TACKLING THE NEW REALITY OF INFORMATION AND CYBER SECURITY
It is important to update and revise your Infosec posture, with the new ISO/IEC 27001 standard in operation. In this article BSI Group explore how implementing the new, upgraded standard can help businesses respond to three intertwining challenges that headline today’s digital landscape.
by David Mudd, Global Head of Digital Trust Assurance, BSI Group
The new ISO/IEC 27001 standard is now in operation. The importance of updating and revising your Infosec posture cannot be over-emphasized. The reason is simple: the old standard was created to address the information and cyber security challenges that existed a decade ago. However, things have changed dramatically since then, and faster than anyone anticipated.
Whilst you have three years to complete the transition, there is a pressing need to update your ISMS to reflect your current business practice and the associated risks. The time to start is now. Let’s explore how implementing the new, upgraded standard can help you respond to three intertwining challenges that headline today’s digital landscape.
The acceleration of digitalisation
As a result of the COVID-19 pandemic, businesses worldwide were forced to adapt or perish. More digital transformation happened in those two years than in the decade before. Switching to cloud services enabled easier remote working, more effective business continuity and faster disaster recovery. However, new services bring their own security risks, with large amounts of often very sensitive data being stored by multiple third parties and potentially held and accessed all around the world.
As a result of these risks and challenges, ISO/IEC 27001 has made several changes to ensure organisations can incorporate the latest information and cyber security requirements into their existing management standards. That includes new requirements for defining, communicating, and implementing processes to ensure the safety of data.
The removal of the physical perimeter
The old days of a self-contained network of hardware are long gone. Even before 2020, every part of our life was becoming intertwined, but the pandemic accelerated that further. More employees are now working from their own devices at home, at the airport, and anywhere else you might imagine, raising the risk of them using potentially insecure devices and connecting through unsecured personal routers, public Wi-Fi, or worse.
This entirely new way of working is now accounted for in the new standard, providing updated context for the security controls covering information, cyber, physical, environmental, asset management and human resources considerations.
The industrialisation of Cybercrime
The rise of cloud services also gave rise to the concept of Software-as-a-Service. Unfortunately, innovation does not just favour the good guys, and it was only going to be a matter of time before cybercriminals caught onto the benefits of offering Ransomware-as-a-Service (RaaS). The dark web is awash with ready-made malware, removing the requirement for malicious actors to have any technical knowledge to target businesses.
The regrettable truth is that cybercrime has gone through the same rapid transformation we are seeing in our organisations, and it is a pattern that will continue with the ongoing rapid evolution of threats and attacks.
This is a key driver behind the inclusion of cyber security threat response frameworks within the new guidelines for the updated standard, such as identify, detect, protect, respond, and recover. By moving beyond traditional information security frameworks, it ensures your organisation has the processes in place to manage ever-evolving cyber threats.
Your urgency when it comes to addressing these challenges will vary depending on the risks associated with your data, the likelihood of attack, and the potential impact should one occur. However, thanks to the ubiquity of RaaS and its ease of application, it is fair to say companies of any size and industry should consider themselves vulnerable.
How the new standard has changed
In February 2022, the new ISO/IEC 27002:2022 standard was published to reflect the reality of how we now live and work. Those changes are reflected in the newly published ISO/IEC 27001.
The revised ISO/IEC 27001 standard includes the new ISO Harmonized Structure, which brings consistency, clarity, and simplicity, as well as new security categories and controls, with their associated new guidance and attributes, so take a moment to explore the key changes via our one-page summary.
Why the new standard matters
In short, the new standard ensures you have an information management system that is compliant with global best practice. It enables you to align your information security posture with the way you operate within the current threat landscape.
It helps you to more effectively manage the data associated with your information and cyber security, and it has been rationalised to make it easier for more people to access and implement the right controls.
Overcoming the challenges of implementation
Implementing the new standard requires you to revisit your statement of applicability and your risk assessment. But implementation will be more about people than anything else. From BYOD to remote working, responsibility for information and cyber security now sits with every stakeholder within your organisation, so the key to success lies in getting their buy-in.
It is about challenging people’s expectation that they can simply rely on technology to deliver the right level of security. Instead, it becomes a discussion about responsibility.
These conversations should not just be internal. Maintaining the security of global supply chains is often complex, with multiple third-party providers of cloud service platforms, technologies, and information management systems to contend with. Implementation will require you to work closely with the supply chain and procurement managers across your network.
Effective coordination does not just mean helping them understand how and what they need to do, but also why. You need to be able to explain how the new standard directly impacts each party, which is why engaging with the transition process as early as possible is so important. It provides you with an opportunity to properly educate yourself on the threats, weaknesses and opportunities facing each stakeholder, so you can help them to embrace the necessary changes.
Continuous improvement is the ultimate goal
We are seeing an increasingly complex regulatory landscape. As new regulations come in around the world on a regular basis, this in turn increases the complexity of compliance. However, this is only one part of a wider issue, which is risk management.
It is impossible to build a wall big enough to keep your organisation safe. There is no single technological or process-related solution. The only way to maintain the optimum level of information and cyber security is by ensuring everyone, from the CEO to temporary workers, has ownership of it.
From awareness, to training, to compliance and beyond, the effectiveness of your management system requires continual assessment and improvement. The only certainty is that everything is going to change, and fast. Taking a holistic, iterative view of your organisation and everything it interacts with will be the only way to stay ahead.
ABOUT THE COMPANY
David Mudd is responsible for BSI’s portfolio of services across all business lines. He builds solutions for Digital Trust Assurance including cybersecurity, privacy, IT governance and risk, supply chain, data management and Artificial Intelligence. Find out more about BSI Group at www.bsigroup.com/en-SG/