ISO takes information security management “to another level” with new standard for market sectors

With cyber threats on the rise, in turn placing businesses and industries at risk, it’s more important than ever that organisations protect their information (and, indeed, that of their customers). The International Standards Organisation’s (ISO) standard for information security, namely ISO/IEC 27001, is already widely used, but a new standard just published will take that a step further, helping to apply the requirements of this flagship standard to specific market sectors.

Offering more tailored protection for specific sectors (e.g. finance, transportation and healthcare, as well as infrastructure projects such as smart cities) in order to ward off threats to their information has become a political, business and economic imperative, driving a need for sector-specific cyber security standards. The recently published ISO/IEC 27009 will help standards developers do just that, providing the necessary advice and guidance on how to create standards that apply ISO/IEC 27001 to individual sectors.

ISO/IEC 27009 Information Technology – Security Techniques – Sector-Specific Application of ISO/IEC 27001 – Requirements joins the ISO/IEC 27000 family of standards to help maximise the effectiveness of ISO/IEC 27001. It explains how to include requirements and controls additional to those in ISO/IEC 27001 that are applicable to specific sectors, enabling them to achieve consistency when developing standards in this family.

Professor Edward Humphreys, the convenor of ISO/IEC SC 27/WG 1 (the Working Group that developed the standard) explained that ISO/IEC 27001 is the international common language for information security management. ISO/IEC 27009 will enhance this common language across the sector landscape and shape the development of standards for sector-specific information security and privacy.

“We’ve already developed several sector-specific standards, such as ISO/IEC 27011 for telecoms, ISO/IEC 27017 for cloud computing and ISO/IEC 27019 for the energy sector,” asserted Professor Humphreys. “These standards are examples of where controls additional to those in ISO/IEC 27001 have been defined to meet the requirements of the specific sectors concerned. In developing these standards, it became clear that a harmonised structure and language, based on ISO/IEC 27001, as well as specific guidance would make the development of future sector-specific standards more effective and avoid unwanted duplication.”

Professor Humphreys added: “ISO/IEC 27009 will ensure that the development of new standards, and the revision of existing sector-specific standards, can all adopt an approach that’s consistent with ISO/IEC 27001. Therefore, it will provide advice on how to add to, refine or interpret the requirements of ISO/IEC 27001 and how to add to or otherwise modify the implementation guidance of ISO/IEC 27002 for sector-specific use.”

NTT Security launches UK Cyber Security Innovation Programme

NTT Security, the global information security and risk management company, has announced the launch of its Cyber Security Innovation Programme in the UK. Through the new programme, NTT Security will explore and test the evolving technology landscape, and also examine how a multitude of new solutions can help organisations create sustainable and resilient cyber architectures while at the same time reducing complexity and cost.

Over 20 ambitious vendors – largely operating in machine learning as well as isolation, deception and intelligence-based solutions – have joined the Cyber Security Innovation Programme. All will be independently evaluated by security experts who’ll identify how the solutions can truly innovate and meet individual business needs. Furthermore, NTT Security will test the innovations in real-life environments to ensure they function and deliver value in the real world, and to reduce the time and resources that businesses invest when evaluating new solutions, without compromising innovation.

Dave Polton, chief technology architect at NTT Security, said: “Most businesses are striving for increased cyber confidence or capabilities, but the security product landscape is vast, complex and dynamic. This can often lead to confusion in purchasing decisions. We’ve seen many organisations feel burdened with inflexible information security architectures that deliver little return on investment.”

Polton went on to state: “A change in approach is needed. We believe that innovation should be at the heart of the security industry. New and emerging advanced technologies can make our data more secure, but what’s critical to the success of these innovations is that more rigour is applied to an organisation’s investment decisions. We recognise that businesses want solutions that will make cyber security tasks easier and faster. Our UK Cyber Security Innovation Programme is designed to deliver the strategic planning, business context and agnostic evaluation to enable exactly that.”

*NTT Security has developed a series of free White Papers to guide businesses through the latest in cyber security innovations.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.