
And how to become resilient with ISO 27001 and ISO 22301
Unfortunately, even the most secure organisation can suffer an incident.
The odds are simply stacked against you:
While you need to protect all your assets from all types of threat, an attacker needs only one exploitable weakness to get into your systems.
Plus, any security measure you implement is only designed to stop, at most, a handful of threats – and that's assuming it was both correctly implemented and still doing its job.
Regardless of implementation, single measures aren't enough – because no measure is foolproof.
The consequences of an attack – no matter how rare – can be crippling if you haven't planned how you'll respond.
This is where cyber resilience comes in.
Cyber resilience combines cyber security with the ability to detect, respond to and recover from cyber incidents.
This goes hand in hand with defence in depth:
A dynamic approach, which has multiple security measures working together, so if one layer fails, another will still prevent an attacker from succeeding.
Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains.
Cyber incidents are a matter of 'when, not if'
What mindset should organisations adopt when addressing information security risks?
Key is to focus on when, not if, an incident will happen.
If you look at something like DORA [Digital Operational Resilience Act], that's all about understanding your risks – including in the supply chain – and how you'll continue critical and important functions if you get attacked. How will you ensure operational resilience?
Risk only ceases to exist when you shut the doors.
If we know that security incidents are a matter of 'when, not if', how should organisations approach risk management?
Suppose you've identified a risk, and you've implemented a control to mitigate it.
You'll still need to accept the risk exists. It might be a low risk, both in terms of likelihood and impact, but the risk is still there – just within your risk tolerance.
Nonetheless, the risk can still materialise. Plus, you must recognise that mistakes may have been made when assessing the risk due to, for example:
- Incorrect or incomplete information; or
- Biases that skewed the results.
People and security
In other words, recognise that you're dealing with human beings, who are prone to human error?
Right. As a consultant, you have to recognise that there's little black and white – you're dealing with lots of shades of grey. Particularly with risk, because of the human element.
Consider the insider threat. On the one hand, this risk originates from people. On the other hand, people are also the solution.
Within security, people can be the strong point – but they can also be the weakness. And when assessing risk, much of the work involves understanding the shortcuts people might take around decision-making.
That said, with experience, you learn to apply certain tricks to lessen the impact of such variables and any biases potentially at play.
Bias in risk assessment
Could you elaborate on those tricks?
Part of it is understanding the biases people might have.
Let's take group bias as an example. Suppose you're doing a risk workshop with a team, with both the team leader and their subordinates in the same room. And the team leader asks their subordinates: 'What do you think?'
If the leader has a dominant personality, and has already declared: 'I don't think this is a risk', everyone else in the room feels pressured to agree with them – because they don't want to appear to be undermining their manager.
As a consultant, how would you address group bias?
One way to get around it might be to solicit the feedback from members of the team individually by, for example:
- Running an anonymous survey; or
- Soliciting responses via one-to-one emails.
The exact solution depends on what you're assessing – how important is it?
This then informs the amount of effort you'd put into 'freeing' people from the 'gaze' of their manager and possible repercussions.
What other biases do you have to overcome?
Recency bias – when someone overestimates a risk, particularly in terms of likelihood, on grounds that it happened to them recently. Or maybe it happened to a similar business recently. That's also something to be on the lookout for, as a consultant.
You need to be familiar with the system to which the risk relates, and know that the risk is almost certainly lower than what the client is telling you.
Likewise, if we're confident the client is underestimating a risk based on your experience with that system, we'd let them know about that, too.
Combining ISO 27001 with ISO 22301
With incidents being unavoidable in spite of an organisation's best efforts, should we come at security from the other direction? Consider your key activities and functions, and how you'll continue those if attacked or otherwise disrupted?
Over time, I've learned to look at ISO 27001 [the international standard for information security management] together with ISO 22301 [the international standard for business continuity management].
By implementing both Standards, you're not just looking at information security – you're looking at things from a business process perspective, too.
In other words, when implementing an ISO 22301 BCMS [business continuity management system], you're asking questions like:
- What are our critical business activities?
- What's important to us as a business?
- What isn't that important?
How does that link back to an ISO 27001 ISMS [information security management system]?
The answers to those types of questions filter down to the IT systems you're using:
- Which systems can you afford to be without for a longer period?
- Which systems do you need to immediately get back up and running again, if disrupted?
So, as part of the BCMS, you're looking at things like maximum acceptable outages [MAOs] and recovery time objectives [RTOs]. How quickly do you need to recover your IT systems before you'd be in serious trouble as a business?
Questions like that aren't necessarily covered by ISO 27001, but I think organisations should look at both [ISO 27001 and ISO 22301] together, as one informs the other.
It ensures you're asking key questions like what a specific server does. Maybe it runs a specific application. You then ask what that application facilitates from a business perspective – how does it help your company's bottom line?
Previously, we talked about how to get leadership buy-in: by linking the information security objectives to the organisationâs overall objectives. Business continuity works in a similar way. And looking at the two together makes you more resilient as a business.
Defence in depth
I suppose that another form of resilience is to layer your defences.
Absolutely. I constantly see organisations thinking that they've written a policy, or implemented some other control, so that's job done.
Policies are great. They provide direction. But to be effective, you must also enforce them.
Where possible, use technical controls for that. For example, if you want to stop users from writing down passwords, encourage the use of a secure and vetted password manager.
Again, people will look for shortcuts or workarounds. Policies and procedures that facilitate them, without sacrificing security and while enabling productivity, mitigate that risk.
But to truly be secure, layer your defences – don't rely on a single control. And select controls that come at it from different directions:
- ISO 27001:2022 groups the Annex A controls into four areas: organisational, people, physical and technological.
- Combine ISO 27001 with ISO 22301, and you'll look at your IT systems from different angles.
As you told me before:
'You can never know where the next attack or threat might come from. Who might turn malicious, what might turn bad, who may want to harm your organisation.
'So, the more defences you have in place, the more protected you'll be.'
Get a Cyber Health Check
Embarking on a cyber security improvement programme?
Our Cyber Health Check will help you identify your weakest security areas and recommend appropriate measures to mitigate your risks, drawing on best-practice standards like ISO 27001 and ISO 22301.
At the end of the engagement, you'll receive a detailed report that describes your current cyber risk status and critical exposures, along with remediation advice.
Don't take our word for it
Here's what our customer Nick said:
The Cyber Health Check was conducted as an independent review of our current posture in terms of Governance, Risk and Compliance (GRC) to help identify if there were any gaps prior to the development of an ISO 27001-aligned framework.
The CHC also provided our risk committee and top management with assurance that appropriate technical and organisational controls are in place to protect the confidentiality, integrity and availability of our data and systems.
The service met with our expectations and the report generated highlighted points that will be considered by our Risk Committee. The service and report helped us prioritise focus areas of improvements to our existing ISMS.
This is certainly a service we would recommend from IT Governance.
About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he's helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He has an MSc in cyber security risk management and maintains various professional certifications.
As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations' information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
Weâve previously interviewed Damian about how to start managing risks and how to mitigate them, selecting effective security controls, the insider threat, and common cyber security and ISO 27001 myths.
We hope you enjoyed this edition of our 'Expert Insight' series. We'll be back soon, chatting to another expert within GRC International Group.
If you'd like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.
Alternatively, explore our full index of interviews here.