Industry experts estimate that annual losses from cybercrime could rise to USD 2 trillion by next year1). With countless new targets added every day, especially mobile devices and connected “things”, a joined-up approach is essential.
The attraction of cybercrime to criminal hackers is obvious: tangled webs of interactions, relatively low penalties, disjointed approaches on money laundering and potentially massive payouts. The key is preparation and seeing vulnerabilities, and resilience, in terms of interactions with overall management systems, and that’s where information security management systems (ISMS) standard ISO/IEC 27001 comes in.
This is the flagship of the ISO/IEC 27000 family of standards, which was first published more than 20 years ago. Developed by ISO/IEC JTC 1, the joint technical committee of ISO and the International Electrotechnical Commission (IEC) created to provide a point of formal standardization in information technology, it has been constantly updated and expanded to include more than 40 International Standards covering everything from the creation of a shared vocabulary (ISO/IEC 27000), risk management (ISO/IEC 27005), cloud security (ISO/IEC 27017 and ISO/IEC 27018) to the forensic techniques used to analyse digital evidence and investigate incidents (ISO/IEC 27042 and ISO/IEC 27043 respectively).
These standards are not only about helping to manage information security but will also help to identify and bring criminals to justice. For example, ISO/IEC 27043 offers guidelines that describe processes and principles applicable to various kinds of investigations, including, but not limited to, unauthorized access, data corruption, system crashes, or corporate breaches of information security, as well as any other digital investigation.
Staying ahead of the game
Keeping this family applicable to the needs of businesses small and large through a process of constant evolution is a serious responsibility for ISO/IEC JTC 1’s subcommittee SC 27 on IT security techniques. It’s in large part thanks to the contribution of people like Prof. Edward Humphreys, who chairs the working group responsible for developing ISMS, that it remains one of the most effective risk management tools for fighting off the billions of attacks that occur each year2), which likewise continue to evolve in their targeting and methods.
I spoke with Prof. Humphreys, a specialist in information security and risk management with more than 37 years of experience in consulting and academia. I began by asking him about the fundamentals of ISMS. Just how can they can keep ahead of the criminals to protect businesses and consumers? “It’s true that risks that threaten information, business processes, applications and services are continually evolving. ISO/IEC 27001 is a continual improvement standard, which means the built-in risk management process allows businesses to keep up to date in their fight against cybercrime.”
According to Prof. Humphreys, the continual improvement aspect of ISO/IEC 27001 means that an organization can assess its risks, implement controls to mitigate these, and then monitor and review its risks and controls, improving its protection as necessary. In that way, it’s always on the ready and prepared for attacks: “If used properly, ISMS enable the organization to keep ahead of the game, responding to the evolving risk environment that the Internet and cyberspace present.”
From threats to opportunities
At the business level, it remains a formidable task to model and mitigate threats from all conceivable angles. There’s a clear need to use a unified, integrated security system across the whole business and, given the complexity of interrelationships, I asked Prof. Humphreys whether ISMS could apply to small and medium-sized enterprises (SME). “ISMS are applicable to all types of organization and all types of business activities, including those of SMEs. Many SMEs are part of supply chains, so it’s essential that they are in control of, and manage, their information security and cyber-risks in order to protect themselves and others.” Prof. Humphreys explains that a business’s obligations are typically defined in service-level agreements (SLA), contracts between partners of the supply chain that detail service obligations and requirements and establish legal liabilities, and that ISMS often form an integral part of such agreements.
Of course, there are challenges attached to online business for SMEs, but they are far outweighed by the enormous potential that has been opened up by the Internet. It could be argued that it is smaller businesses that have been the most enabled by technology, a point made recently by Ambassador Alan Wolff from the World Trade Organization. Speaking at the 2018 ISO General Assembly, Wolff observed that “anybody – who has a design; who has a computer; who can get on the Web; has access to a platform – can become a part of international trade.”
The upsides for social and economic development are enormous: the Internet brings global reach to growing numbers of previously isolated individuals and communities. However, a proven and prudent approach such as ISMS is needed to mitigate the downsides. As Prof. Humphreys reminds me, “a cyber-attack on one part of the supply chain could disrupt the whole of the chain” and the impacts can reach way beyond your own business, or even your direct clients. That’s as true for artisan toymakers from Bali as it is for government national health services in Europe.
The right to privacy and the need for confidence
Our private lives may be less complex than global business, but just as much is at stake. For many of us, simply following best practices for passwords and security updates (and bearing in mind that if it smells fishy, or looks too good to be true, then it almost certainly is) should help keep us safe from cybercriminals, much of the time. But people are increasingly asking questions about the way that institutions and companies store, analyse and monetize the vast amounts of data that we hand over more or less voluntarily.
I asked Prof. Humphreys if the ISO/IEC 27000 family provide answers to these sorts of unknowns? “Recently, subcommittee SC 27 has embarked on a new development – ISO/IEC 27552 – which further extends ISO/IEC 27001 to address specific needs of privacy.” Currently at the draft stage, the document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving privacy management within the context of the organization.
When privacy, finances, individual or corporate reputation are threatened, it undermines confidence and impacts our behaviour, both online and in real life. The role of the ISO/IEC 27000 family in allowing us to continue to advance is paramount. With many reasons to feel anxious as almost every aspect of our lives becomes digitized, it’s reassuring to know that there’s a family of standards to count on for information security management systems, and a global group of experts like Prof. Humphreys working to keep us one step ahead.
1) Steve Morgan, “Cyber Crime Costs Projected To Reach $2 Trillion by 2019”, Forbes Online
2) “Internet Security Threat Report”, Volume 23, Symantec, 2018
- Information technologySecurity techniquesInformation security management systemsOverview and vocabulary
- Information technologySecurity techniquesInformation security management systemsRequirements
- Information technologySecurity techniquesInformation security risk management
- Information technologySecurity techniquesCode of practice for information security controls based on ISO/IEC 27002 for cloud services
- Information technologySecurity techniquesCode of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC DIS 27552 [Under development]Security techniquesExtension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information managementRequirements and guidelines