ISO27001, the standard for information security, has recently had a face-lift. It is claimed that ISO27001 is the second largest selling management systems standard in the world and one might assume that this means there has been a significant uptake in its global implementation. The numbers of standards sold is not too surprising. It has been around since 2007 and was essentially derived from BS7799 (1995) and ISO17799 (2000), so information security professionals have had two decades to get used to it. How influential it has been in changing attitudes to security is less clear, some see it as the most important landmark in getting to topic on the management agenda; others see it as too inflexible and procedure based to help counter the real threats posed today by cyber criminality.
Given the strength of some arguments about the value of ISO27001 in a modern context, the need for a face-lift seemed obvious. Many argue that we need a whole new and more agile approach to dealing with cyber threats— and perhaps rigid frameworks like ISO27001 are counterproductive. An analogy that has been made is that the minute tsetse fly is now the biggest threat to human life in Africa, killing the victim slowly following an almost imperceptible bite. Is ISO27001 the equivalent of rifles designed for shooting lions and rhinos when we what we need is new preventative measures and changes in human behaviour? Organizations must be as agile and proactive as the attackers. Frameworks developed for the old world may make this harder.
If this criticism is valid then we have to question whether the revisions to ISO27001 address the main concerns. I think it is fair to say that they do not; there are very little changes and those that have been made are mainly to bring it in line with the administrative requirements now required by ISO. All management systems standards need to follow a structure defined by Annex S1 which is part of a wider ISO directive. In fact old our friend ISO22301 was the first standard to be built against that directive so all the older standards have to play catch-up. The new format for ISO27001 will thus appear very familiar to BC professionals. There are a couple of areas of improvement; beefing up the requirements for performance monitoring and bringing in the outsourced operations. Both additions are very positive improvements in my view.
Perhaps one of the real issues we need to consider is what we mean by information security and cyber resiliency. I do not believe they are necessarily the same thing, although you can’t really have one without the other. A cyber resilient organisation is one that goes beyond compliance. It is one that requires strong, clear leadership and a business model that is flexible, adaptable and agile. It needs to be multi-functional and operate outside of the traditional information security technical expert silo. It must to work closely with all other resilience disciplines as well as understanding business priorities and the key executive concerns.
So does another standard ISO/IEC 27032 provide a better approach? ISO/IEC 27032 claims to address cybersecurity, which it defines as the “preservation of confidentiality, integrity and availability of information in the cyberspace”. In turn cyberspace is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”. So, in reality this standard is purely about internet security. It does not address cyber-safety, cybercrime, internet safety, internet related crime or protection of critical information infrastructure, although there are oblique references to these aspects. It is also not a specification, only a guidance document so it provides some valuable insights but does not replace the need for or do the work of ISO27001.
Clearly, there are no shortages of formal approach to cyber security but resilience requires more than a traditional information security framework. Compliance against ISO27001 gives baseline protection against conventional cyber-threats, but it might not be agile enough to handle the ever changing landscape. Professionals need to beyond compliance and create organisations that are more pro-active in understanding threats and more flexible in response capability. ISO27001 is a useful tool but more fundamental cultural shifts are needed in the way organizations behave.