Managing the risks associated with a cyber-attack is an ongoing priority for organisations in all sectors. With the number of reported attacks and the scale of attacks increasing, protecting critical information; including that of customers is a growing concern.
To help offer tailored protection to complex industry sectors including healthcare, finance and transportation, the International Organization for Standardization (ISO) has published ISO/IEC 27009, Information technology – Security techniques – Sector-specific application of ISO/IEC 27001 – Requirements, which provides guidance on the inclusion of sector specific requirements and controls in addition to those laid out by Information Security Management System (ISMS) standard ISO/IEC 27001:2013.
Rob Acker, LRQA Information Security Technical Manager, shared his thoughts about the publication of the new standard; “The publication of ISO/IEC 27009 represents a significant stage in the journey towards optimisation and rationalisation across all industry sectors. With many complex requirements in these different sectors, ISO/IEC 27009 will help to ensure that they can all be accounted for whilst maintaining the robust protection offered by ISO/IEC 27001 – safeguarding organisations, their ISMS and their customers.”
ISO/IEC 27009 provides a framework within which ISO/IEC 27001 or ISO/IEC 27002 can be enhanced or refined to include sector specific requirements or against which requirements can be interpreted to ensure their consistent and commonly understood implementation. This approach will build on the existing sector, technology or risk specific standards such as ISO/IEC 27011 (telecommunications), ISO/IEC 27017 (cloud computing) or ISO/IEC 27032 (Cyber Security) minimising the risk of duplication or confusion.
For those wishing to continue to only use the core ISO/IEC 27002 specification as a check for their supply chain this framework also provides assurance that the inclusion of sector specific standards does not reduce the effectiveness of the baseline requirements as the approach is designed prevent removal or in any other way reduce the validity of those controls. With all the major ISO standards being revised, LRQA is at the forefront of communicating the changes. We offer a range of assessment services as well public and in-house training courses, all aimed at helping to ensure that organisations worldwide have a smooth transition to the new standards.