If you run a business, you should know that you have an obligation to take care of sensitive data of any kind. To make sure you do this, there are many different regulations and compliance frameworks out there for you to follow, covering how you take in data, how you store it and how you need to protect your systems to ensure they aren’t compromised.
On that last point, there are a lot of different IT, cyber and information security frameworks and standards you should be aware of, especially if you are a business owner handling any sort of sensitive data for your clients. We couldn’t fit all of them into one post without diminishing them, so instead we’re going to focus on four main areas in four different posts – ISO 27001, Cyber Essentials, CIS Critical Security Controls and ISO 27032. We’ll start with ISO 27001.
What Is An ISO Standard?
Starting at the beginning, ISO standards are international standards set out by the ISO, which stands for International Organisation for Standardisation. This body (which has a membership of over 163 national standards bodies) creates documents that provide each industry with requirements, specifications, guidelines and characteristics that can be used consistently to ensure that materials, products, processes and services are truly fit for their purpose. This ensures that customers are getting a consistent minimum standard of products or services. These standards are developed by the industry that needs them, using experts from all fields and geographical locations to ensure everyone can adhere easily. Almost every sector you can think of has its own set of ISO standards, and these are identified by a series of numbers. Some standards relevant to IT security are ISO 27001, ISO 27002, ISO 15408, ISO 27018 and ISO 27032.
What Is ISO 27001?
ISO/IEC 27001:2013 (formerly known as ISO/IEC 27001:2005) is a specification for an information security management system (or ISMS). To break that down, an ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management process. According to the International Organisation for Standardisation, ISO 27001 was developed in order to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system”. ISO 27001 has been designed to be technology neutral, and uses a top-down, risk-based approach to help businesses plan for risk. The standard breaks down into a six-part process for business owners to follow. The standard itself has a series of clauses, which are to be implemented by organisations, and then a series of controls contained within Annex A, which are further supported in ISO 27002. Think of ISO 27001 as telling you what to do, and ISO 27002 as providing you information on how to do it.
Some of the core components to be implemented by businesses are to:
- Define a security policy.
- Have, and be able to demonstrate, senior leadership support.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
These areas bring us nicely onto our next point about ISO 27001 – the controls.
ISO 27001 Controls – Annex A
Within the ISO 27001 framework there are currently 114 controls, separated into 14 groups and 35 control objectives defined within Annex A. The controls are there to help an organisation choose the correct method for mitigating risk and protecting its business. The list below defines the main Annex A control areas within ISO 27001:
- A.5: Information security policies (2 controls)
- A.6: Organisation of information security (7 controls)
- A.7: Human resource security (6 controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
These controls are updated periodically to keep up with changing technologies. In order to be compliant with ISO 27001, business owners need to identify which of these controls are applicable to them, and implement them.
What Are CIS Controls?
Another security framework that focuses on cyber security within businesses is the Critical Security Controls for Effective Cyber Defence published by The Centre for Internet Security, otherwise known as the CIS Controls. In this post, we will go into the basics of what the CIS Controls are and how they impact your business.
Put simply, the CIS Critical Security Controls are a recommended set of actions for cyber defence that provide specific and actionable ways to stop today’s most pervasive cyber criminals. Note we say recommended – there is no legal obligation for businesses to abide by or implement CIS controls, but it is considered a best practice. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work - NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organisations and some of the nation's top forensics and incident response organisations - to answer the question, "what do we need to do to stop known attacks?"
That group of experts reached consensus and today we have a set of controls that can cover businesses and organisations from cyber attacks on all fronts.
What Are The Controls?
The current CIS Controls can be broken down into two categories – the essential 5 and the recommended 15. The first 5 CIS Controls mean that a business should undertake the following:
- Inventory of Authorised and Unauthorised Devices
- Inventory of Authorised and Unauthorised Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administration Privileges
These 5 controls are in place to eliminate the vast majority of your organisation’s vulnerabilities. This is the absolute minimum standard that any business handling sensitive data should be aiming for.
On top of that there are 15 more controls. These are:
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defences
- Limitation and Control of Network Ports
- Data Recovery Capability
- Secure Configurations for Network Devices
- Boundary Defence
- Data Protection
- Controlled Access - Based on the need to know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
These 20 controls, when implemented, will work together to secure your entire organisation against today’s most pervasive threats. You can download a comprehensive guide to all 20 CIS Controls directly from the CIS website.
At Bridewell, we specialise in helping businesses understand their obligations under different IT, cyber and information security frameworks like ISO 27001. This includes full end-to-end implementation of an ISMS, taking businesses from nothing straight through to ISO 27001:2013 certification. We offer fully managed, partially managed (but fully supported) ISO 27001 consultancy services, as well as internal audits to help you identify risk points and comply with the requirements of the standard. For more information, get in touch with one of our experts today.