Are all Information Security standards equal?
Todd Gifford, CISSP, shares his thoughts on Information Security standards.
Information Security standards are good news for many reasons, not least of which is what I believe is their primary purpose – they offer assurance. The reason they offer assurance is that they have been drafted, reviewed and implemented by very competent, experienced and certified individuals, and are recognised in industry and public sector. They are used in supplier management frameworks, to help ensure that any given supplier is acting in a professional and responsible way when it comes to Information Security and, moving forwards, compliance with GDPR. Standards should also guide organisations, such that they implement appropriate controls across people, process and technology to minimise risk. Increasingly, organisations are turning to standards, such as ISO27001, as a way of demonstrating they are security conscious and are not exposing any of their clients to undue risk.
All this sounds great – a supplier with an accredited standard is secure, right? Well, there’s a question… Based on some of the supplier audits we have carried out for clients, this doesn’t always ring true. I do believe that standards are a good thing and should be treated appropriately during any supplier management process. However, like anything, they are not flawless. Let me explain, by offering my thoughts on two common standards in the market place:
‘Cyber Essentials’ and ‘Cyber Essentials plus’
Effectively, these are the same standard, the main difference being that the ‘plus’ requires organisations to undergo security testing on their infrastructure. For me, the clue is somewhat in the title: it is the very basic, absolutely essential things any organisation that connects its computer network to the outside world should do, in order to protect said computers and networks. If it were called ‘basic technical controls for computers and networks that connect to the internet’, I doubt very much that it would have caught on – Cyber is a great marketing term used to good effect in this instance.
What is good about it?
If implemented correctly and appropriately maintained, it does contain good controls for basic mitigation and reduction of risk from internet based threats, or hackers as they are commonly known.
What is not so good about it?
There are multiple implementations of the standard. There is more than one organisation that can certify organisations to Cyber Essentials. This means that there are different levels and different numbers of questions, depending on which organisation is chosen. From a purchase perspective, there is also another potential issue: The Cyber Essentials standard relies on the review of a submitted questionnaire, and can be thought of almost as self-certification in that respect. You can get Cyber Essentials without any more diligence than someone reading a questionnaire you have filled out. Now, I don’t want to suggest that any organisation would wilfully fill out such a questionnaire, just to get the certification, without actually implementing any of the controls (or just a few of them), but based on my own experience carrying out security reviews, this may unfortunately be a practice that some organisations are following.
Known as the gold standard for Information Security, ISO27001 is a respected and globally implemented standard. Many organisations are turning to 270001 as it’s known in the trade, as a way of providing a framework to help demonstrate compliance with GDPR. I have been involved with the standard in its various forms for twelve years and its implementation in many organisations – it is well thought out and focuses on a risk based approach.
What is good about it?
It’s a comprehensive standard on which to base and certify your organisations Information Security Management System. If offers a good framework, and if you use it in conjunction with the guidance in the form of ISO27002, then it does offer any organisation a great way of helping them to reduce their Information Security risk. As it’s a global standard and implemented the world over, so will also help suppliers and purchasers alike make informed decision about risk.
What is not so good about it?
This may seem like a contradiction, but, as a standard for Management System based on risk, it is perfectly possible to attain ISO27001 (which by the way can only happen by an official organisation, accredited by UKAS auditing you), without implementing some, or indeed many basic cyber controls. That’s not to say it isn’t a good standard, in my opinion it is, but like all things, you need to be aware of its limitations. You can also define a narrow scope for an Information Security Management System, or ISMS for short, meaning that it may not apply to the whole of an organisation – possibly not even the part you are looking to use as a supplier. This practice is being tightened up on by the various accreditation body auditors, but it is still out there. The other thing to be aware of is that because the standard focusses on risk, and risk treatment, it is possible for an accredited organisation to carry a high risk, as long as someone senior has approved it. Their risk appetite may be different to yours – so worth checking out.
Should I trust these information security standards?
I believe the appropriate phrase is ‘trust, but verify’. Depending on the level of Information Security risk, and your organisations risk appetite, you very well may need to garner further external verification on your own organisation, or any organisations which supply your organisation services and have access to your data and/or networks. The one last thing to consider around risk however – outside influence. GDPR will change the risk landscape for many organisations, most notably due to the potential fines of up to 4% of global turnover or €20 million, whichever is higher. These fines can be imposed on both the controller and processor (read customer and supplier, respectively) which I suggest should be on the risk register for all organisations. Well executed, documented and sustained Information Security practice, including good supplier management, will enable you to demonstrate you are doing everything you can should the worst happen and you do suffer a breach.
Optimising IT carry out extensive Information Security reviews for and behalf of many organisations as part of their Information Security Management Systems, including internal auditing and supplier reviews. If you are concerned about Cyber Security and your organisation, please get in touch to see how we can help.