Improving Cyber-Risk Management with ISO 27001 and the 10 Steps to Cybersecurity

With over four billion worldwide internet users, there is little doubt that the power of online communication is recognized by organizations and individuals alike. It is also clear that we are in a period of unprecedented risk, fueled by a growing reliance on technology and data.

According to the 2020 Global Risk Report developed by the World Economic Forum, cyber-attacks and data breaches now feature in the top 10 most likely risks to businesses, while also featuring prominently in relation to potential impact.

As the frequency and disruptive potential of cyber-attacks increase each year, so does the cost. According to the 2019 Cost of Cybercrime study carried out by Accenture, the total cost of cybercrime in 2018 increased by 12% over the prior year and 72% over the previous five years.

10 Steps to Cybersecurity

Recognizing the threat posed by cyber-attacks, the National Cyber Security Centre (NCSC) – the information assurance arm of the UK Government – released ‘10 steps to cybersecurity.’

These guiding principles offer business leaders advice on how to improve cybersecurity and how to protect their information assets. They can be applied to almost all organizations regardless of their size, location or sector.

The central message of the guidance is the need for businesses to establish an effective information risk management regime or culture, supported by top management.

Importantly, top management needs to continue to engage with the risk management regime. This ensures it remains a strong focus and that resources needed to meet threats from a dynamic risk environment are provided.

Relationship Between ISO 27001 and 10 Steps to Cybersecurity

The NCSC guidance relates closely to that of an information security management system (ISMS). An ISO 27001 certified ISMS identifies the assets you value, like personal and customer data or financial information, and seeks to protect them.

An organization that implements an ISMS compliant with ISO 27001 has gone through the process of identifying assets, undergone a vulnerability and threat analysis, determined the level of risk and the treatment required, and established controls to minimize or, where possible, eradicate vulnerabilities.

We’ve mapped the ‘10 steps to cybersecurity’ to some of the requirements highlighted within ISO 27001.

Home and mobile working: It’s important to ensure that information is kept secure even when an employee is working from home, at client premises or on the move.

User education and awareness: All employees and third-party contractors need to be aware of key risks and how to report incidents. This can be achieved through security briefings as part of a new starter induction program, followed up regularly throughout their time with the company.

Incident management: The ability of any organization to contain an incident and then return to business as usual as quickly as possible is vital following an information security event. ISO 27001 requires organizations to include information security within their business continuity management process. This also helps to demonstrate compliance with the EU General Data Protection Regulation (GDPR).

Information risk management regime: Management sets the tone in any organization. Where top management take information security management seriously, it will help instill a risk-aware culture throughout the company. ISO 27001 is explicit in requiring top management to give their support and clear direction.

Managing user privileges: Users can be a major source of information leakage. Allocating access strictly on the basis of role reduces errors and supports the responsibility placed on each user to follow good security practice.

Removable media controls: With the rise in availability of memory sticks and other portable devices, it is critical for organizations to have procedures in place for managing their use, but wider issues such as the safe disposal of media should not be overlooked.

Monitoring: Keeping an eye out for unexpected activity makes good business sense. Audit logging of user activities gives valuable evidence in the event of a breach and can help in any future investigation.

Secure configuration: Understanding your systems and controlling changes to them helps to maintain their integrity and ensure that they are appropriately protected.

Malware protection: Ensuring your systems are patched and up-to-date will reduce the potential for malicious or mobile code to exploit known vulnerabilities.

Network security: Knowing and controlling who has network access and what it is used for reduces the potential for unauthorized access by individuals or devices.

The ‘10 steps to cybersecurity’ give practical advice and act as a useful first step for companies looking to establish an ISMS.
