International Security Management Standards and the Cyber Risk Landscape
Prof. Edward Humphreys(SC 27 /WG 1 Convenor)
SC27-NORWEGIAN BUSINESS FORUM @ 4th Sept 2018
Global Risk
• 4th Industrial Revolution
• Supply Chain
• Digital Economy
• Internet Governance
• IoT
• AI and Robotics
• Big Data
• Autonomous Systems
• Disruptive Technology and Innovation
• Smart Cities, Systems and Devices
• Cyber Security and Privacy
• Healthcare Supply
• Financial Systems
• Transportation Systems
• Food Supply
• Insurance
• Asset Management
• Nuclear
• International Trade
Global risk categories: economic, environmental, societal, geopolitical, technological
Cyber Security Risk
THREATS AND RISKS
• Risks to operations, information, people, processes, services, applications, and technology
• Threats to society and consumers
• Threats to national infrastructure
IMPACT
• Financial loss, disruption or damage to systems and services due to the destructive power of a cyber attack/incident
• Leakage, theft or destruction of critical and sensitive information
CYBER SECURITY RISK THRESHOLDS
• Limiting the disruptive and destructive power and energy of the cyber attack
• Cyber defence/preparedness, response and recovery
International Standards for Cyber Risk
The aim of the global international standards community, developers and interested parties is to develop international CYBER SECURITY and PRIVACY standards to help fight against CYBER CRIME and GLOBAL RISKS.
Implementation of international cyber standards can help organisations and governments to:
• Reduce and minimise the cyber risks
• Minimise the impact and destructive effects of cyber attacks
• Protect their investment in the IT-based systems, services and infrastructure they use, and protect their sensitive and critical information
Sustainable versus Disruptive Innovation and Technology
Challenges for Information Security and Privacy
• Disruptive innovation/technology replaces and disrupts existing technology, services and processes, creating new business opportunities and new industries, and also creates new cyber risks.
• Being responsive and adaptable to disruption, innovation and the associated risks
• Sustainable strategy towards disruptive innovation: embrace disruptive innovation in a manageable and adaptive way, MANAGING CHANGE AND REVIEW
ISO/IEC JTC 1/SC 27
Dr Andreas WOLF (Chair), Dr Marijke DE SOETE (Vice-Chair), Krystyna PASSIA (Secretary, DIN)
WG 1: Information security management systems (Convenor: Prof. Edward HUMPHREYS)
WG 2: Cryptography and security mechanisms (Convenor: Takeshi CHIKAZAWA)
WG 3: Security evaluation, testing and specification (Convenor: Miguel BAÑÓN)
WG 4: Security controls and services (Convenor: Johann AMSENGA)
WG 5: Identity management and privacy technologies (Convenor: Prof. Kai RANNENBERG)
75 countries (NSBs) involved (51 P-members and 25 O-members); 36 external liaison bodies (L-members); 32 internal liaisons; 950+ experts (NSBs + liaison bodies)
Total number of projects = 264; number of active projects = 88; published standards = 182
ISO/IEC 27001 ISMS – Cyber Ready Business
ISMS strategy cycle (identify, plan, execute, review):
• Identify and Anticipate
• Plan and Prepare
• Execute and Protect
• Review, Measure and Detect
Reactive and Responsive; Adaptive (business plasticity)
CONTINUAL IMPROVEMENT leads to a CYBER READY BUSINESS
ISO/IEC 27001 ISMS – Managing Cyber Risk
Cycle of the 27001 ISMS:
• Business Context, Risk Strategy
• Risk Assessment and Treatment
• Implement Cyber Risk Controls, Processes and Procedures
• Monitoring, Review and Improvement of Cyber Risk Management
ISO/IEC 27001 specifies requirements to facilitate the ongoing management of cyber risk through the process of continual improvement.
ISO/IEC 27001 ISMS – Managing Cyber Risk
ISMS CONTINUAL IMPROVEMENT: Identify, Plan, Execute, Monitor/review (reactive and adaptive)
CYBER DEFENCE FUNCTIONS (ISO/IEC 27103 framework): Identify, Protect, Detect, Respond, Recover
• IDENTIFY: Business Environment and Context; Risk Assessment; Risk Management Strategy; Governance; Asset Management
• PROTECT: Access Control; Awareness and Training; Data Security; Information Protection Policies, Processes and Procedures; Maintaining Controls
• DETECT: Monitoring and Detection Processes; Incident Handling Management Processes
• RESPOND: Response Planning and Management Process; Continual Improvements; Communications
• RECOVER: Recovery Planning and Management Processes; Continual Improvements; Communications
ISMS continual improvement reduces cyber risks.
Application of the ISO/IEC 27001 Family (horizontal and vertical standards)
Horizontal: ISO/IEC 27001 (ISMS reqs.), ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005
Vertical (SECTOR SPECIFIC, APPLICATION SPECIFIC, SERVICE SPECIFIC): sector specific, e.g. telecoms, energy, healthcare; application and service specific, e.g. IoT, cloud services guidelines, smart cities, transportation
International Conformity Assessments
The development of INTERNATIONAL CYBER STANDARDS through cooperation, joint sharing and learning, and consensus building, provides:
• Improved protection, security and safety for all interested parties
• Basis for CONFORMITY ASSESSMENTS (CERTIFICATION, TESTING AND INSPECTION)
• Basis of mutual understanding and a common language to facilitate communications, innovation, trading and global governance
• Complements and supports national cyber policies and programmes
Cyber Certification, Testing and Evaluation
ISO/IEC JTC 1/SC 27 WG 1:
• MANAGING CYBERSECURITY RISKS (ISO/IEC 27000 family)
  • Information Security Management System (ISMS) (ISO/IEC 27001)
  • Guidelines (ISO/IEC 27002-27005)
  • Sector Specific (ISO/IEC 27010-27019)
  • Security Controls and Services (ISO/IEC 27031-27045)
  • Cyber Standards (ISO/IEC 27100-27103)
• CERTIFICATION (ISO/IEC 27006-27008)
ISO/IEC JTC 1/SC 27 WG 3 (Miguel Bañón – Convenor):
• SECURITY EVALUATION AND TESTING (ISO/IEC 15408 Common Criteria family and related standards) for IT systems, components and products
Application of 27001 certification to sectors, applications and services
ISO/IEC 27001 CYBER RISK ASSESSMENT and CYBER RISK TREATMENT, with CONTROLS drawn from a sector standard, an application standard, a service standard, etc.
ISO/IEC 27009 – Sector specific application of ISO/IEC 27001 – ISMS requirements
Cyber application of 27001: ISO/IEC 27001 together with the 27001 cyber related standards gives cyber risk management certification.
Managing Cyber Risk: ISO/IEC 27001 and ISO/IEC 27009
AUDIT ACTIONS TO CHECK
• Business context, requirements, risk strategy
• Risk management processes: risk assessment, risk treatment, determination of controls
• Implementation processes and operations
• Monitoring and review processes
• Improvement process
AUDIT ACTIONS TO CHECK
• Policies, procedures, processes
• Management commitment
• Awareness and training
ISO/IEC 27001 ISMS – Global Certifications
Year   Total number of certifications
2008   15,000
2010   20,000
2012   29,000
2014   41,000
2016   63,000
Sectors: on-line services, telecoms, financial, IT services, utilities, healthcare, transport
Regional share: Asia (38%), Europe (31%), Americas (20%), MEA (11%)
THANKS FOR LISTENING
Prof. Edward Humphreys (SC 27/WG 1 Convenor)
SC27-NORWEGIAN BUSINESS FORUM, 4th Sept 2018