Security standards and frameworks are used as a mechanism to prove that an organisation has reached a certain level of maturity in its security posture. They are also used to pass supplier checks, to apply for cyber insurance and, in some cases, as a requirement for working with government organisations.
Nevertheless, the frameworks themselves are deliberately written at a high level and kept vague so that they can be applied by many organisations in many different scenarios, with little or no advice on how the controls should be implemented.
This leaves much room for interpretation and opens potential gaps: risks that the controls do not cover, or that they do not advise their readers to address.
The Oxford Dictionary defines "standards" as "a level of quality or attainment." When it comes to standards for cyber security, the following definition offers several useful principles (CGI, 2019):
“Cybersecurity standards can be defined as the critical means by which the direction described in an enterprise's cybersecurity strategy and policies are translated into actionable and measurable criteria.”
One of the most prominent Information Security standards is ISO:27000 (Culot, 2021) (Milicevic, 2010), a series of Information Security standards in which certification is awarded against ISO:27001. ISO:27002 is a complementary code of practice that suggests which controls are needed to reach the level required for certification. This is a large set of controls, broken down into specific areas, and these areas are in turn broken down into domains that are all interconnected. Whilst discussed in more depth later in this thesis, it is important to set the scene with the highlights.
The ISO:27001 Framework covers legislative, governance and technical elements. The Security Policy section focuses on leadership and on business and security culture. The Corporate Security portion looks at best practices for implementing an internal security team, along with more specific focus areas such as creating a secure Mobile Device Management process. The Personnel Security domain focuses on HR security practices and reviews the Joiner, Mover and Leaver process. Furthermore, the Organisation's Assets section focuses on best practices around Data Classification and on the implementation of physical data rules and responsibilities.
There are also more practical areas of the Framework, such as Information Assets, which reviews Identity and Access Management, and Cryptography, which covers the essential management controls. Further to this, there is a domain on Physical Security, which reviews protected areas and access to them, and the securing of an organisation's assets such as hardware and devices.
Technical areas are also covered, including Operational Security; this is a large section of the Framework that reviews the organisation's day-to-day running. Areas covered in the domain include documented responsibilities, malware protection, disaster recovery, software inventory, vulnerability management, logging and access control. Network Security is also covered, focusing on networking best practices, with System Security reviewing operating system hardening and Secure Development best practices.
There are also business process areas such as Supplier Relationships, which cover supplier management, Incident Management and business continuity; these involve creating playbooks (sometimes referred to as run books), incident logs and registers. Further to this, the Framework covers Security Legal requirements based on scope and jurisdiction. Alongside ISO:27001, I will also be researching the Cyber Essentials Framework. Cyber Essentials is a simple but effective, Government-backed scheme that helps to protect organisations, whatever their size, against a whole range of the most common cyber attacks (NCSC, 2020).
In recent years there has been a slight shift in how an organisation's security posture is reviewed, from an academic, defensive mindset towards a more offensive assessment. The MITRE ATT&CK Framework has become one of the more popular methods and has created a better understanding of the "Cyber Kill Chain" (Lockheed Martin, 2020). This more practical understanding, taken from an attacker's perspective, produces a different set of priorities and controls for protecting organisations.
Whilst this blog post has provided only a very high-level overview of these frameworks, it is clear that there are many pieces to put together to make a well-rounded security posture. The three chosen frameworks are very good at creating a baseline or a standard blueprint to follow; however, they do not suggest that an organisation becomes invulnerable to cyber attack by following their controls. As organisations change their controls to mitigate cyber attacks, attackers keep changing their tactics to counter these defensive controls.
“This raises the question: are these well-documented frameworks still relevant today, and are they updated frequently enough to stay current in this digital age?”
CGI, 2019. Understanding Cybersecurity Standards. s.l.: CGI.
Culot, G. N. G. P. M. S. M., 2021. The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda. The TQM Journal, 33(7), pp. 76-105.
Milicevic, D. G. M., 2010. Ontology-Based Evaluation of ISO 27001. Software Services for E-World, Volume 341, pp. 93-102.
NCSC, 2020. Cyber Essentials. [Online] Available at: https://www.ncsc.gov.uk/cyberessentials/overview
Lockheed Martin, 2020. Cyber Kill Chain. [Online] Available at: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html