Cyber Security Standards
When identifying the most useful best-practice standards and guidance for implementing effective cyber security, it is important to establish the role that each fulfils, its scope and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organisations regardless of their size or the industry and sector in which they operate. This page provides generic information on each of the standards that is usually recognised as an essential component of any cyber security strategy.
Want to know more about a specific standard?
For more information and advice on cyber security standards, and which would be best for your organisation, speak to one of our experts today.
Ten Steps to Cyber Security
The UK’s Department for Business, Innovation & Skills (BIS) published its ‘Ten Steps to Cyber Security’ in 2012 as an overview of cyber security for executives. This guidance recognises that information is at the centre of business today, and that cyberspace exists as the whole digital architecture of society: both the internet in general and the information systems that support and maintain infrastructure, business and services.
The Ten Steps provide an excellent framework for top level understanding of cyber security. It relies on broader descriptions and objectives to explain the risks, defences and solutions that can then be approached across the whole organisation, rather than defining specific controls that may require specialised skills or experience to implement. As such, the Ten Steps can be achieved through the application of other standards, and the organisation that can tick off all of the points raised in the Ten Steps can be reasonably confident in the state of their cyber security.
IT Governance offers a cyber security risk assessment service based on the above framework.
PAS 555 was released by the British Standards Institution (BSI) in 2013. While most guidance and standards identify problems and offer solutions, PAS 555 takes the approach of describing the appearance of effective cyber security. That is, rather than specifying how to approach a problem, it describes what the solution should look like. In itself, this is difficult to reconcile against a checklist of threats and vulnerabilities but, in conjunction with other standards, it can be used to confirm that the solutions are comprehensive.
PAS 555 specifically targets the organisation’s top management and is deliberately broad in its scope. It is primarily intended as a framework for the governance of cyber security which allows executives and senior management to compare the organisation’s cyber security measures against the established descriptions at a high level. When implemented, this provides an ‘umbrella’ under which other standards and guidance can fit to flesh out the results described.
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity and availability. The Standard offers a set of best-practice controls that can be applied to your organisation based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
By fulfilling the requirements of ISO/IEC 27001, you will be fulfilling the majority of the requirements of the other standards and guidance relating to cyber security. Any remaining gaps identified by other guidance can then be plugged with a minimum of fuss.
IT Governance has created four fixed price packaged solutions that enable any organisation to achieve certification to ISO/IEC 27001. Each solution contains a set of products and services than are delivered online, meaning any organisation in the world can utilise our expertise.
ISO/IEC 27032is the international Standard focusing explicitly on cyber security. While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this Standard recognises the vectors that cyber attacks rely upon, including those that originate outside cyber space itself. Further, it includes guidelines for protecting your information beyond the borders of your organisation, such as in partnerships, collaborations or other information-sharing arrangements with clients and suppliers.
As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes and training your organisation needs.
The Cloud Security Alliance’s Cloud Controls Matrix (CCM) is a set of controls designed to maximise the security of information for organisations that take advantage of Cloud technologies. The benefits of Cloud technologies are well known, but there has been resistance to the uptake from some organisations due to the perceived risks of storing and processing data beyond their own physical and logical perimeter. The CSA developed the matrix in order to offer organisations a set of guidelines that would enable them to maximise the security of their information without relying solely on the Cloud provider’s assurances.
ISO/IEC 27035 is the international Standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cyber security management systems are designed to protect your organisation, it is essential to be prepared to respond quickly and effectively when something does go wrong. This Standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimising the risk of recurrence.
Additional benefits can come from implementing ISO/IEC 27035 because an incident management regime is a requirement of certification for both ISO/IEC 27001 and the PCI DSS.
ISO/IEC 27031 is the international Standard for ICT readiness for business continuity. This is a logical step to proceed to from incident management, as an uncontrolled incident can transform into a threat to ICT continuity. As part of the profile of a cyber attack, it is essential that your organisation is prepared for a cyber attack beating your first line of defence and threatening your information systems as a whole.
This Standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO/IEC 22301 is the international Standard for business continuity management systems (BCMSs), and forms the final part of cyber resilience. This Standard not only focuses on the recovery from disasters, but also on maintaining access to, and security of, information, which is crucial when attempting to return to full and secure functionality.
A BCMS completes the requirements of cyber resilience by closing the final stage in the profile of an overwhelming cyber attack.
Speak to an expert
Please contact our team for advice and guidance on our products and services.