In a global survey conducted by ISACA in 129 countries, only 38 % of respondents felt they were prepared for a cyber-attack – even though 83 % believed these are among the top three threats facing organizations today. With so much personal and sensitive information being handled electronically, there is a lot at stake if it were to be compromised.
Prof. Edward Humphreys, Convenor of the working group responsible for ISO’s information security management systems (ISMS) standards, emphasizes, “To ensure security in today’s digital landscape, all organizations, irrespective of size, should put in place a management framework as a starting point to manage cyber risks. ISO/IEC 27001 was designed to help organizations do just that. The standard is the world’s ‘common language’ when it comes to assessing, treating and managing information-related risks.”
Below are the latest revisions and additions to the ISO/IEC 27000 series – all published in 2015 – which form part of the ISO/IEC 27001 “cyber-risk toolbox”, to help keep these risks in check.
Protecting information in the cloud (ISO/IEC 27017)
A new code of practice for information security controls for cloud services, ISO/IEC 27017, has just been published. The cloud is one of the most widely used innovations in today’s fast-paced world of commerce and business. As the service gains currency, users are demanding assurances that data stored and processed in the cloud is safe. Because of its very nature, the marketplace for cloud services is global, with providers dispersed across wide geographical areas, and data is routinely transferred across national boundaries. International guidance is therefore key.
According to Satoru Yamasaki, one of editors who worked on the standard, “ISO/IEC 27017 will help service providers come to a common understanding with their customers regarding adequate security controls and their implementation guidance. This international standard for cloud security controls will facilitate the development and expansion of secure cloud computing systems.”
Integrated solutions for services (ISO/IEC 27013)
More organizations are choosing to combine an information security management system (ISO/IEC 27001) with a service management system (ISO/IEC 20000-1). An integrated system means an organization can efficiently manage the quality of its services, handle customer feedback and solve problems, while keeping information safe.
ISO/IEC 27013 offers a systematic approach to facilitate the integration of an information security management system with a service management system, which results in lower implementation costs and avoids duplication efforts as only one audit, instead of two, is needed when seeking certification.
Inter-sector and inter-organizational communications (ISO/IEC 27010)
When an organization shares information with another organization, how can they be sure that their data will be kept safe? ISO/IEC 27010 is a sector-specific addition to the ISO/IEC 27000 toolbox, which guides the initiation, implementation, maintenance and improvement of information security in inter-organizational and inter-sector communications. It includes general principles on how to meet these requirements using established messaging and other technical methods. The standard is expected to encourage the growth of global information-sharing communities.
As Dr. Mike Nash, an editor of ISO/IEC 27010, explains, “ISO/IEC 27010 basically customizes and applies ISO/IEC 27001 and ISO/IEC 27002 to communication between organizations. Having the standard in place gives an organization confidence that the information it has shared with another organization will not be inadvertently disclosed.” The standard is particularly relevant for the protection of critical national infrastructure, where exchanging sensitive information securely is of utmost importance. It is also widely used by security incident response teams.
Detecting and preventing cyber-attacks (ISO/IEC 27039)
How can organizations detect and prevent cyber intrusions to their networks, systems and applications? Best practice shows that they have to be able to know when, if and how an intrusion into their network, system or application occurs. They should also be ready to identify what vulnerability was exploited and what controls should be implemented to prevent similar intrusions from taking place in the future. One way to do this is through an Intrusion Detection and Prevention Systems (IDPS).
ISO/IEC 27039 gives guidelines to prepare and deploy an IDPS, covering such crucial aspects as selection, deployment and operation. The standard is particularly useful in today’s market where there are many commercially available and open-source IDPS products and services based on different technologies and approaches. ISO/IEC 27039 will guide organizations throughout the process.
Audit and certification (ISO/IEC 27006)
More and more organizations are turning to third-party certification audits to demonstrate that they have in place a solid information security management system (ISMS) that conforms to the requirements of ISO/IEC 27001. ISO/IEC 27006 gives the requirements that certification and registration bodies need to meet to be accredited, so they can offer ISO/IEC 27001 certification services.
“ISO/IEC 27006 is an accreditation benchmark for certification bodies that offer ISO/IEC 27001 services,” explains Prof. Humphreys, adding, “This is important because accreditation of certification bodies provides added confidence in the audit process and credibility in the certificate they award.”