When identifying the most useful best-practice standards and guidance for implementing effective cyber security, it is important to establish the role that each fulfils, its scope and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organisations regardless of their size or the industry and sector in which they operate. The following are some standards currently in use in the industry:
- PAS 555
PAS 555 was released by the British Standards Institution (BSI) in 2013. While most guidance and standards identify problems and offer solutions, PAS 555 takes the approach of describing the appearance of effective cyber security. That is, rather than specifying how to approach a problem, it describes what the solution should look like. In itself, this is difficult to reconcile against a checklist of threats and vulnerabilities but, in conjunction with other standards, it can be used to confirm that the solutions are comprehensive. It specifically targets the organisation’s top management and is deliberately broad in its scope.
- ISO/IEC 27001
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity and availability. The Standard offers a set of best-practice controls that can be applied to your organisation based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
- ISO/IEC 27032
ISO/IEC 27032 is the international Standard focusing explicitly on cyber security. While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this Standard recognises the vectors that cyber attacks rely upon, including those that originate outside cyber space itself. Further, it includes guidelines for protecting your information beyond the borders of your organisation, such as in partnerships, collaborations or other information-sharing arrangements with clients and suppliers. As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes and training your organisation needs.
- Cloud Controls Matrix (CCM)
The Cloud Security Alliance’s Cloud Controls Matrix (CCM) is a set of controls designed to maximise the security of information for organisations that take advantage of Cloud technologies. The benefits of Cloud technologies are well known, but there has been resistance to the uptake from some organisations due to the perceived risks of storing and processing data beyond their own physical and logical perimeter. The CSA developed the matrix in order to offer organisations a set of guidelines that would enable them to maximise the security of their information without relying solely on the Cloud provider’s assurances.
- ISO/IEC 27035
ISO/IEC 27035 is the international Standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cyber security management systems are designed to protect your organisation, it is essential to be prepared to respond quickly and effectively when something does go wrong. This Standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimising the risk of recurrence. Additional benefits can come from implementing ISO/IEC 27035 because an incident management regime is a requirement of certification for both ISO/IEC 27001 and the PCI DSS.
- ISO/IEC 27031
ISO/IEC 27031 is the international Standard for ICT readiness for business continuity. This is a logical step to proceed to from incident management, as an uncontrolled incident can transform into a threat to ICT continuity. Within the profile of a cyber attack, it is essential that your organisation is prepared for an attack that beats your first line of defence and threatens your information systems as a whole. This Standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
- ISO/IEC 22301
ISO/IEC 22301 is the international Standard for business continuity management systems (BCMSs), and forms the final part of cyber resilience. This Standard focuses not only on recovery from disasters, but also on maintaining access to, and the security of, information, which is crucial when attempting to return to full and secure functionality. A BCMS completes the requirements of cyber resilience by closing the final stage in the profile of an overwhelming cyber attack.