Traditional cybersecurity is proving an increasingly inadequate response to the modern cyber threat landscape. It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organization’s resilience to these attacks—identifying and responding to security breaches—will become a critical survival trait in the future.
Cyber resilience is a key principle underpinning ISO 27001, and the wider issue of ICT’s role in business continuity is covered by ISO 27031. Continue reading as we explain a cyber resilience strategy in more detail.
Figures from the Department for Business, Innovation and Skills (BIS) 2015 Information Security Breaches survey show that 90% of large organizations and 74% of small organizations suffered a data breach in 2014. Now that suffering a breach is almost inevitable, cybersecurity methods can no longer be completely relied upon to secure an organization’s operations. The only sensible response is to adopt a robust cyber resilience strategy.
Cyber resilience = cybersecurity + business resilience
Cyber resilience is a broad approach, encompassing cybersecurity and business resilience, and aims to not only defend against potential attacks but also to ensure your survival following a successful attack. An effective approach to cyber resilience is twofold:
Ensure your cybersecurity is as effective as possible without compromising the usability of your systems.
Ensure you have robust business continuity plans in place that cover your information assets, so that you can resume normal operations as soon as possible if an attack is successful.
Two International Standards provide the main guidance you need:
ISO 27001, which details the implementation of an information security management system (ISMS)
ISO 22301, which details the implementation of a business continuity management system (BCMS).
Within the bounds of the broader ISO 22301 standard, it is also worth considering the guidance in ISO 27031, which applies specifically to information and communication technology business continuity. The requirements of ISO 27001 and ISO 22301 are mutually compatible.
Cyber Essentials Scheme
The Cyber Essentials Scheme was developed by the UK Government to help businesses deal with the business-critical issue of cybersecurity and cyber resilience. The scheme provides a set of controls that organizations can implement to achieve a basic level of cybersecurity.
ISO 27001 offers a cohesive approach, recognizing that effective cybersecurity is a cultural issue as much as a technological one, and it addresses people, processes, and technology. An ISMS will help you coordinate your security efforts across your organization, will ensure that your systems are as safe as possible, and will reassure your customers, suppliers, stockholders, and stakeholders that you are following international best-practice guidelines.
Business continuity for information and communication systems is fundamental to an ISMS. ISO 27031 (Guidelines for ICT Readiness for Business Continuity) provides detailed and valuable guidance on how this critical aspect should be tackled.
While the development of a broad business resilience strategy should fit within an organization's enterprise risk management framework, you should not delay dealing with cyber resilience simply because a wider business resilience strategy is yet to be developed. If you’re not in a position to implement a standards-based approach, there are other means of addressing your cyber resilience requirements.
Published by GCHQ, the 10 Steps to Cyber Security framework sets out a simple approach to handling cyber risk, helping you secure your information and ensure your business thrives in the Internet Age. IT Governance can carry out a robust assessment of your performance in each of the ten areas, providing you with a tailored and usable action plan that will help you close the gap between recognized good practice and what you’re actually doing.
The 20 Critical Controls is a set of additional controls developed for organizations involved in critical national infrastructure, and it has much to offer larger organizations. The 20 controls are built on five “critical tenets.”
IT Governance can provide a range of cyber resilience solutions to help you ensure your organization is best placed to mitigate unexpected situations or events.