Traditional cyber security is proving an increasingly inadequate response to the modern cyber threat landscape. It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience to these attacks – identifying and responding to security breaches – will become a critical survival trait in the future.
Cyber resilience is a key principle underpinning ISO 27001, and the wider issue of ICT’s role in business continuity is covered by ISO 27031. Continue reading as we explain a cyber resilience strategy in more detail.
Figures from the Department for Business, Innovation and Skills (BIS) 2015 Information Security Breaches survey show that 90% of large organisations and 74% of small organisations suffered a data breach in 2014. Now that suffering a breach is almost inevitable, cyber security methods can no longer be completely relied upon to secure an organisation’s operations. The only sensible response is to adopt a robust cyber resilience strategy.
Cyber resilience = cyber security + business resilience
Cyber resilience is a broader approach, which encompasses cyber security and business resilience, and aims not only to defend against potential attacks but also to ensure your survival following a successful attack. An effective approach to cyber resilience is twofold:
Ensure your cyber security is as effective as possible without compromising the usability of your systems.
Ensure you have robust business continuity plans in place that cover your information assets so that you can resume normal operations as soon as possible if an attack is successful.
Two International Standards provide the main guidance you need:
ISO 27001, which details the implementation of an information security management system (ISMS); and
ISO 22301, which details the implementation of a business continuity management system (BCMS).
Within the bounds of the broader ISO 22301 standard, it is also worth considering the guidance in ISO 27031, which applies specifically to information and communication technology business continuity. The requirements of ISO 27001 and ISO 22301 are mutually compatible, so the two management systems can be implemented together.
Cyber Essentials Scheme
The Cyber Essentials Scheme was developed by the UK Government to help businesses deal with the business-critical issue of cyber security and cyber resilience. The scheme provides a set of controls that organisations can implement to achieve a basic level of cyber security.
Withstand up to 80% of cyber attacks by obtaining certification to Cyber Essentials from as little as £300.
ISO 27001 offers a cohesive approach, recognising that effective cyber security is a cultural as much as a technological issue, and addresses people, processes and technology. An ISMS helps you coordinate your security efforts across your organisation, will ensure that your systems are as safe as possible, and will reassure your customers, suppliers, shareholders and stakeholders that you are following international best-practice guidelines.
For all products and services relating to ISO 27001, please visit our webshop.
Business continuity for information and communication systems is fundamental to an ISMS. ISO 27031 (Guidelines for ICT Readiness for Business Continuity) provides detailed and valuable guidance on how this critical aspect should be tackled.
While development of a broad business resilience strategy should fit within an organisation's enterprise risk management framework, you should not delay dealing with cyber resilience simply because a wider business resilience strategy is yet to be developed. If you're not in a position to implement a standards-based approach, there are other means of addressing your cyber resilience requirements.
Published by GCHQ, the 10 Steps to Cyber Security framework sets out a simple approach to handling cyber risk to help secure your information and ensure your business thrives in the Internet Age. IT Governance can carry out a robust assessment of your performance in each of the ten areas, providing you with a tailored and usable action plan that will help you close the gap between recognised good practice and what you’re actually doing.
The 20 Critical Controls are a set of additional controls developed for organisations involved in critical national infrastructure, and they have much to offer larger organisations. Of the 20 controls, five are identified as "critical tenets".
IT Governance can provide a range of cyber resilience solutions to help you ensure your organisation is best placed to mitigate unexpected situations or events.