements of Context (Clause 4) and Leadership (Clause 5). The sources then detail the operational core, including Planning and risk management (Clause 6), Support elements like competence and documentation (Clause 7), and the day-to-day Operation and execution of controls (Clause 8). Finally, they cover the crucial review steps of Performance Evaluation (Clause 9) and Improvement (Clause 10), while also explaining the vital role of supporting standards ISO/IEC 27005 (risk management guidance) and ISO/IEC 27002 (the detailed catalogue of security controls).
All about GDPR: the podcast that covers everything related to GDPR
You can listen on Apple Podcasts.
The collection of sources provides a comprehensive overview of the General Data Protection Regulation (GDPR), covering its legal basis, core principles, and practical application. Multiple documents detail the seven core principles (such as lawfulness, data minimization, and accountability) and the six lawful bases for processing personal data, emphasizing the strict requirements for obtaining valid consent. The texts then explain the practical side of compliance: conducting a data audit, performing Data Protection Impact Assessments (DPIAs, often referred to as Privacy Impact Assessments or PIAs) for high-risk processing as required by Article 35, and implementing strong technical and organizational security measures such as encryption and user authentication. Finally, the sources document the GDPR's global reach and the severe administrative fines for non-compliance, citing recent enforcement actions and highlighting emerging challenges in areas like Artificial Intelligence (AI) governance and the privacy rights of children.
NIST Every CISO Should Meet: this podcast covers some of the most important NIST documents.
You can listen on Apple Podcasts.
These sources primarily consist of excerpts from National Institute of Standards and Technology (NIST) Special Publications, which detail comprehensive frameworks and guidelines for managing security and privacy risks within federal information systems and organizations. NIST SP 800-53 Revision 4 provides a vast catalog of security and privacy controls, organizing them into families like Access Control (AC) and Identification and Authentication (IA), and outlines the three-tiered risk management approach (organization, mission/business process, and information system). Note that Revision 4 has since been superseded by Revision 5 (2020), which the podcast does not cover. Complementing this, NIST SP 800-30 Revision 1 focuses on the methodology for conducting risk assessments, emphasizing the identification of threats, vulnerabilities, and potential impacts across organizational tiers. NIST SP 800-137 introduces the Information Security Continuous Monitoring (ISCM) program, detailing a systematic process for ongoing risk management and maintaining situational awareness of security posture. Finally, NIST SP 800-61 Revision 2 provides guidelines for computer security incident handling, outlining a lifecycle that includes preparation, detection and analysis, containment, eradication and recovery, and post-incident activity, reinforcing the necessity of proactive security measures and coordination.
Freeze, Fight, Flight, or CUSTOM GPT: How AI Assists in Incident Response. GlobalSec magazine, April 2025