Security toolbox protects organizations from cyber-attacks
Geneva, Switzerland, 2015-12-17– Cyber-attacks are among the greatest risks an organization can face. Having standards and systems in place to keep information safe has therefore never been more importantthan in today’s digital world. This is why the ISO/IEC 27000 series on security techniques for information technologyhas been updated to provide organizations with that added value and confidence.
In a global survey conducted by ISACAin 129 countries, only 38% of respondentsfeltthey were prepared for a cyber-attack– even though 83% believed these are among the top three threatsfacing organizations today.With so much personal and sensitiveinformation being handled electronically, there is a lot at stake if it were to be compromised.
Prof. Edward Humphreys,convenor of ISO/IEC Joint Technical Committee (JTC) 1SC 27: IT security techniques, WG 1: Information security management systems (ISMS),emphasizes,“To ensure security in today’s digital landscape, all organizations, irrespective of size, should put in place a management framework as a starting point to manage cyberrisks. ISO/IEC 27001 was designed to help organizations do just that. The Standardis the world’s ‘common language’ when it comes to assessing, treatingand managinginformation-related risks.”
Below are the latest revisions and additions to the ISO/IEC 27000 series– all published in 2015– whichform part of the ISO/IEC 27001 “cyber risk toolbox”,to help keep these risks in check.
Protecting information in the cloud (ISO/IEC 27017)
A new code of practice for information security controls for cloud services,ISO/IEC 27017, has just been published. The cloud is one of the most widely used innovations in today’s fast-paced world of commerce and business. As the service gains currency, users are demanding assurances that data stored and processed in the cloud is safe.
Because of its very nature, the marketplace for cloud services is global, with providers dispersed across wide geographical areas, and data is routinely transferred across national boundaries. International guidance is therefore key.
According to Satoru Yamasaki, one of editors who worked onthe Standard, “ISO/IEC 27017 will help service providers come to a common understanding with their customers regarding adequate security controls and their implementation guidance. This International Standard for cloud security controls will facilitate the development and expansion of secure cloud computing systems.”
The new guidelines arethe result of a joint initiative by the world’s main developers of International Standards–IEC,ISO, and ITU– to guarantee maximum outreach.
Integrated solutions for services (ISO/IEC 27013)
More organizations are choosing to combine an information security management system (ISO/IEC 27001) with a service management system (ISO/IEC 20000-1).An integrated system means an organization can efficiently manage the quality of its services, handle customer feedback and solveproblems, whilekeeping information safe.
ISO/IEC 27013 offers a systematic approach to facilitate the integration of an information security management system with a service management system, which results in lower implementation costs and avoids duplication efforts as only one audit, instead of two, is needed when seeking certification.
Inter-sector and inter-organizational communications (ISO/IEC 27010)
When an organization shares information with another organization, how can they be sure that their data will be kept safe? ISO/IEC 27010 is a sector-specific addition to the ISO/IEC 27000 toolbox, which guides the initiation, implementation, maintenance and improvement of information security in inter-organizational and inter-sector communications. It includes general principles on how to meet these requirements using established messaging and other technical methods. The Standard is expected to encourage the growth of global information-sharing communities.
As Dr. Mike Nash, an editor of ISO/IEC 27010, explains, “ISO/IEC 27010 basically customizes and applies ISO/IEC 27001 and ISO/IEC 27002 to communication between organizations. Having the Standard in place gives an organization confidence that the information it has shared with another organization will not be inadvertently disclosed.”
The Standard is particularly relevant for the protection of critical national infrastructure, where exchanging sensitive information securely is of utmost importance. It is also widely used by security incident response teams.
Detecting and preventing cyber-attacks (ISO/IEC 27039)
How can organizations detect and prevent cyberintrusions to their networks, systems and applications? Best practice shows that they have to be able to know when, if and how an intrusion into their network, system or application occurs.
They should also be ready to identify what vulnerability was exploited and what controls should be implemented to prevent similar intrusionsfrom taking place in the future. One way to do this is through an Intrusion Detection and Prevention Systems (IDPS).
ISO/IEC 27039 gives guidelines to prepare and deploy an IDPS, covering such crucial aspects as selection, deployment and operation. The Standard is particularly useful in today’s market wherethere are many commercially available and open-source IDPS products and services based on different technologies and approaches. ISO/IEC 27039 will guide organizations throughout the process.
Audit and certification (ISO/IEC 27006)
More and more organizations are turning to third-party certification audits to demonstrate that they have in place a solid information security management system (ISMS) that conforms to the requirements of ISO/IEC 27001. ISO/IEC 27006 gives the requirements that certification and registration bodies need to meet tobe accredited, so theycan offer ISO/IEC 27001 certification services.
“ISO/IEC 27006 is an accreditation benchmark for certification bodies that offer ISO/IEC 27001 services,” explains Prof. Humphreys, adding,“This is important because accreditation of certification bodies providesadded confidence in the audit process and credibility in the certificate they award.”
About JTC1
ISO/IEC JTC 1 is the Joint Technical Committee of IEC and ISO for International Information Technology Standards. Created in 1987, JTC 1 currently has 20 Subcommittees, one Study Group and three Working Groups. It has published more than 2800 International Standards.
JTC 1 is a consensus-based, globally relevant, voluntary International Standards group. Since 1987, it has brought about a number of very successful and relevant information and communication technologies (ICT) International Standards in many fields: IC cards (smart cards), automatic identification and data capture (AIDC) technologies, information security, biometrics, cloud computing, multimedia (MPEG), database query and programming languages as well as character sets, to name just a few.
About the IEC
The IEC (International Electrotechnical Commission) is the world’s leading organization that prepares and publishes globally relevant International Standards for all electric and electronic devices and systems. It brings together 167 countries, representing 98% of the world population and 96% of world energy generation. Close to 20000 experts cooperate on the global IEC platform and many more in each member country. They ensure that products work everywhere safely and efficiently with each other. The IEC also supports all forms of conformity assessment and administers four Conformity Assessment Systems that certify that components, equipment and systems used in homes, offices, healthcare facilities, public spaces, transportation, manufacturing, explosive environments and during energy generation conform to them.
IEC work covers a vast range of technologies: power generation (including all renewable energy sources), transmission, distribution, Smart Grid & Smart Cities, batteries, home appliances, office and medical equipment, all public and private transportation, semiconductors, fibre optics, nanotechnology, multimedia, information technology, and more. It also addresses safety, EMC, performance and the environment.