A recently updated standard jointly developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27004:2016, Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of an information security management system (ISMS) built on ISO/IEC 27001. ISO/IEC 27001 is the global standard that establishes the requirements for an ISMS. In support of effective implementation of ISO/IEC 27001, the newly revised ISO/IEC 27004 shows how to construct an information security measurement program, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures and of how the effectiveness of these measures can be assessed.
According to ISO, security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken center stage. "Cyber-attacks are among the greatest risks an organization can face," said Edward Humphreys, convenor of the working group that developed the standard. "Organizations need help to address the question of whether the organization's investment in information security management is effective, fit for purpose to react, defend, and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages."
ISO/IEC 27004:2016 was developed by ISO/IEC Joint Technical Committee (JTC) 1, Information technology, Subcommittee (SC) 27, IT security techniques, under the leadership of DIN (Germany) with the participation of 53 countries. The U.S. holds TC-level leadership of ISO/IEC JTC 1, with Karen Higginbottom of HP Inc. serving her third term as chair, and ANSI as secretariat. ANSI is the U.S. member body to ISO and, via the U.S. National Committee, to the IEC. The ANSI-accredited U.S. Technical Advisory Group administrator to ISO/IEC JTC 1 and its SCs is the InterNational Committee for Information Technology Standards (INCITS), an ANSI member and accredited standards developer.
On the domestic front, the National Institute of Standards and Technology (NIST), an ANSI government member, has just published a free Guide for Cybersecurity Event Recovery to help organizations develop a game plan to contain a cyber-attack and restore affected systems quickly. As the number of cybersecurity incidents climbs, and the variety of types of attacks grows, "It's no longer if you are going to have a cybersecurity event, it is when," said computer scientist Murugiah Souppaya, one of the guide's authors.
The new guide consolidates existing NIST cyber-attack recovery guidance, including publications on incident handling and contingency planning. It also provides a process that each organization can use to create its own comprehensive recovery plan, and presents additional information related to the "recover" function in the previously released Framework for Improving Critical Infrastructure Cybersecurity (known as the "Cybersecurity Framework").
ANSI has a strong record of developing, leading, and supporting collaborative cybersecurity initiatives that respond to the ever-changing threat landscape, including the following recent activities:
For more information on ANSI's work in cybersecurity, visit www.ansi.org/cyber.