Protecting information assets

Common terminology for information security management just revised

By Janice Blondeau

Cyber-attacks are estimated to cost businesses between USD 400 and USD 500 billion a year, without counting the large number of attacks that go unreported [1]. As cybercrime continues to rise, companies and CEOs are paying more attention to this threat – cyber-attacks can damage corporate reputation and stock performance.


Serious threat to business

Today, all information held and processed by an organization is exposed to the risk of attack, as well as to error, natural disaster and other vulnerabilities inherent to its use. Analyst firm Gartner estimated that worldwide information security spending reached USD 75.4 billion in 2015. The global cybersecurity market will grow to an estimated USD 170 billion by 2020, according to a report from MarketsandMarkets [2].

Managing information assets’ security

Information security focuses on information considered a valuable “asset” requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity.

The family of IEC and ISO International Standards on information security management systems (ISMS) enables organizations to implement a robust framework for managing the security of their information assets, including financial data, intellectual property, employee details, and information otherwise entrusted to them by customers or third parties. 

ISO/IEC 27000

The recently revised ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, provides a comprehensive view of information security management systems covered by the ISMS family of Standards and defines related terms and definitions. 

Keeping information secure

For an organization to meet its objectives and strengthen its legal compliance and image, the protection of its information assets is essential. The coordinated activities needed to direct the implementation of suitable controls and mitigate unacceptable information security risks are part of what is known as information security management. 

Common language

ISO/IEC 27000 gives an overview of the ISMS family of Standards (the ISO/IEC 27001 family), how they support the implementation of ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, and how they relate to each other.

ISO/IEC 27000 also provides a brief introduction to the information security area and information security management systems, describing how to implement, operate, maintain and improve the ISMS.

It provides an understanding of how the ISO/IEC 27001 family fits together through its multi-faceted approach, clarifying the Standards’ scopes, roles, functions and relationship to each other. In addition, ISO/IEC 27000 gathers in one place all the essential terminology used in the ISO/IEC 27001 family.

ISO/IEC 27000:2016 revises the 2010 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 and other Standards of the family that are currently under review. It was developed by Subcommittee (SC) 27: IT security techniques, of the Joint Technical Committee ISO/IEC JTC 1: Information technology.

[1] Steve Morgan, "The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics", Forbes magazine, 16 Oct 2015

[2] MarketsandMarkets, "Cyber Security Market", report and press release

Gallery

Cyber-attacks are estimated to cost businesses between USD 400 and USD 500 billion a year.

Prof. Edward Humphreys, Convenor of Working Group 1 of ISO/IEC JTC 1/SC 27, which developed the Standard.

The family of IEC and ISO International ISMS Standards enables organizations to implement a robust framework for managing the security of their information assets.