Cyber Security Standards
When identifying the most useful best-practice standards and guidance for implementing effective cyber security, it is important to establish the role that each fulfils, its scope and how it interacts (or will interact) with other standards and guidance.
Cyber security standards are generally applicable to all organisations, regardless of their size or the industry and sector they operate in. This page gives an overview of each of the standards that are usually recognised as essential components of a cyber security strategy, and of how they fit together.
The UK’s Department for Business, Innovation and Skills (BIS) published its “Ten Steps to Cyber Security” in 2012 as an overview of cyber security for executives. The guidance recognises that information is at the centre of business today, and that cyber space encompasses the whole digital fabric of society: the internet in general and the information systems that support and maintain infrastructure, business and services.
The Ten Steps is an excellent framework for a top-level understanding of cyber security. It relies on broad descriptions and objectives to explain the risks, defences and solutions, so that they can be addressed across the whole organisation, rather than defining specific controls that may require specialised skills or experience to implement. As such, the Ten Steps can be achieved through the application of other standards, and an organisation that can tick off every point raised in the Ten Steps can be reasonably confident in the state of its cyber security.
IT Governance offers a cyber security risk assessment service which is based on the above framework.
PAS 555 was released by the British Standards Institution (BSI) in 2013. While most guidance and standards identify problems and offer solutions, PAS 555 takes the approach of describing what effective cyber security looks like. That is, rather than specifying how to approach a problem, it describes the outcome a solution should achieve. On its own this is difficult to reconcile against a checklist of threats and vulnerabilities but, in conjunction with other standards, it can be used to confirm that the solutions in place are comprehensive.
PAS 555 specifically targets the organisation’s top management and is deliberately broad in scope. It is primarily intended as a framework for the governance of cyber security, allowing executives and senior management to compare the organisation’s cyber security measures against its high-level descriptions. When implemented, this provides an ‘umbrella’ under which other standards and guidance can fit to flesh out the outcomes it describes.
ISO/IEC 27001 is the international standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity and availability. The standard is accompanied by a set of best-practice controls that you select and apply according to the risks you face, and implement in a structured manner in order to achieve externally assessed and certified compliance.
Because of its breadth, fulfilling the requirements of ISO/IEC 27001 covers most of what the other cyber security standards and guidance described here ask for. Any remaining gaps identified by other guidance can then be plugged with a minimum of fuss.
ISO/IEC 27032 is the international standard that focuses explicitly on cyber security. While its recommended controls are not as precise or prescriptive as those supplied with ISO/IEC 27001, this standard addresses the vectors that cyber attacks rely upon, including those that originate outside cyber space itself. Further, it includes guidelines for protecting your information beyond the borders of your organisation, such as in partnerships, collaborations or other information-sharing arrangements with clients and suppliers.
As part of the ISO/IEC 27000 series, ISO/IEC 27032 can be integrated with your ISMS simply by updating and expanding the policies, processes and training your organisation already maintains.
The Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM) is a set of controls designed to maximise the security of information for organisations that take advantage of cloud technologies. The benefits of cloud technologies are well known, but some organisations have resisted adopting them because of the perceived risks of storing and processing data beyond their own physical and logical perimeter. The CSA developed the matrix to offer organisations a set of guidelines that enable them to maximise the security of their information without relying solely on the cloud provider’s assurances.
ISO/IEC 27035 is the international standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cyber security management systems are designed to protect your organisation, it is essential to be prepared to respond quickly and effectively when something does go wrong. This standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and for minimising the risk of recurrence.
Implementing ISO/IEC 27035 brings additional benefits, because an incident management regime is required for ISO/IEC 27001 certification and for PCI DSS compliance.
ICT readiness for business continuity is covered by its own international standard. This is the logical next step from incident management, as an uncontrolled incident can escalate into a threat to the continuity of your ICT services. Your organisation must be prepared for a cyber attack that gets past your first line of defence and threatens your information systems as a whole.
This standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO 22301 is the international standard for business continuity management systems (BCMS), and forms the final part of cyber resilience. This standard focuses not only on recovery from disasters, but also on maintaining access to and the security of information, which is crucial when attempting to return to full and secure functionality.
A BCMS completes the requirements of cyber resilience by addressing the final stage of a cyber attack that has overwhelmed both your defences and your incident response.
At IT Governance we can help you implement effective cyber security through our coherent set of products and services.