ISO Cybersecurity Standard

Existing ISO security standards (such as the ISO/IEC 27000 group) have a good reputation. They aren’t (and couldn’t be) any sort of ‘silver bullet’ for the delivery of security without an organisation thinking in depth about risk and threat analyses, and without putting resources into implementing a good information security management system (ISMS), but they provide a good framework for implementing basic security (which you can build on for managing specific threats). They also help to provide a common vocabulary for all the stakeholders in security management.

Now “cybersecurity” is becoming the new buzzword and a new ISO/IEC cybersecurity standard promises to help with ensuring the safety of online transactions and personal information exchanged over the Internet, and even with protecting your computer when browsing websites. 

The new standard is, in full, ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity. Unfortunately, it costs money and I tend to feel that standards-based security management is so important to eCommerce that some way should be found to remove cost barriers to the wider dissemination of ISO/IEC 27000 standards. Although, I suppose a counter-argument is that people don’t value what they get for nothing.

Anyway, at the very least, ISO/IEC 27032:2012 should help to ensure that all involved in what is the potential ‘cybersecurity hype bubble’ are talking off the same hymnsheet. Will it make cyberspace safer? Well, no, not in itself, as that is an implementation issue – and needs vision, management and insight from the people in an organisation. However, judging by previous ISO/IEC 27000 standards, it should help a security-aware management to bring its information security management systems up-to-date for the emerging cyber-risks – if its risk/threat analyses show that cyber-risks are actually real issues for the organisation.