Traditional cyber security is proving an increasingly inadequate approach to the modern cyber threat landscape. It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future.
The idea of cyber resilience is a key principle underpinning ISO27001, and the wider issue of business continuity is covered by ISO27031. Read on for a more detailed explanation of a cyber resilience strategy.
Figures from the Department for Business, Innovation and Skills (BIS) 2013 Information Security Breaches survey show that 93% of large organisations and 87% of small organisations suffered a data breach in 2012. Now that suffering a breach is almost inevitable, cyber security methods can no longer be solely relied upon to secure an organisation’s operations. The only sensible response is to adopt a robust cyber resilience strategy.
Cyber resilience = cyber security + business resilience
Cyber resilience is a broader approach that encompasses both cyber security and business resilience. It aims not only to defend against potential attacks but also to ensure your survival following a successful attack. An effective approach to cyber resilience is twofold:
Ensure your cyber security is as effective as possible without compromising the usability of your systems.
Ensure you have robust business continuity plans in place which cover your information assets so that if an attack is successful you can resume normal operations as soon as possible.
Two International Standards provide the main guidance you need:
ISO27001, which details the implementation of an information security management system (ISMS); and
ISO22301, which details the implementation of a business continuity management system (BCMS).
Within the bounds of the broader ISO22301 standard, it is also worth considering the guidance in ISO27031, which applies specifically to information and communication technology business continuity. The requirements of ISO27001 and ISO22301 are mutually compatible.
ISO27001 offers a cohesive approach, recognising that effective cyber security is a cultural as much as a technological issue, and addresses people, processes and technology. An information security management system (ISMS) helps you coordinate your security efforts across your organisation, ensures that your systems are as safe as possible, and reassures your customers, suppliers, shareholders and stakeholders that you are following international best practice guidelines.
For more detailed information about ISO27001, please visit our information pages.
For all products and services relating to ISO27001, please visit our webshop.
Business continuity for Information and Communication Systems is fundamental to an effective information security management system (ISMS). ISO27031 (Guidelines for ICT Readiness for Business Continuity) provides detailed and valuable guidance on how this critical aspect should be tackled.
While the development of a broad business resilience strategy should fit within an organisation's enterprise risk management framework, there is no reason to delay dealing with cyber resilience because a wider business resilience strategy has yet to be developed. If you’re not yet in a position to implement a standards-based approach, there are other means of addressing your cyber resilience requirements.
Published by GCHQ, the 10 Steps to Cyber Security framework sets out a straightforward approach to handling cyber risk in order to help secure your information and ensure your business thrives in the internet age. IT Governance can carry out a robust assessment of your performance in each of these 10 areas, providing you with a tailored and usable action plan that will help you close the gap between recognised good practice and what you’re actually doing.
The 20 Critical Controls are a set of additional controls developed for organisations involved in critical national infrastructure, and they have much to offer larger organisations. Of those 20, five are identified as ‘critical tenets’.
IT Governance can provide a range of cyber resilience solutions to help you ensure your organisation is best placed to mitigate unexpected situations or events.