In the section on Cyber Security Risk Management, we introduced two important concepts:
We also mentioned the fact that it is important to have a consistent approach, both to the categorization of risk factors and to their evaluation, in order to avoid comparing apples to oranges. This is where a harmonized set of standards has an important role to play.
Of course, many organizations already implement standards mainly as a requirement for compliance (for example, the data protection risk assessment / impact assessment prescribed by EU 679/2016, or ISO 9001). But that is not the only, or even the best, reason for implementing standards. Several national and international standards organizations have published standards both for risk management and for cybersecurity best practices. The advantage of such standards is that they have been elaborated with the broad consensus of organizations, in such a way as to guarantee consistency of approach and terminology. By adopting such standards whenever possible, you are not only ensuring the highest possible quality of your methodology, but also facilitating communication with others who use the same vocabulary.
Perhaps the best-known standard for the overall management of information security is ISO 27000 – actually a family of standards (well over forty in total). ISO 27001:2013 in particular is a risk-based standard for the information security management system (ISMS). It adopts a global vision of business, process, people and technology risks, and top management is actively involved in the entire risk mitigation process. In that sense, it provides an excellent framework for the implementation of an integrated Enterprise Risk Management system. Effectively implemented, it can provide:
The main message here is: you don’t have to go it alone. You don’t have to reinvent the wheel. Enterprise Risk Management, and in particular cyber security risk management, has been codified into standards that have broad international acceptance among all kinds of organizations.
One particular initiative is of special interest to smaller organizations. “A simplified approach to Risk Management for SMEs” is an initiative begun in 2007 and promoted by the European Agency for the Security of Networks and Information (ENISA). As indicated in the title of the initiative, ENISA decided to equip management staff who are not experts in matters of security with a simple tool to perform a guided and modular risk self-evaluation. To this end, security aspects have been simplified and acceptable target security levels have been established, identifying a target risk profile.
Another example of an initiative targeting SMEs is the U.S. National Institute of Standards and Technology (NIST) initiative “Small Business Information Security: The Fundamentals” (publication NISTIR 7621, Revision 1). Like its ENISA counterpart, this initiative also aims to give small businesses a more lightweight, yet effective, approach to understanding and managing their risks, safeguarding their information, and working safely and securely in a smaller context than that of very large organizations.
Recall that an important step is the identification of measures to mitigate the identified risk (see the dedicated section on Risk Mitigation). Recall also that there are two principal categories: technological measures (like state-of-the-art equipment) and best practices followed within the organization.
What are “best practices” for cybersecurity risk mitigation? Do we have to develop our own? Here, too, standards based upon the collective experience of organizations around the world provide us with best practices that have been proven in the field and are being constantly updated to reflect new knowledge.
In the dedicated section on Risk Management, we encountered the NIST Cybersecurity Framework, which provides recommendations and requirements in many formats (spreadsheet, PDF, etc.) that may be customized for the organization. Examples of best practices you can find here are:
Note that these are organized according to categories, with each category containing specific recommendations.
Here, too, the message is: you don’t have to go it alone. There are standards and initiatives worldwide that provide sets of best practices that you can implement for credible cybersecurity risk mitigation as part of your overall cybersecurity risk management process. This is an important prelude to the subsequent step of residual cyber risk management, which is where the evaluation of cyber risk insurance enters the picture.
Here is an overview of just some of the relevant standards for an organization implementing cybersecurity risk management and best practices.
| Regulation/Standard | Title |
|---|---|
| Regulation (EU) N° 910/2014 | Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS Regulation) |
| Regulation (EU) 2016/679 | General Data Protection Regulation (GDPR) |
| | Directive on privacy and electronic communications (e-privacy directive) |
| Implementing Regulation (EU) N° 2016/68 | Commission Implementing Regulation on common procedures and specifications necessary for the interconnection of electronic registers of driver cards |
| ISO/IEC 15408:2009 | Security techniques -- Evaluation criteria for IT security |
| ISO/IEC 17030:2003 | Conformity assessment -- General requirements for third-party marks of conformity |
| ISO/IEC 17065:2012 | Conformity assessment -- Requirements for bodies certifying products, processes and services |
| ISO/IEC 18045:2005 | Security techniques -- Methodology for IT security evaluation |
| ISO/IEC 27000:2016 | Security techniques -- Information security management systems -- Overview and vocabulary |
| ISO/IEC 27001:2013 | Security techniques -- Information security management systems -- Requirements |
| ISO/IEC 29100:2011 | Security techniques -- Privacy framework |
| ISO/IEC 29190:2015 | Security techniques -- Privacy capability assessment model |
| ISO/IEC 40500:2012 | (W3C) Information technology -- W3C Web Content Accessibility Guidelines (WCAG) |
| ITU-T X1208 (01/2014) | A cybersecurity indicator of risk to enhance confidence and security in the use of telecommunication/information and communication technologies |
| ITU-T Y2060 (06/2012) | Overview of the Internet of things |
| ITU-T Y3051 (03/2017) | The basic principles of trusted environment in information and communication technology infrastructure |
| ITU-T Y3052 (03/2017) | Overview of trust provisioning for information and communication technology infrastructures and services |
| ITU-T Y4050 (07/2012) | Terms and definitions for the Internet of things |
| ITU-T Y4100 (06/2014) | Common requirements of the Internet of Things |
| ETSI TR 103 304 | CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services |
| ETSI TR 103 305 | CYBER; Critical Security Controls for Effective Cyber Defence |
| NIST SP 800-53 R4 | Security and Privacy Controls for Federal Information Systems and Organizations |
| NIST SP 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) |
| | Swiss Federal Act on Data Protection (FADP) |
| | Swiss Ordinance on Data Protection Certification |
| | Code for drug use on humans |
Cyberwatching.eu has been at the forefront of addressing the key issue of standards (and that issue is trust), via the in-project development of the Light Cybersecurity Label, which is a key result of this project that will “live on” we
The focus of this deliverable is to address, in a white paper, the issue of identifying the gaps in cybersecurity standards (and hence also in certification).
Cyberwatching.eu has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 740129. The content of this website does not represent the opinion of the European Commission, and the European Commission is not responsible for any use that might be made of such content.