Definition of CyberSecurity
Cybersecurity often is used as a buzzword everybody is talking about these days. Although, a sharp definition of what it is and how it relates to Information Security and an ISMS (Information Security Management System) keeps being unfamiliar and negligent to many people. Additionally, there is already some local legislation which uses this term, so let's first look at the term to get a better understanding.
ISO 27032 defines "Cybersecurity" as the "preservation of confidentiality, integrity and availability of information in the Cyberspace" and "Cyberspace" as "the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".
For those familiar with Information Security, the protection goals "confidentiality, integrity and availability" are already known, thus the specifics of Cybersecurity are closely related to the term Cyber Space. Simply put, Cybersecurity deals with information security wherever the internet is involved. If you look at Information Security from an organization perspective, cybersecurity appears to be a subset of Information Security where generally all ISO 27001 principles are applied. Please note, that ISO 27032 is a guideline rather than a certification standard.
Why does ISO feel that additional guidance is necessary?
While the general approach of ISO 27001, to establish a PDCA cycle based on risk management, needs to be applied to Cybersecurity, there are some unique aspects to cybersecurity that will be found rarely within the borders of your organization. Let's have a look at them.
Additional interested parties and stakeholders
In compared to an organization where all assets reside within clear defined physical borders, an organization using the Cyberspace deals with a much bigger number of interested parties and stakeholders. Interested parties are all those parties, who are giving input to your existing ISMS or expecting output from your ISMS. Some of the examples of such parties include customers, inter-trade organizations, regulation and legal bodies. Interested parties are usually defined during the planning phase of ISMS. If you are opening your organization to cyberspace, you will have to extend the list of interested parties accordingly. The purpose of this exercise is mainly to clarify who your communication partners are and to specify which kind of information needs to be interchanged, and what the triggers are.
Collaborative use of Assets with Multiple Owners
The internet is a shared medium. If you are using a service on the internet you might not even be aware of all parties involved. Within the physical boundaries of an organization, you usually are. There are services at various layers of the communication stack involved, starting with the carriers up to cloud service providers that rely on each other. Nevertheless, your management responsibilities do not change. The implication is that you have to adjust your context of the organization, interested parties, policies, your "risk assessment process" and various roles. ISO 27001 requires that every asset needs to have one owner. The owner is in the driver seat for assessing risks and caring about remediation. As the borders of the organization dissolve, as a consequence of using the cyberspace, the challenge of mapping the virtual assets to owners in your organization appears.
IoT (Internet of Things)
IoT denotes small devices for specific purposes and limited hardware resources. Usually, they do not have extensive configuration options and are deployed in huge numbers and all communicate over the internet. A big challenge here is how to patch them if security vulnerabilities are found. Most likely, these devices operate by your customers, who usually can't be forced to install a software update. Additionally, you might not even know the name of the customer using the device. As ownership and responsibilities are cornerstones of an ISMS, you will have to think about which provisions need to be made to your patch management process, incident management, and customer communication, just to name the most prominent areas.
Specific Cybersecurity Threats
There are a plethora of external threats to care about if you start making the cyberspace a part of your business model. Just to name a few, you should be prepared to deal with Denial of Service (DOS), Phishing, Clickjacking, Social Engineering and Backdoors. You should assess, whether you are vulnerable to those kinds of threats and what controls and measures would be appropriate to detect, mitigate and correct any impacts that might arise from the various attack vectors. Awareness and training, as well as incident management, are in the focus of adjustments in order to make your ISMS Cybersecurity ready.
Public visibility of incidents
If there is a security breach where many of your customers are involved, chances are high that you will not be able to keep it a secret for very long, due to the huge number of affected parties. Even attempting to keep an incident a secret might be a bad strategy, because you might appear as completely clueless. Additionally, your local legislation might require that you report a major security incident within a short defined timeframe to authorities. Thus, provisions to the incident handling process, business continuity management and communication plans with authorities, the press and customers need to be made.
Putting it all together, if you have an existing ISMS, it would be best to get ready for Cybersecurity by implementing the adjustments necessary through a project, that goes through the full PDCA cycle similar to an initial ISMS implementation project. The difference is that many processes and controls you will identify as necessary are already there, thus only the gap needs to be addressed.
Here at PECB, we take cybersecurity very seriously, and in order to help professionals and companies worldwide to be better prepared, we have embraced Cybersecurity Management in our offerings. PECB is a certification body for persons on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise in multiple fields, including Cybersecurity Management Training Courses.
About the author
Friedhelm Düsterhöft is a Senior IT Security Consultant and Managing Director of msdd.neT GmbH, offering ISO 27001 implementation, audit and training services. Please contact him at fd@msdd.net to discuss your specific needs and challenges. msdd.neT is an official PECB partner.
About the contributor
Gezim Zeneli is a Portfolio Marketing Manager for IT Security at PECB. He is in charge of conducting market research while developing and providing information related to IT Security Standards. If you have any questions, please do not hesitate to contact: marketing.sec@pecb.com.