ISO 27001 and Cyber Defense in Depth

Alan Calder is the Group CEO of GRC International Group PLC, the parent company of IT Governance USA, and an ISO 27001 pioneer.

He led the world’s first successful implementation of ISO 27001, and has been involved in developing a wide range of information security management training courses.

Alan has also consulted for clients across the globe, and is a regular media commentator and speaker.


In this interview

  • Why organizations should implement ISO 27001
  • The importance of defense in depth
  • The intersection of ISO 27001 and defense in depth
  • The ISO 27000 family of standards
  • How ISO 27001 helps you meet your regulatory requirements
  • How to leverage CyberComply

For organizations new to the Standard, why should they consider implementing it?

ISO 27001 is the world’s foundational information security standard. Its core ideas lie at the heart of every other cybersecurity standard and regulation.

Those ideas include:

  • The CIA triad
  • Risk assessment
  • Control selection
  • Legal compliance
  • Policies and procedures
  • Continual improvement
  • Incident response and ICT continuity

The CIA triad in particular – confidentiality, integrity, and availability – can be found in every other cybersecurity framework and law.

ISO 27001 is, in effect, the framework for a cyber-defense-in-depth model. If organizations want genuine cyber defense in depth, they need to implement the Standard.

Why is cyber defense in depth so important?

It’s long been clear to me that cyber attacks are multi-pronged. The idea that you can repulse them with a single line of defense is just bonkers.

Millennia of human history teach that attackers will find their way through multiple lines of defense. Survival – or what we call ‘resilience’ in business and cyber terms – depends on having more lines of defense than an attacker can overcome.

But it’s not just about numbers. You must also diversify your types of defense.

There are three ‘pillars’ to cybersecurity and resilience: people, processes, and technology.

Cyber attacks are about more than just overcoming technical defenses. A lot of the time, the attacker also needs a person to click a malicious link. Or a breach of a best-practice process, like regularly updating software.

History also tells us that security isn’t limited to technology.

Many years ago, the way to get into a well-defended, multi-walled fortress was to subvert a gatekeeper to let you in. Even further back, the tactics involved a wooden horse.

Understanding the need for an intelligent, risk-based approach to cybersecurity drives my view that cyber defense in depth is the secret to survival for organizations.

How do these defense-in-depth principles apply to ISO 27001?

For starters, you need competent people – an explicit ISO 27001 requirement.

Human beings are a key vector for cybersecurity and privacy issues. They’re also key to solving those issues.

In other words, you need people with the right skills to do their jobs. That can include lead implementers and lead auditors, but also other appropriate qualifications, like CISM®, CISSP®, and CISA®.

Then there are roles like privacy managers and DPOs [data protection officers], and incident responders.

On top of such specialist skills, I recommend putting a staff awareness program in place to train non-technical staff on a regular basis. That’s not just for ISO 27001, but also for common threats like phishing and general cybersecurity awareness.

What else should organizations consider around ISO 27001?

Remember that ISO 27001 is supported by a family of standards, including:

  • ISO 27017 [guidelines for security controls around providing and using Cloud services]
  • ISO 27018 [code of practice for protecting personal data in public Clouds]
  • ISO 27701 [specification for a PIMS – privacy information management system]

You can add all these – pick and choose as you see fit – to the scope of your ISMS.

That way, you enable your organization to deal more effectively with information security and data privacy, including in the Cloud.

What about the regulatory side of things?

The penalties for cybersecurity failure are potentially catastrophic – for organizations and senior managers. You can’t insure against catastrophic risks.

The laws you can be fined under almost always tie into ISO 27001 – because of the CIA triad, if nothing else.

Furthermore, the Standard requires you to identify what laws apply to you.

Clause 4.2.b specifically tells you to determine the relevant requirements of interested parties to the ISMS. The Standard also has a note saying that those requirements can include “legal and regulatory requirements and contractual obligations.”

This can include a wide range of requirements, including:

ISO 27001 aside, how can organizations best meet such requirements?

I suggest they take advantage of technologies that can automate processes and help them manage their ISMS cost-effectively.

IT Governance has built a platform to achieve precisely that: CyberComply.

CyberComply offers cybersecurity and data privacy solutions for organizations aiming to demonstrate compliance with multiple regulatory requirements and stakeholder expectations.

Even though this is a technological solution, it also addresses the two other security pillars: people and processes, in part through the included documentation toolkits.