Fending off cyber threats

New Standard will boost IT security

By Morand Fachot

Information security breaches represent a growing threat to businesses and organizations throughout the world, costing them vast amounts every year in stolen intellectual property and confidential data. The IEC and ISO (International Organization for Standardization) recently published the second edition of the ISO/IEC 27001 Standard, which will help organizations enhance their information security.

New Standard will make it harder for criminals to gain unauthorized access to IT systems

Information security breaches costing billions

A 2013 Information Security Breaches Survey, commissioned by the UK Department for Business, Innovation and Skills, revealed that 93% of large organizations and 87% of small businesses in the UK had been victims of an information security breach during the year, with affected companies experiencing roughly a 50% increase in breaches over the previous year’s figure. The total cost to UK businesses amounts to billions and has approximately tripled over a year.

This second edition of ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements,  "takes account of past user experiences, improvements in security controls suitable for today's IT environment, namely identity theft, risks related to mobile devices and other online vulnerabilities, and aligns with other management systems", says Prof Edward J. Humphreys*, convenor of ISO/IEC JTC (Joint Technical Committee) 1 SC 27: IT security techniques, WG 1: Information security management systems. "Cyber security is not just an IT challenge, it is critical to the running of any business", he adds.

Giving clients assurances

Humphreys stresses* that "the broad applicability and usefulness of ISO/IEC 27001 provides unlimited business opportunities for managing risks and building customer confidence".

Humphreys quotes Fujitsu Chief Information Security Officer Brendan Smith as saying that "Fujitsu Australia uses ISO/IEC 27001 for internal security management, as well as integrating it with ISO/IEC 20000 [Information technology – Service management] to provide secure services to our managed clients".

Covering a wide domain

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

The Standard outlines requirements regarding the understanding of the organization and of its context, the needs and expectations of interested parties and determination of the scope of the information security management system.

It makes recommendations regarding leadership, commitment and policies, as well as actions to address risks and opportunities.

ISO/IEC 27001:2013 also addresses support matters such as resources, competence, awareness, communication, operational planning and control, information security risk assessment and issues including treatment and performance.

In addition the Standard references the information security management system family of standards (including ISO/IEC 27003, ISO/IEC 27004 and ISO/IEC 27005), with related terms and definitions.

As Brendan Smith remarked: "A key benefit of using an internationally recognized Standard such as ISO/IEC 27001 is that it gives our clients the assurance that we have implemented security management to a common level".


* ISO Focus November/December 2013

iStock_000014214548Medium New Standard will make it harder for criminals to gain unauthorized access to IT systems
bank-counter In September 2013, 8 men were arrested after hacking into computers of the local branch of a British bank, reportedly stealing GBP 1,3 million
MSdatacenter Protection of data centers against cyber attacks is vital for industry and government