The ISO 27000 family of international standards is a set of best practices that helps organisations improve their information security. It defines the requirements for an Information Security Management System (ISMS), a systematic approach to cyber risk, and it can provide the framework needed to implement Information Governance in an organisation. The family contains 46 individual standards; in most cases, the following three are sufficient to describe, implement and operate an appropriate ISMS:
- ISO 27000 Overview and vocabulary
- ISO 27001:2013 Information security management systems (ISMS), which groups the requirements for establishing, implementing, operating, monitoring, reviewing and maintaining an ISMS within the organisation
- ISO 27005:2018 Information security risk management, a guide for a process-oriented risk management approach to assist in implementing the ISO 27001 framework.
Securing information is achieved through the implementation of a set of controls that ensure its confidentiality, integrity and availability. In Information Security (IS) the scope also covers non-digital information, so physical access control to paper records or to premises, for example, is also considered. The management aspect involves monitoring and making the decisions necessary to achieve business goals while protecting the organisation's information assets. This is accomplished through the formulation and application of policies, procedures and guidelines that are then applied throughout the organisation by all individuals. The standard highlights the importance of risk assessment (identify, quantify and prioritise), of risk treatment, and of the continual improvement of the ISMS.
The ISO 31000 – Risk Management standard (ISO, 2018) gives organisations guidelines on how to integrate risk-based decision making into their governance, planning, management, reporting, policies, values and culture. Since it is an open, principles-based system, organisations have the flexibility to adapt it to their needs. The same guidelines describe the principles, framework and processes for managing risk, which may already exist within an organisation and only need to be adapted or improved. This is represented in Figure 6 (ISO, 2018), where the relationship between the macro elements, i.e. the risk management framework, principles and process, is indicated.
The importance of the internal and external context is emphasised, as well as alignment with the business objectives and a correct evaluation of the organisation's risk appetite and tolerance. Once these have been clarified, a sequence of risk identification, analysis and evaluation is recommended, ending in risk treatment via a risk treatment plan (RTP). Continual improvement and assurance of the implemented framework require a feedback loop of monitoring, review, recording and reporting.
Cyber Essentials (CE) is a UK government-backed scheme, supported by the National Cyber Security Centre (NCSC), designed to protect organisations against a whole range of the most common cyber attacks. Successful completion results in a Cyber Essentials certification valid for 12 months. Through its questionnaire and recommended actions, customers can benefit from:
- Better prevention of cyber attacks
- The ability to demonstrate supply chain security
- Increased opportunities for business expansion
- Eligibility for possible collaboration with the UK Government and the MoD
In its basic scheme, achievable through a self-assessment questionnaire, CE offers a base-level security certification, which validates the organisation's awareness of cyber threats and ensures that key controls are in place. Cyber Essentials Plus, however, requires an external audit of the key controls operating within the organisation, covering employees and contractors, their work (from local or remote locations) and their access.
It also includes a vulnerability assessment, penetration testing and an overall on-site assessment.
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a control framework published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce. Its security and privacy controls are intended to facilitate risk management and compliance with regulations, policies and standards, and with the applicable federal laws, executive orders and directives.
NIST's Cybersecurity Framework (CSF) is organised around five functions: Identify, Protect, Detect, Respond and Recover.
NIST 800-53 is addressed to federal agencies and their contractors that manufacture systems and system components or create security and privacy technologies, and also to individuals with responsibilities in system development and oversight, risk management, (information) security, privacy implementation, assessment and monitoring, and logistics or disposition. It is a vast and mature document containing 20 control families. It is used predominantly by entities registered and/or operating in the USA, but also by organisations engaged in commercial activities with the USA, and it is mandatory for federal information systems, organisations and agencies.