Information Security Management: Aligning Security Controls to Standards
Should you implement ISO 27001 or align with security controls such as ASD’s Essential Eight or NCSC’s Top 10? Often businesses struggle when deciding which security standards or compliance requirements should be adopted.
One piece of advice might suggest you need to use ISO 27001, leading to the implementation of what’s called an Information Security Management System (ISMS), while another might warn you off going down the ISO route and say NIST or COBIT is much better suited to your industry. While this might seem problematic, it’s not, since most of their controls overlap. The trick is in implementing a version of these controls that is right for your business.
Choosing the right set of Security Controls
A further consideration (and some might say complication) is in selecting the best set of security controls for your business, since there are various baseline sets proffered by governments and industry bodies. Organisations such as Australia’s ASD and the UK’s GCHQ (and its public-facing counterpart, the National Cyber Security Centre) have their own sets of minimum standards for cyber security. ASD published its paper on the ‘Essential Eight’ in February 2017, while the ‘NCSC’s 10 Steps to Cyber Security’ was published in 2016. You might also have heard of the Center for Internet Security (CIS), a non-profit organisation which also publishes a range of technical standards and controls for cyber security best practice.
All this information is helpful, there is no doubt. But it’s also, for most people who are not in the cyber security industry, incredibly overwhelming. Ideally your business needs to take the time to understand its security landscape and decide what suits best. However, do bear in mind that any Government and industry advice is a strong base to start with.
Why not check against the NCSC’s 10 Steps to Cyber Security by using Huntsman’s Essential Guide to measure your cyber security strength against the 10 steps and develop a plan to complete them all?
The purpose of an ISMS
An Information Security Management System (ISMS) is the fundamental process model for your information security management, or to be plain, how you run your security practices. ISO 27001 lists over 100 things you should consider, known as controls, some of which might apply and some of which may not.
It’s up to you, as the manager of your business’s security, to decide what the scope of your ISMS is, since it may not be appropriate to focus too much energy on certain aspects of your business, especially if they hold no valuable information, are not business critical or are run by a third party. If you outsource, for example, your payroll services to a service provider, put the onus on them to be compliant with a security standard and don’t try to do it yourself.
Delivering Security Controls using your ISMS
If someone tells you that ASD’s Essential Eight is the best set of controls for your business, it doesn’t mean you don’t use an ISMS. Your ISMS is simply your security procedures manual for how you keep your business secure.
You can use your ISMS to deliver the Essential Eight series of controls, which include obvious things such as taking good backups and patching your IT systems. For backups, the ISMS might define the process by which the backup engineers take the tapes (or SSDs) offsite and store them in a fireproof safe. The ISMS is the management system, delivering the outcome of a well-managed backup capability, involving people, processes and technology.
Choosing the Right Security Technology
There are always things that you need when you build any kind of Internet-connected business solution, such as a firewall to protect you from external hackers. Some of these basic design patterns transcend the advice of standards or compliance frameworks since they are so fundamental to safe and secure operations. However, other technology choices are not so obvious; Security Information and Event Management (SIEM) systems are one example.
The Power of SIEM
SIEM technology can ingest millions upon millions of security events from operating systems, applications, network devices, and even cloud-based systems, and uses specially crafted algorithms to look for attacks. An attack might not be obvious from any one or even a small number of events, but correlating across many devices and endpoints, and using behavioural analysis, a SIEM can notify you that something suspicious is going on. This sounds great, but it also sounds expensive and complicated to set up, right? Well, not really.
What’s interesting is that the SIEM does all the heavy lifting for you. You’ll find that one line in the ISO 27001 ISMS standard suggests you should monitor system and security logs for signs of an attack and keep those logs, so that you can investigate issues in the future, should you need to.
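To illustrate the cross-device correlation described above, here is an added example (not Huntsman’s or any SIEM product’s code) that runs a simple rule over a handful of constructed authentication events: each host on its own sees only a single failed login, so a per-device threshold never fires, but correlating on the source address across hosts reveals a spray of failures followed by a success. The log format, hostnames and addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): "timestamp host outcome user src"
SAMPLE_LOGS = """\
2024-03-01T09:00:05 web01 auth_failure user=admin src=198.51.100.7
2024-03-01T09:00:41 db02 auth_failure user=admin src=198.51.100.7
2024-03-01T09:01:12 app03 auth_failure user=admin src=198.51.100.7
2024-03-01T09:01:50 web01 auth_failure user=bob src=192.0.2.10
2024-03-01T09:02:30 fs04 auth_success user=admin src=198.51.100.7
2024-03-01T09:03:00 web01 auth_success user=bob src=192.0.2.10
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Turn one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def per_host_threshold(events, threshold=3):
    """Single-device view: flag only when one host alone sees >= threshold failures."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "auth_failure":
            counts[(e["host"], e["src"])] += 1
    return [key for key, n in counts.items() if n >= threshold]

def correlate(events, window_seconds=300, min_hosts=3):
    """Cross-device view: a source that fails on >= min_hosts distinct hosts within
    the window and then succeeds anywhere is raised as one alert."""
    failures = defaultdict(list)  # src -> [(timestamp, host)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "auth_failure":
            failures[e["src"]].append((e["ts"], e["host"]))
        elif e["event"] == "auth_success":
            recent = {h for t, h in failures[e["src"]]
                      if (e["ts"] - t).total_seconds() <= window_seconds}
            if len(recent) >= min_hosts:
                alerts.append({"src": e["src"], "user": e["user"],
                               "failed_hosts": sorted(recent), "success_host": e["host"]})
    return alerts

EVENTS = [e for e in map(parse, SAMPLE_LOGS) if e]
```

Retaining the raw events, as the ISO 27001 control suggests, is what makes it possible to re-run a rule like this later with different thresholds or windows when investigating an incident.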
What you might find strange, though, is that the Essential Eight doesn’t mention auditing at all. There is no mention of monitoring logs or events and no requirement to store these logs for retrospective investigations. This seems like an oversight, but if you consider that logging and monitoring, like other fundamental technologies such as firewalls and antivirus products, are simply required, then there is a reason for this apparent omission.
Choose Security Controls to improve your Cyber Security Posture
When you decide to pursue a better security posture, security controls recommended by governments provide a very strong base from which to build. You should approach any strategy in the context of your organisation’s needs: people, processes, the industry you are in, compliance obligations and technology, not just one or two of these lenses.
Huntsman Security solutions can form an integral part of the controls established to meet the standards and compliance frameworks that best suit your business. We have extensive experience with customers in Government, Defence & Intelligence, Critical Infrastructure and Telecommunications, in the UK, Japan and Australia. Please contact us if you would like more information on aligning the right standards and controls for your business; we’d be delighted to talk with you.