International Management Standards and the Cyber Risk ... · ISO/IEC JTC 1/SC 27. Dr Andreas WOLF...


Page 1: International Management Standards and the Cyber Risk ... · ISO/IEC JTC 1/SC 27. Dr Andreas WOLF (Chair), Dr Marijke DE SOETE (Vice -Chair), Krystyna PASSIA (Secretary DIN) WG 1.

International Security Management Standards and the Cyber Risk Landscape

Prof. Edward Humphreys (SC 27/WG 1 Convenor)

SC27-NORWEGIAN BUSINESS FORUM @ 4th Sept 2018

Page 2:

Global Risk

• 4th Industrial Revolution
• Supply Chain
• Digital Economy
• Internet Governance
• IoT
• AI and Robotics
• Big Data
• Autonomous Systems
• Disruptive Technology and Innovation
• Smart Cities, Systems and Devices
• Cyber Security and Privacy
• Healthcare Supply
• Financial Systems
• Transportation Systems
• Food Supply
• Insurance
• Asset Management
• Nuclear
• International Trade

Global risk categories: economic, environmental, societal, geopolitical, technological

Page 3:

Cyber Security Risk

• THREATS AND RISKS
  • Risks to operations, information, people, processes, services, applications, and technology
  • Threats to society and consumers
  • Threats to national infrastructure
• IMPACT
  • Financial loss, disruption or damage to systems and services due to the destructive power of a cyber attack/incident
  • Leakage, theft, destruction of critical and sensitive information
• CYBER SECURITY RISK THRESHOLDS
  • Limiting the disruptive and destructive power and energy of the cyber attack
  • Cyber defence/preparedness, response and recovery

Page 4:

International Standards for Cyber Risk

The aim of the global international standards community, developers and interested parties is to develop international CYBER SECURITY and PRIVACY standards to help fight against CYBER CRIME and GLOBAL RISKS.

Implementation of international cyber standards can help organisations and governments to:
• Reduce and minimise the cyber risks
• Minimise the impact and destructive effects of cyber attacks
• Protect their investment in the IT-based systems, services and infrastructure they use, and protect their sensitive and critical information

Page 5:

Sustainable versus Disruptive Innovation and Technology: Challenges for Information Security and Privacy

• Disruptive innovation/technology replaces and disrupts existing technology, services and processes creating new business opportunities and new industries, and also creates new cyber risks.

• Being responsive and adaptable to disruption, innovation and associated risks

• Sustainable strategy towards disruptive innovation – embrace disruptive innovation in a manageable and adaptive way – MANAGING CHANGE AND REVIEW

Page 6:

ISO/IEC JTC 1/SC 27
Dr Andreas WOLF (Chair), Dr Marijke DE SOETE (Vice-Chair), Krystyna PASSIA (Secretary, DIN)

• WG 1: Information security management systems (Convenor: Prof. Edward HUMPHREYS)
• WG 2: Cryptography and security mechanisms (Convenor: Takeshi CHIKAZAWA)
• WG 3: Security evaluation, testing and specification (Convenor: Miguel BAÑÓN)
• WG 4: Security controls and services (Convenor: Johann AMSENGA)
• WG 5: Identity management and privacy technologies (Convenor: Prof. Kai RANNENBERG)

75 countries (NSBs) involved (51 P-members and 25 O-members); 36 external liaison bodies (L-members); 32 internal liaisons; 950+ experts (NSBs + liaison bodies)

Total number of projects = 264; number of active projects = 88; published standards = 182

Page 7:

[Figure: organisational diagram of ISO/IEC JTC 1/SC 27 and its working groups WG 1 to WG 5]

Page 8:

ISO/IEC 27001 ISMS – Cyber Ready Business

[Figure: ISMS cycle – identify, plan, execute, review]

ISMS Strategy:
• Identify and Anticipate
• Plan and Prepare
• Execute and Protect
• Review, Measure and Detect

Reactive & Responsive; Adaptive (business plasticity)

CONTINUAL IMPROVEMENT: CYBER READY BUSINESS

27001: Managing Cyber Risk

Page 9:

ISO/IEC 27001 ISMS

[Figure: ISMS continual improvement cycle – identify, plan, execute, review]
• Business Context, Risk Strategy
• Risk Assessment and Treatment
• Implement Cyber Risk Controls, Processes and Procedures
• Monitoring, Review and Improvement of Cyber Risk Management

ISO/IEC 27001 specifies requirements to facilitate the on-going management of Cyber Risk through the process of continual improvement.

Page 10:

ISO/IEC 27001 ISMS – Managing Cyber Risk

ISMS CONTINUAL IMPROVEMENT: Identify, Plan, Execute, Monitor/review (reactive/adaptive)

CYBER DEFENCE FUNCTIONS (ISO/IEC 27103 framework): Identify, Protect, Detect, Respond, Recover

• IDENTIFY: Business Environment and Context; Risk Assessment; Risk Management Strategy; Governance; Asset Management
• PROTECT: Access Control; Awareness and Training; Data Security; Information Protection Policies, Processes and Procedures; Maintaining Controls
• DETECT: Monitoring and Detection Processes; Incident Handling Management Processes
• RESPOND: Response Planning and Management Process; Continual Improvements; Communications
• RECOVER: Recovery Planning and Management Processes; Continual Improvements; Communications

ISMS continual improvement: reduce cyber risks

[Figure: ISMS continual improvement cycle – identify, plan, execute, review]

Page 11:

Application of the ISO/IEC 27001 Family (horizontal and vertical standards)

Horizontal standards: ISO/IEC 27001 (ISMS reqs.), ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005

Vertical standards: SECTOR SPECIFIC, APPLICATION SPECIFIC, SERVICE SPECIFIC

Examples: telecoms, energy, healthcare, IoT, cloud services guidelines, smart cities, transportation

Page 12:

International Conformity Assessments

The development of INTERNATIONAL CYBER STANDARDS through cooperation, joint sharing and learning, and consensus building, provides:

• Improved protection, security and safety for all interested parties
• Basis for CONFORMITY ASSESSMENTS (CERTIFICATION, TESTING AND INSPECTION)
• Basis of mutual understanding and a common language to facilitate communications, innovation, trading and global governance
• Complements and supports national cyber policies and programmes

Page 13:

Cyber Certification, Testing and Evaluation

• ISO/IEC JTC 1/SC 27 WG 1
  • MANAGING CYBERSECURITY RISKS (ISO/IEC 27000 family)
    • Information Security Management System (ISMS) (ISO/IEC 27001)
    • Guidelines (ISO/IEC 27002-27005)
    • Sector Specific (ISO/IEC 27010-27019)
    • Security Controls and Services (ISO/IEC 27031-27045)
    • Cyber Standards (ISO/IEC 27100-27103)
  • CERTIFICATION (ISO/IEC 27006-27008)
• ISO/IEC JTC 1/SC 27 WG 3 (Miguel Bañón – Convenor)
  • SECURITY EVALUATION AND TESTING (ISO/IEC 15408 Common Criteria family and related standards) – IT systems, components, and products

Page 14:

Application of 27001 certification to sectors, applications and services

[Figure: 27001 CYBER RISK ASSESSMENT and CYBER RISK TREATMENT, with CONTROLS FROM a sector standard, application standard, service standard, … (the "27001 cyber related standards")]

ISO/IEC 27009 – Sector specific application of ISO/IEC 27001 – ISMS requirements

Cyber application of 27001

Page 15:

Cyber risk management certification – Managing Cyber Risk

ISO/IEC 27001 and ISO/IEC 27009 (27001 cyber related standards)

[Figure: ISMS cycle – Business Context, Risk Strategy; Risk Assessment and Treatment; Implement Cyber Risk Controls, Processes and Procedures; Monitoring, Review and Improvement of Cyber Risk Management]

AUDIT ACTIONS TO CHECK
• Business context, requirements, risk strategy
• Risk management processes
  • Risk assessment
  • Risk treatment
  • Determination of controls
• Implementation processes and operations
• Monitoring and review processes
• Improvement process

AUDIT ACTIONS TO CHECK
• Policies, procedures, processes
• Management commitment
• Awareness and training

Page 16:

ISO/IEC 27001 ISMS – Global Certifications

Year   Total number of certifications
2008   15,000
2010   20,000
2012   29,000
2014   41,000
2016   63,000

Sectors: on-line services, telecoms, financial, IT services, utilities, healthcare, transport

Certifications by region: Asia (38%), Europe (31%), Americas (20%), MEA (11%)

Page 17:

THANKS FOR LISTENING

Prof. Edward Humphreys (SC 27/WG 1 Convenor)

SC27-NORWEGIAN BUSINESS FORUM – 4th Sept 2018