Based on recent events, the cyber-world is not getting any safer, and an organisation operating online today faces threats from a wide variety of sources, with new ones joining the fray on a regular basis. So if you have a role such as Chief Information Security Officer (CISO) then you have what we can comfortably call a challenge.
There are many different ways in which information security can be approached, and much of the battle can be to get senior management to really understand the high-level direction that your company is taking. In order to make it easier to grasp, most organisations define what they term their "cyber security strategy" and brief the board on what this means.
What are the choices for a strategy?
If you've reached the point where everyone is agreed that a strategy is needed, but no one really knows what it should be, then it can often help to base it around one of a number of frameworks that exist within the industry at the moment, rather than making it up yourself.
Based partly on which country you are based in and the industry you operate within, the choices are fairly wide, but it's certainly not an endless list. The main suspects are usually:
The ISO/IEC 27001 international standard for information security
Cyber Essentials (a UK government-backed scheme)
NIST Special Publication 800-53 (a framework of controls published by the US National Institute of Standards and Technology, NIST)
NIST Cyber Security Framework (US only)
SOC2 – an audit standard often used for data centres
CIS Controls framework – a set of safeguards, now at V8
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
COBIT – a well-known framework from ISACA
National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) (UK only)
PCI DSS – required if credit card information is processed
This can be a difficult choice. Let's explore why the first on the list, the ISO/IEC 27001 standard, is a good option to go for.
What is ISO27001?
ISO27001 is a standard published by the ISO (International Organisation for Standardisation). The current version was published in October 2022, runs to nineteen pages and comes in basically two parts:
1. The management system
2. The Annex A controls
The management system consists of a set of requirements grouped into seven main clauses, numbered 4 to 10 (clauses 0 to 3 are basically introductory material):
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
If you do everything it says, then you will be creating an information security management system (ISMS) which sets clear objectives, assesses risk, has defined roles and responsibilities, documents things well and measures its own success, to name but a few aspects. This means you start to treat information security as an ongoing process, rather than a one-off exercise.
The Annex A controls are a set of 93 good ideas to secure your organisation, not just from a technical viewpoint, but also from a physical, organisational and people viewpoint too.
So let's talk about why ISO27001 is a sensible choice to base your strategy around.
Why choose ISO27001?
It's international
Some of the alternatives on the previous list are UK or US-only, and each country will have its own equivalents. The advantage of ISO27001 is that it is internationally recognised around the world so it has credibility not just in your home country, but in those of your international customers also.
It provides a great framework for improvement
You'll never get your cyber security completely right first time, and the threats change rapidly anyway, so you need to be continually reviewing and improving your defences or they will soon be out of date. ISO27001 has what is basically an improvement engine that makes you strive to be better week in, week out.
There's a useful list of controls to choose from
Annex A of the ISO27001 standard is a goldmine of best practice ideas to improve your information security. If you combine it with the more detailed guidance in ISO27002 then you have a well-rounded approach to building your defences. And the risk-based aspect of ISO27001 means that you only implement the controls that make sense for your organisation.
Certification keeps the focus up
You can become externally certified to ISO27001 which means that a third party validates that you have implemented your ISMS properly, and other people can trust that this is the case. Annual audits are a strong incentive to keep the focus on your management system and your controls so that you never let your guard down.
It gives you credibility
The ISO27001 standard has a good reputation internationally and is generally accepted as an indication that your organisation takes information security seriously and has a strong approach in place. This can save a lot of time when answering questions for tenders, as certification ticks many boxes automatically.
It emphasises a risk-based approach
Many of the alternative frameworks are simply a set of controls that can be implemented; ISO27001 emphasises the need to assess your organisation's risk and only put in place those controls that make sense for your organisation, so saving time and money and maximising benefit.
In summary
These are just some of the reasons why basing your cyber security strategy around ISO27001 is a great idea. Of course, the other frameworks can add significant value too and it's not uncommon for an organisation to use two or more to guide them, for example ISO27001 and PCI DSS. The key thing is to establish a structure for your strategy; one which meets your compliance goals, but also helps your senior management team understand what's going on.