ISO takes information security management “to another level” with new standard for market sectors

by Brian Sims

With cyber threats on the rise, in turn placing businesses and industries at risk, it’s more important than ever that organisations protect their information (and, indeed, that of their customers). The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) already publish a widely used standard for information security management, ISO/IEC 27001, and a newly published companion standard takes that a step further by helping to apply the requirements of this flagship standard to specific market sectors.

Offering more tailored protection for specific sectors (eg finance, transportation and healthcare, as well as infrastructure projects such as smart cities) has become a political, business and economic imperative, driving a need for sector-specific information security standards. The recently published ISO/IEC 27009 is aimed at standards developers rather than end-user organisations: it provides the advice and guidance needed to create standards that apply ISO/IEC 27001 to individual sectors.

ISO/IEC 27009 Information Technology – Security Techniques – Sector-Specific Application of ISO/IEC 27001 – Requirements joins the ISO/IEC 27000 family of standards to help maximise the effectiveness of ISO/IEC 27001. It explains how a sector-specific standard may add requirements and controls to those in ISO/IEC 27001 that apply to its sector, so that such standards are developed consistently across the family.

Professor Edward Humphreys, the convenor of ISO/IEC JTC 1/SC 27/WG 1 (the Working Group that developed the standard), explained that ISO/IEC 27001 is the international common language for information security management. ISO/IEC 27009 will extend this common language across the sector landscape and shape the development of standards for sector-specific information security and privacy.

“We’ve already developed several sector-specific standards, such as ISO/IEC 27011 for telecoms, ISO/IEC 27017 for cloud computing and ISO/IEC 27019 for the energy sector,” asserted Professor Humphreys. “These standards are examples of where controls additional to those in ISO/IEC 27001 have been defined to meet the requirements of the specific sectors concerned. In developing these standards, it became clear that a harmonised structure and language, based on ISO/IEC 27001, as well as specific guidance would make the development of future sector-specific standards more effective and avoid unwanted duplication.”

Professor Humphreys added: “ISO/IEC 27009 will ensure that the development of new standards, and the revision of existing sector-specific standards, can all adopt an approach that’s consistent with ISO/IEC 27001. Therefore, it will provide advice on how to add to, refine or interpret the requirements of ISO/IEC 27001 and how to add to or otherwise modify the implementation guidance of ISO/IEC 27002 for sector-specific use.”

NTT Security launches UK Cyber Security Innovation Programme

NTT Security, the global information security and risk management company, has announced the launch of its Cyber Security Innovation Programme in the UK. Through the new programme, NTT Security will explore and test the evolving technology landscape and examine how a range of new solutions can help organisations build sustainable and resilient cyber security architectures while reducing complexity and cost.

Over 20 vendors – largely offering machine learning, isolation, deception and threat intelligence solutions – have joined the Cyber Security Innovation Programme. Each will be independently evaluated by security experts, who will assess whether the solutions genuinely innovate and meet individual business needs. NTT Security will also test the products in real-life environments to confirm that they function and deliver value in practice, with the aim of reducing the time and resources that businesses spend assessing new solutions without compromising innovation.

Dave Polton, chief technology architect at NTT Security, said: “Most businesses are striving for increased cyber confidence or capabilities, but the security product landscape is vast, complex and dynamic. This can often lead to confusion in purchasing decisions. We’ve seen many organisations feel burdened with inflexible information security architectures that deliver little return on investment.”

Polton went on to state: “A change in approach is needed. We believe that innovation should be at the heart of the security industry. New and emerging advanced technologies can make our data more secure, but what’s critical to the success of these innovations is that more rigour is applied to an organisation’s investment decisions. We recognise that businesses want solutions that will make cyber security tasks easier and faster. Our UK Cyber Security Innovation Programme is designed to deliver the strategic planning, business context and agnostic evaluation to enable exactly that.”

*NTT Security has developed a series of free White Papers to guide businesses through the latest in cyber security innovations.