Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organizations face. And the consequences can be huge. Most organizations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help.
For any organization, information is one of its most valuable assets and data breaches can cost heavily in terms of lost business and cleaning up the damage. Thus, controls in place need to be rigorous enough to protect it, and monitored regularly to keep up with changing risks.
Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.
The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all of which are referenced within.
Prof. Edward Humphreys, leader of the working group that developed the standard, said ISO/IEC TS 27008 will help organizations to assess and review their current controls that are being managed through the implementation of ISO/IEC 27001.
“In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization’s business processes,” he said.
“ISO/IEC TS 27008 can help give organizations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organization faces.”
ISO/IEC TS 27008 is of benefit to organizations of all types and sizes, be they public, private or not-for-profit, and complements the information security management system defined in ISO/IEC 27001.
It was developed by ISO technical committee ISO/IEC JTC 1, Information security, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO’s member for Germany. It can be purchased from your national ISO member or through the ISO Store.
- Information technologySecurity techniquesInformation security management systemsOverview and vocabulary
- Information technologySecurity techniquesInformation security management systemsRequirements
- Information technologySecurity techniquesCode of practice for information security controls
- Information technologySecurity techniquesGuidelines for the assessment of information security controls