And how to become resilient with ISO 27001 and ISO 22301
Unfortunately, even the most secure organisation can suffer an incident.
The odds are simply stacked against you:
While you need to protect all your assets from all types of threat, an attacker needs only one exploitable weakness to get into your systems.
Plus, any security measure you implement is only designed to stop, at most, a handful of threats – and that’s assuming it was both correctly implemented and still doing its job.
Regardless of implementation, single measures aren’t enough – because no measure is foolproof.
The consequences of an attack – no matter how rare – can be crippling if you haven’t planned how you’ll respond.
This is where cyber resilience comes in.
Cyber resilience combines cyber security with the ability to detect, respond to and recover from cyber incidents.
This goes hand in hand with defence in depth:
A dynamic approach, which has multiple security measures working together, so if one layer fails, another will still prevent an attacker from succeeding.
Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains.
Cyber incidents are a matter of ‘when, not if’
What mindset should organisations adopt when addressing information security risks?
Key is to focus on when, not if, an incident will happen.
If you look at something like DORA [Digital Operational Resilience Act], that’s all about understanding your risks – including in the supply chain – and how you’ll continue critical and important functions if you get attacked. How will you ensure operational resilience?
Risk only ceases to exist when you shut the doors.
If we know that security incidents are a matter of ‘when, not if’, how should organisations approach risk management?
Suppose you’ve identified a risk, and you’ve implemented a control to mitigate it.
You’ll still need to accept the risk exists. It might be a low risk, both in terms of likelihood and impact, but the risk is still there – just within your risk tolerance.
Nonetheless, the risk can still materialise. Plus, you must recognise that mistakes may have been made when assessing the risk due to, for example:
- Incorrect or incomplete information; or
- Biases that skewed the results.
People and security
In other words, recognise that you’re dealing with human beings, who are prone to human error?
Right. As a consultant, you have to recognise that there’s little black and white – you’re dealing with lots of shades of grey. Particularly with risk, because of the human element.
Consider the insider threat. On the one hand, this risk originates from people. On the other hand, people are also the solution.
Within security, people can be the strong point – but they can also be the weakness. And when assessing risk, much of the work involves understanding the shortcuts people might take around decision-making.
That said, with experience, you learn to apply certain tricks to lessen the impact of such variables and any biases potentially at play.
Bias in risk assessment
Could you elaborate on those tricks?
Part of it is understanding the biases people might have.
Let’s take group bias as an example. Suppose you’re doing a risk workshop with a team, with both the team leader and their subordinates in the same room. And the team leader asks their subordinates: “What do you think?”
If the leader has a dominant personality, and has already declared: “I don’t think this is a risk”, everyone else in the room feels pressured to agree with them – because they don’t want to appear to be undermining their manager.
As a consultant, how would you address group bias?
One way to get around it might be to solicit the feedback from members of the team individually by, for example:
- Running an anonymous survey; or
- Soliciting responses via one-to-one emails.
The exact solution depends on what you’re assessing – how important is it?
This then informs the amount of effort you’d put into ‘freeing’ people from the ‘gaze’ of their manager and possible repercussions.
What other biases do you have to overcome?
Recency bias – when someone overestimates a risk, particularly in terms of likelihood, on grounds that it happened to them recently. Or maybe it happened to a similar business recently. That’s also something to be on the lookout for, as a consultant.
You need to be familiar with the system to which the risk relates, and know that the risk is almost certainly lower than what the client is telling you.
Likewise, if we’re confident the client is underestimating a risk, based on our experience with that system, we’d let them know about that, too.
Combining ISO 27001 with ISO 22301
With incidents being unavoidable in spite of an organisation’s best efforts, should we come at security from the other direction? Consider your key activities and functions, and how you’ll continue those if attacked or otherwise disrupted?
Over time, I’ve learned to look at ISO 27001 [the international standard for information security management] together with ISO 22301 [the international standard for business continuity management].
By implementing both Standards, you’re not just looking at information security – you’re looking at things from a business process perspective, too.
In other words, when implementing an ISO 22301 BCMS [business continuity management system], you’re asking questions like:
- What are our critical business activities?
- What’s important to us as a business?
- What isn’t that important?
How does that link back to an ISO 27001 ISMS [information security management system]?
The answers to those types of questions filter down to the IT systems you’re using:
- Which systems can you afford to be without for a longer period?
- Which systems do you need to immediately get back up and running again, if disrupted?
So, as part of the BCMS, you’re looking at things like maximum acceptable outages [MAOs] and recovery time objectives [RTOs]. How quickly do you need to recover your IT systems before you’d be in serious trouble as a business?
Questions like that aren’t necessarily covered by ISO 27001, but I think organisations should look at both [ISO 27001 and ISO 22301] together, as one informs the other.
It ensures you’re asking key questions like what a specific server does. Maybe it runs a specific application. You then ask what that application facilitates from a business perspective – how does it help your company’s bottom line?
Previously, we talked about how to get leadership buy-in: by linking the information security objectives to the organisation’s overall objectives. Business continuity works in a similar way. And looking at the two together makes you more resilient as a business.
Defence in depth
I suppose that another form of resilience is to layer your defences.
Absolutely. I constantly see organisations thinking that they’ve written a policy, or implemented some other control, so that’s job done.
Policies are great. They provide direction. But to be effective, you must also enforce them.
Where possible, use technical controls for that. For example, if you want to stop users from writing down passwords, encourage the use of a secure and vetted password manager.
Again, people will look for shortcuts or workarounds. Policies and procedures that facilitate them, without sacrificing security and while enabling productivity, mitigate that risk.
But to truly be secure, layer your defences – don’t rely on a single control. And select controls that come at it from different directions:
- ISO 27001:2022 groups the Annex A controls into four areas: organisational, people, physical and technological.
- Combine ISO 27001 with ISO 22301, and you’ll look at your IT systems from different angles.
As you told me before:
“You can never know where the next attack or threat might come from. Who might turn malicious, what might turn bad, who may want to harm your organisation.
“So, the more defences you have in place, the more protected you’ll be.”
Get a Cyber Health Check
Embarking on a cyber security improvement programme?
Our Cyber Health Check will help you identify your weakest security areas and recommend appropriate measures to mitigate your risks, drawing on best-practice standards like ISO 27001 and ISO 22301.
At the end of the engagement, you’ll receive a detailed report that describes your current cyber risk status and critical exposures, along with remediation advice.
Don’t take our word for it
Here’s what our customer Nick said:
The Cyber Health Check was conducted as an independent review of our current posture in terms of Governance, Risk and Compliance (GRC) to help identify if there were any gaps prior to the development of an ISO 27001-aligned framework.
The CHC also provided our risk committee and top management with assurance that appropriate technical and organisational controls are in place to protect the confidentiality, integrity and availability of our data and systems.
The service met with our expectations and the report generated highlighted points that will be considered by our Risk Committee. The service and report helped us prioritise focus areas of improvements to our existing ISMS.
This is certainly a service we would recommend from IT Governance.
About Damian Garcia
Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He has an MSc in cyber security risk management and maintains various professional certifications.
As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We’ve previously interviewed Damian about how to start managing risks and how to mitigate them, selecting effective security controls, the insider threat, and common cyber security and ISO 27001 myths.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.