One of the most common mistakes that organisations make when addressing cyber security is that they consider it a one-off event.
Whether they’re taking small steps, such as installing antivirus software, or large ones, such as a GDPR (General Data Protection Regulation) compliance campaign, they consider it ‘job done’ when the implementation project is complete.
That’s a problem when cyber risks are constantly evolving, as is the way your organisation operates. Weaknesses will quickly appear as criminal hackers discover new techniques and you move to new processes that create additional vulnerabilities.
It’s why organisations must manage the risks they face with continual evaluation, maintenance and revision.
This process should be embedded within your overall cyber security measures in what experts refer to as cyber defence in depth. The framework consists of five interrelated stages (or ‘layers’) to help organisations manage information security risks across all parts of their business.
Even if one of these defensive layers is breached, the next works to further contain the damage.
We’ve been looking at each layer of cyber defence in depth in our blog, explaining what it encompasses, how it fits into an organisation’s overall approach to cyber security and the controls that you can implement to establish that layer.
Having previously covered the first two layers – threat detection and threat prevention – we now turn our attention to stage three: threat management.
What is threat management?
Managing cyber security risks requires a more intensive approach than simply implementing basic protections. Cyber security isn’t a destination – it is an ongoing process, requiring continual evaluation, maintenance and revision.
Threat management is defined by the way organisations address cyber security risks as part of their wider operations. It includes measures such as embedding risk-based security controls into corporate processes, managing supply chain security and carrying out regular audits to ensure security controls remain up to date.
Organisations can perform these tasks with the help of ISO 27001. It’s the international standard for an ISMS (information security management system), and takes a risk-based approach to information security.
The Standard outlines three essential aspects, or ‘pillars’, of effective information security: people, processes and technology.
This three-pronged approach helps organisations protect themselves from highly organised attacks and common internal threats, such as accidental breaches and human error.
See also:
ISO 27001 can also be used as a framework to help organisations achieve GDPR compliance. Many of their requirements overlap, particularly in relation to Article 32 of the Regulation.
This section outlines requirements related to the technical and organisational measures that organisations must implement to protect personal data. It includes steps such as keeping records of processing activities, conducting data protection impact assessments where required, and training staff.
The GDPR doesn’t go into detail about what these processes should look like, because best practices – particularly when it comes to technology – change rapidly, and what is considered appropriate now might not be in a few years.
Fortunately, ISO 27001 contains a framework that’s updated every few years to provide the latest guidance on how best to protect sensitive information.
Organisations can use the Standard to, for instance, pseudonymise personal data. You can do this by replacing the names and unique identifiers of data subjects with a reference number, which you can cross-reference via a separate document.
ISO 27001 also provides guidance on measures such as anti-malware software, staff awareness training and vulnerability scanning.
Moreover, because organisations are required to continually audit to ISO 27001 to retain certification, it encourages them to manage their information security practices.
By regularly reviewing the effectiveness of any process, policy or technology that is implemented, you ensure that your defences are appropriate and that you remain compliant.
How we can help
If you want to know more about threat detection or defence in depth, IT Governance is here to help.
Keep an eye on our blog for the rest of our series on the five layers of defence in depth, or subscribe to our Weekly Round-up to receive our latest articles straight to your inbox.
We also have webinars on each of the five stages of defence in depth, hosted by IT Governance’s founder and executive chairman, Alan Calder.
Stage 2 – Protection is available to download now, while you can register for our upcoming presentations on our website.
