However, in a global survey conducted by ISACA across 129 countries, only 38% of respondents felt they were prepared for a cyberattack – even though 83% believed these are among the top three threats facing organizations today.
To provide organizations with added value and confidence in the face of growing cyberattacks, the ISO/IEC 27000 series on security techniques for information technology has been updated. It forms a cyber risk toolbox to help keep these cybersecurity risks in check.
Common language for IT-related threats (ISO/IEC 27001)
To ensure greater security in today’s digital landscape, all organizations, regardless of their size, should put in place a management framework as a starting point for managing cyber risks. ISO/IEC 27001 is designed to help organizations do just that. This Standard is the world’s common language when it comes to assessing, treating and managing information-related risks.
Here are the latest revisions and additions to the ISO/IEC 27000 series, all published in 2015, through the ISO/IEC Joint Technical Committee (JTC) 1 for International Information Technology Standards.
Protecting information in the cloud (ISO/IEC 27017)
The marketplace for cloud services is global, with providers dispersed across geographical areas and data routinely transferred across national boundaries. Therefore international guidance is key. A new code of practice for information security controls for cloud services, ISO/IEC 27017, is now available.
ISO/IEC 27017, an International Standard for cloud security controls, will facilitate the development and expansion of secure cloud computing systems. It is the result of a joint initiative by the world’s main developers of International Standards – IEC, ISO, and ITU – to guarantee maximum outreach.
Integrated solutions for services (ISO/IEC 27013)
More organizations are choosing to combine an information security management system (ISO/IEC 27001) with a service management system (ISO/IEC 20000-1). An integrated system means an organization can efficiently manage the quality of its services, handle customer feedback and solve problems, while keeping information safe.
ISO/IEC 27013 offers a systematic approach to integrating an information security management system with a service management system. This results in lower implementation costs and avoids duplicated effort, as only one audit is needed for certification.
Inter-sector and inter-organizational communications (ISO/IEC 27010)
ISO/IEC 27010 is a sector-specific addition to the ISO/IEC 27000 toolbox. It guides the initiation, implementation, maintenance and improvement of information security in inter-organizational and inter-sector communications. The Standard is expected to encourage the growth of global information-sharing communities, and it includes general principles on how to meet the security requirements of such communities using established messaging and other technical methods.
ISO/IEC 27010 is particularly relevant for the protection of critical national infrastructure, where exchanging sensitive information securely is of utmost importance. It is also used by security incident response teams.
Detecting and preventing cyberattacks (ISO/IEC 27039)
Best practice shows that organizations need to know whether, when and how an intrusion into their network, system or application occurs, in order to detect and prevent these cyberattacks. Organizations also need to be ready to identify which vulnerability was exploited and which controls must be implemented to prevent similar intrusions in the future. An intrusion detection and prevention system (IDPS) is one way to do this – ISO/IEC 27039 provides guidelines for selecting, deploying and operating an IDPS.
Audit and certification (ISO/IEC 27006)
Increasing numbers of organizations are turning to third-party certification audits to demonstrate that they have a solid information security management system (ISMS) in place that conforms to the requirements of ISO/IEC 27001. ISO/IEC 27006 specifies the requirements that certification and registration bodies must meet to be accredited, so that they can offer ISO/IEC 27001 certification services.
While organizations must remain vigilant with regard to cybersecurity, this new toolbox from JTC 1 can support their efforts.