An information security standard is a series of documented processes that define how to implement, manage, and monitor various security controls. As well as providing a blueprint for mitigating risk and reducing vulnerabilities, cybersecurity standards and cybersecurity frameworks typically detail the necessary steps for achieving regulatory compliance.
What are the 4 types of information security?
- Application Security: identifying and addressing exploitable vulnerabilities in web and mobile applications so malicious actors can’t use them to breach a company’s network.
- Network Security: implementing the policies and controls to protect the data and infrastructure within a company’s network and prevent unauthorised access.
- Cloud Security: strategies and solutions to secure a company’s off-site cloud deployment.
- Cryptography: various processes and techniques to better secure data through encryption. Cryptography prevents sensitive information from being decoded by cybercriminals in the event of a data breach.
Let’s look at information security standards, why they’re important, and the consequences of failing to meet them.
Why companies need to meet information security standards
There are several key reasons why it’s in a company’s best interest to meet information security standards:
- Achieve regulatory compliance
Adhering to information security standards results in companies becoming compliant with the IT security regulations required by their industry. Consequently, they can avoid the negative consequences of non-compliance, such as financial penalties and legal trouble.
- Prevent cyberattacks
Information security standards outline cybersecurity best practices, so aligning with them is an effective way for companies to approach their information security needs.
This is because meeting IT security standards requires a company to implement the necessary measures, processes, policies, and controls that will improve its cybersecurity posture.
It’s important to note that compliance doesn’t necessarily translate into security, as cyber threats evolve faster than security standards, but it’s an excellent starting point.
- Increased awareness of risk
Adhering to security standards requires a company’s security teams to become more aware of cybersecurity best practices, definitions, terminology, and, most importantly, the full extent of the cyber threats they face. This reduces the chance of costly breaches due to ignorance and reduces the need to undergo trial and error to mitigate cyberattacks.
- Enhanced reputation
Meeting information security standards displays your company’s commitment to cybersecurity and data security – especially when you receive certification for your efforts. This inspires confidence in existing and potential clients, supply chain partners, etc., and reassures them that their information is secure when working with you.
Two primary information security standards
The two primary information security standards that companies strive to meet are ISO 27001 and ISO 27002. They are issued by the International Organisation for Standardisation (ISO) – an independent, international body that creates standards that cover technology, manufacturing, management and more. ISO 27001 and 27002 are two of the key standards from the ISO 27000 Series, which consists of over 45 standards covering a wide range of information security issues.
Let’s look at ISO 27001 and 27002 in more detail and why companies should adhere to them.
ISO 27001
ISO 27001 is an information security standard that outlines the requirements for how a company should implement an Information Security Management System (ISMS). An ISMS is a governance framework that contains a structured suite of activities that allows a company to manage its information security risks.
ISO 27001 specifies the controls and procedures you need to implement within your ISMS to mitigate information security risks particular to your company, as well as how to monitor and measure the ongoing efficacy and performance of said controls. Companies that require comprehensive guidance on improving their information security posture can significantly benefit from how ISO 27001 conveniently consolidates the required policies, processes, and controls.
A company can prove its compliance with the ISO 27001 standard through audits and certification, which are provided by ISO-accredited agencies. RiskXchange can help you get ISO 27001 certification as a part of our CyberSec-as-a-Service offering. Consequently, a company that attains ISO 27001 certification will be recognised for adhering to a world-class information security standard.
What is the difference between ISO 27001 and NIST?
ISO 27001 and NIST Cyber Security Framework (CSF) are both information security standards on which companies can base their cyber security policies and controls. Both help a company better mitigate the risk of cyberattacks and comply with various data security legislation. Although they essentially help companies achieve the same thing, there are a few key differences between ISO 27001 and NIST CSF:
- ISO (International Organisation for Standardisation) is an international non-governmental body, while NIST (National Institute of Standards and Technology) is affiliated with the US government. As a result, ISO certifications have wider international recognition.
- It’s possible to get ISO 27001 certification, which includes a third-party audit. By contrast, there isn’t a certification for NIST CSF: companies simply use it as a set of guidelines.
- NIST CSF is free of charge, while you have to pay for the ISO 27001 documentation and certification.
ISO 27002
While ISO 27001 provides detailed guidelines on developing an ISMS, it doesn’t actually formally mandate which specific information security controls a company should implement. This is because the required controls will vary according to a company’s precise information security needs. This is where ISO 27002 comes in.
ISO 27002 complements ISO 27001 and details the information security controls that a company might implement, as stated in ISO 27001. Companies can implement whichever controls are most applicable to their specific information security risks; ISO 27002 provides best practices in selecting, implementing, and managing those controls – while accounting for the company’s risk environment.
The controls detailed in ISO 27002 are the same as those outlined in Annex A of ISO 27001. While both ISO 27002 and Annex A previously contained 114 controls, the updated 2022 edition was reorganised into 93 controls, with 58 updated controls, 24 merged controls, and 11 brand new ones. Similarly, while the 114 controls were divided across 14 domains, the 2022 update sees the 93 controls spread across the following four categories:
- Organisational
- People
- Physical
- Technological
Additionally, unlike ISO 27001, you don’t need certification to prove compliance with ISO 27002. This is because ISO 27002 is an informative standard, rather than a normative one like ISO 27001. In other words, ISO 27002’s purpose is to describe the controls in greater detail, rather than prescribe them, as is the case with ISO 27001.
What are the 3 principles of information security?
The three principles of information security are confidentiality, integrity, and availability (CIA).
- Confidentiality: the information is only available to the intended parties.
- Integrity: the information is complete when accessed and/or transferred.
- Availability: the information is immediately available when requested.
What problems do you face if you don’t meet IT security standards?
We’ve looked at a few benefits of adhering to information security standards – but what happens if you don’t meet them? Here are the most notable consequences of not meeting IT security standards:
- Increased risk of security breaches: as security standards outline best practices for mitigating cybersecurity risks and keeping information secure, not meeting them puts you at risk of suffering a costly breach.
- Legal trouble: not adhering to IT standards can result in you being non-compliant with industry or governmental regulations, which may result in litigation against your company – especially in the event of a data breach. Also, your company may be hit with restrictions that significantly affect your day-to-day operations.
- Fines: in addition to legal trouble, your company can be hit with, often stiff, financial penalties for failing to achieve compliance. Also, with some IT standards, like GDPR (General Data Protection Regulation), you may be required to compensate any parties affected by a resulting breach.
- Reputational damage: while a company can overcome legal trouble and financial setbacks, reputational damage is more difficult to repair. If your clients don’t feel their data is secure with your company, they’ll look elsewhere. Similarly, if your company’s poor security reputation precedes you, gaining the trust necessary to attract new clients will be challenging.
Other information security standards your company can meet
GDPR
The General Data Protection Regulation (GDPR) is an IT security standard concerned with data privacy for citizens in the European Union (EU). Although GDPR is European legislation, it applies to any organisation that collects and stores data from EU citizens, regardless of where they’re based.
GDPR has become a big deal since the start of its enforcement in 2018. The main reason for this is the hefty fines, which can be up to 10 million euros – or 2% of a company’s revenue for the previous financial year (whichever is higher). Google, Meta (Facebook and WhatsApp) and Amazon are prominent examples of companies that have been fined, with Amazon receiving a staggering $877 million fine in 2021.
GDPR contains seven principles that provide an overarching framework for information security:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
FINRA
Rather than an IT security standard, the Financial Industry Regulatory Authority (FINRA) is a government-authorised, non-profit organisation that regulates US-based broker-dealers and exchanges. A crucial part of its oversight is ensuring companies have strong cybersecurity measures to protect their clients’ sensitive data.
To successfully register with FINRA, each financial services firm is evaluated on areas including:
- Technology governance
- Risk assessment
- Technical controls
- Access management
- Incident response
- Supplier management
- Data loss prevention
- System change management
- Branch controls
- Employee training
To help the companies under their purview achieve compliance, FINRA provides several resources, including their Cybersecurity Checklist and a Checklist for Compromised Accounts.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) applies to companies in the US healthcare industry, with particular emphasis on information security standards dealing with how they protect confidential patient records and medical data. However, HIPAA doesn’t just apply to companies that directly provide healthcare but to any associated company that handles personal healthcare information. This includes law and accountancy firms, data storage and disposal companies, and even transcription services.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) details how companies should handle and store credit and debit card information. PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), which consists of the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB International. Any company that processes card transactions must adhere to PCI DSS, and the consequences of not doing so include fines, paying compensation to victims, and litigation.
The PCI DSS consists of six control categories for companies to implement:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Continuously monitor and test networks
- Maintain an information security policy
Find out which information security standards your company needs to meet
Several factors determine which cybersecurity standards and frameworks your company needs to adhere to. These include your industry, where you operate, and, most importantly, the size and complexity of your attack surface and the particular risks to which your company is exposed.
If you’d like help determining which information security standards apply to your company, contact RiskXchange.