CHAPTER 4: IMPLEMENTING CYBER RESILIENCE

Cyber resilience is a blend of cyber security, incident response and business continuity. An effective cyber resilience framework can protect an organisation from the majority of attacks and incidents, while also maximising its durability when an incident does occur. The principle behind cyber resilience is that an organisation can do a great deal to prevent incidents or mitigate their impact, but incidents remain inevitable. This is one good reason for the Implementing Regulation to mandate business continuity, which it defines as “the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident” (Article 3).

As the technology to commit cyber crime becomes more accessible and the number of vulnerabilities that any organisation might be subject to increases, cyber attacks become more certain. This assumption is supported by statistics: according to a 2018 UK government survey,[23] 43% of all UK businesses had suffered at least one breach or cyber attack in the previous 12 months, which was higher among medium-sized (64%) and large firms (72%) – and this is despite a significant increase in cyber security investment. These figures are in line with those found by a global study conducted by Thales: 67% of responding mid-sized and enterprise class organisations have previously been breached; 36% over the past year.[24]

For organisations that do suffer an incident, such as a cyber attack, it is critical that they have processes in place to respond to the incident, reduce its impact and quickly recover to business as usual. This requires a comprehensive framework that considers people, processes and technology – people, after all, are critical to security and to ensuring that processes and technologies are applied correctly and consistently, which is, of course, why the Directive requires both technical and organisational measures.

Common principles across various cyber resilience frameworks include that the project must be led from the top of the organisation, and must be capable of continually adapting to new threats and changing environments. These are characteristics of any successful, ongoing business project, and cyber resilience should be treated in much the same way.

Your organisation could develop a cyber resilience capability by simply going through the guidance and references provided by one of these frameworks, but this is likely to result in an inconsistent and disorganised set of processes without a larger appreciation for how they fit into the organisation. A successful project must take a more considered, holistic approach.

ISO standards – especially ISO 27001 (information security) and ISO 22301 (business continuity) – provide specifications for management systems that can be integrated to provide an effective framework for cyber resilience, incorporating further guidance from standards such as ISO 27002 and ISO 27035.

However, helpful as these standards may be, they are not designed for compliance with the NIS Directive, Implementing Regulation or any other piece of legislation. Rather, they are intended to provide guidance on good practice to protect information and information systems (the ISO 27000 family), and help organisations survive and quickly recover from incidents (ISO 22301). As such, any organisation using these standards to any degree still needs to ensure that it has taken all steps necessary to achieve, maintain and prove compliance.

ISO 27001 and ISO 27002

ISO 27001 is the international standard for information security management, and provides a structured approach to protecting an organisation’s information assets. Meanwhile, ISO 27002 – the ‘code of practice’ – provides comprehensive implementation guidance that builds on ISO 27001.

Like other ISO management system standards, ISO 27001 recognises that there are a number of core functions that any management system must rely upon, and builds on them. This makes information security part of the way the organisation operates, rather than simply a side concern. It also takes the organisation’s business environment and obligations into account, ensuring that the ISMS is relevant to the organisation.

The first step is to ensure top management commitment: the organisation must both direct and support the ISMS from the very top, which might be the board or senior management, and this includes taking accountability for the success of the project. This ensures that the ISMS can be operated in line with the organisation’s wider business objectives, while also providing evidence that information security is a topic to be taken very seriously. It also ensures that the ISMS meets all of the requirements that your organisation may face.

ISO 27001 advocates taking a risk management approach to information security, in line with Recital 44 of the Directive:

A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices.

In other words, the organisation should decide how to mitigate its risk on the basis of an informed assessment – that is, based on the risks it actually faces.

Once again, this exists within a larger framework that takes the organisation’s business environment into account. ISO 27001’s risk management process is kept deliberately open to allow the organisation to use whatever methodology is already familiar or appropriate to the business. Rather than prescribing a method in detail, it simply sets out a more general process that can be adopted by most existing risk management methodologies.

Clause 6.1 of ISO 27001 requires the organisation’s risk assessment process to:

Define both risk acceptance criteria and criteria for conducting a risk assessment;

Produce “consistent, valid and comparable results”;

Identify risks associated with the loss of confidentiality, integrity and availability of information assets;

Analyse each risk to identify the likelihood of it occurring and the potential impact if it does occur; and

Evaluate the risks against the organisation’s risk acceptance criteria to decide upon appropriate responses.

The output of a risk assessment will be a risk treatment plan that describes how the organisation will treat the risks it has identified. For the most part, this will involve applying controls. Such controls can fulfil a range of functions, but they generally fall into one of three categories:

1. Preventive

Preventive controls are intended to prevent risks from occurring or to reduce their likelihood. For instance, a rigorous patching programme reduces the amount of time that applications are vulnerable to exploitation, which in turn reduces the likelihood that an attacker will be able to take advantage of them.

2. Detective

Detective controls identify events and incidents, allowing the organisation to take steps to prevent an incident from occurring, gather forensic evidence for later action or react to reduce the impact of an incident. For instance, an intrusion detection system (IDS) identifies anomalous activity that could be an intrusion into the organisation’s networks. This activity may not be an actual intrusion, but it could be symptomatic of a vulnerability that the organisation can then act to resolve.

3. Reactive

Reactive controls come into play when an event or incident occurs and seek to reduce its impact. For instance, a process that isolates a network segment can prevent an attacker from exfiltrating data, progressing further into the system or identifying further weaknesses to exploit.

It is, of course, possible for a control to fulfil several functions – a CCTV camera might discourage a criminal from breaking into an office (preventive), identify when a break-in occurs (detective) and provide evidence of the intruder’s identity (reactive). Meanwhile, a firewall is primarily preventive, as it tries to keep intruders out, but could also function as a detective control, notifying the user of suspicious activity.

As said before, it is important to understand that the organisation should select controls on the basis of the actual risks it faces, and should balance the cost of treating a risk against the impact of the risk. As part of this, the organisation should be sure that it understands the ‘hidden’ costs of an incident, including reputational damage, legal harm, and fines and regulatory action. Annex A of ISO 27001 provides a reference set of controls that are generally applicable and supported by guidance in ISO 27002, but organisations are free to draw their controls from any source or design their own.
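As an added illustration, not taken from the book, the Clause 6.1 steps above and the three control categories can be written out as a small Python risk-assessment routine: one fixed ordinal scale keeps results comparable, every risk is tied to a loss of confidentiality, integrity or availability, each score is evaluated against explicit acceptance criteria, and the risks that must be treated become a treatment plan whose candidate controls are grouped by the function(s) they perform. The risk register, the acceptance criteria and the scoring thresholds are constructed sample values; the control names are the examples the chapter itself uses.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """One fixed ordinal scale for likelihood and impact, so results stay comparable."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4

@dataclass(frozen=True)
class Risk:
    asset: str
    security_property: str  # the C, I or A property whose loss is being assessed
    threat: str
    likelihood: Level
    impact: Level

    def __post_init__(self):
        if self.security_property not in ("confidentiality", "integrity", "availability"):
            raise ValueError(f"not a loss of C, I or A: {self.security_property}")

    @property
    def score(self) -> int:
        return int(self.likelihood) * int(self.impact)

@dataclass(frozen=True)
class AcceptanceCriteria:
    max_accepted_score: int     # scores at or below this may be accepted ...
    always_treat_impact: Level  # ... unless the impact alone is at least this high

def evaluate(risks, criteria):
    """Clause 6.1 evaluation: (risk, 'treat'|'accept') pairs, highest score first."""
    decided = []
    for r in risks:
        treat = r.score > criteria.max_accepted_score or r.impact >= criteria.always_treat_impact
        decided.append((r, "treat" if treat else "accept"))
    return sorted(decided, key=lambda rd: rd[0].score, reverse=True)

def treatment_plan(evaluated, controls):
    """For each risk to be treated, candidate controls for its threat grouped by function."""
    plan = {}
    for risk, decision in evaluated:
        if decision != "treat":
            continue
        entry = {"preventive": [], "detective": [], "reactive": []}
        for name, functions in controls.get(risk.threat, []):
            for fn in functions:  # a control may perform more than one function
                entry[fn].append(name)
        plan[(risk.asset, risk.security_property, risk.threat)] = entry
    return plan

# Constructed sample register, criteria and controls (illustrative, not from the book).
SAMPLE_RISKS = [
    Risk("customer database", "confidentiality", "unpatched web app", Level.HIGH, Level.VERY_HIGH),
    Risk("customer database", "availability", "ransomware", Level.MEDIUM, Level.HIGH),
    Risk("payroll records", "confidentiality", "insider disclosure", Level.LOW, Level.VERY_HIGH),
    Risk("office wiki", "integrity", "unauthorised edit", Level.LOW, Level.LOW),
]
SAMPLE_CRITERIA = AcceptanceCriteria(max_accepted_score=4, always_treat_impact=Level.VERY_HIGH)
SAMPLE_CONTROLS = {  # threat -> [(control, functions)], using the chapter's own examples
    "unpatched web app": [("rigorous patching programme", {"preventive"}),
                          ("intrusion detection system", {"detective"}),
                          ("isolate affected network segment", {"reactive"})],
    "ransomware": [("firewall", {"preventive", "detective"})],
}
```

The "insider disclosure" entry shows why a second acceptance criterion matters: its score of 4 would be accepted on score alone, but the very high impact forces treatment, and the empty control lists in its plan entry expose a gap the organisation still has to fill.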

There is a great deal more that could be said on the topic of risk assessment. For more information, we recommend that you read Information Security Risk Management for ISO27001/ISO27002.[25]

The controls to directly manage risks are supported by a range of management procedures that tie information security into ‘ordinary’ business processes. These include communication, competence and staff awareness, which ensure that the ISMS is well understood, and the organisation has the skills and knowledge to implement and maintain it.

The ISMS must also be assessed to make sure it is functioning correctly and in line with the documented processes. This is achieved through a combination of ongoing, regular measurements and internal audits. The results of these assessments are then reviewed by management so that any discrepancies or anomalies can be resolved. Just as management must initiate and support the ISMS, it is also responsible for ensuring its continuing efficacy. This set of processes allows the organisation to continually improve its ISMS, which ensures it remains effective over time and in the face of changing technologies and environments.

Another key component of an ISO 27001-conforming ISMS, and possibly part of this set of processes, is penetration testing – systematic and controlled probing for vulnerabilities in your applications and networks. Regular penetration testing is the most effective way of identifying exploitable vulnerabilities in your infrastructure, allowing appropriate mitigation to be applied. It would also be good practice to test any new services or networks before making them available. Vulnerabilities are discovered and exploited all the time by opportunistic criminal hackers who use automated scans to identify targets. Closing these security gaps and fixing vulnerabilities as soon as they become known are essential steps to keeping your networks and information systems safe and secure.

Standards for Cloud services

There are a few standards specifically aimed at Cloud services:

ISO/IEC 27017:2015[26]

ISO 27017 is the Code of practice for information security controls based on ISO/IEC 27002 for cloud services. ISO 27002 provides expanded guidance on the Annex A controls in ISO 27001; ISO 27017 expands this content to make the guidance more applicable to Cloud service providers.

ISO/IEC 27036-4:2016[27]

ISO 27036-4, Guidelines for security of cloud services, is intended for both Cloud service customers and providers.

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM)[28]

The CSA CCM provides a controls framework that is “specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider”, and is available online for free. It is also regularly referred to in ENISA’s Technical Guidelines.

ISO 27017 emphasises a few points. For instance, the organisation’s security policy for its information assets should stretch to its Cloud computing policy. By that principle, the provider should also “agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers” (Clause 6.1.1). The same clause explains:

Data and files on the cloud service provider's systems that are created or modified during the use of the cloud service can be critical to the secure operation, recovery and continuity of the service. The ownership of all assets, and the parties who have responsibilities for operations associated with these assets, such as backup and recovery operations, should be defined and documented. Otherwise, there is a risk that the cloud service provider assumes that the cloud service customer performs these vital tasks (or vice versa), and a loss of data can occur.

ISO 27017 continues to make similar points, such as the advice that any assets stored in the Cloud must be recorded in an inventory. Ultimately, the overall message of the Standard is that Cloud providers have to take comparable measures to any other type of service providers – thus the similarity to ISO 27002. Cloud providers should take note of the fact that their assets are not in ‘traditional’ digital or paper formats only; they face a slightly different set of risks and may need to take extra precautions.

Clause 5.2 of ISO 27036 explains in more depth how the risks to Cloud-based assets differ from those to more traditional ones:

Cloud service customers have limited control over the location, access, processing and protection of information placed in the cloud service. Additionally, cloud service customers may not be made aware of incidents, breaches, failures or other issues affecting the service in a timely manner. The limited control, coupled with a lack of information about the cloud service performance and security, presents a major risk of using the cloud service. When making an acquisition decision, the cloud service customer will need to evaluate these risks in relation to the information to be placed in the cloud and the dependence of the business on the information and the cloud service.

The Standard lists the typical threats and risks that Cloud services may face, which is followed by suggested adjustments to a more general risk assessment and related processes. ISO 27036 also provides information on controls that may be suitable for Cloud providers, but the Standard’s list is not nearly as comprehensive as the CSA CCM.

Where both ISO 27017 and ISO 27036 focus mainly on practices and are a bit more general (in line with the ISO 27000 family), the Matrix is much more specific to the technologies typically used by Cloud providers. As a control set, the CSA CCM also tends to integrate well with ISO 27001, which provides the specifications for a management system without being too precise about which controls an organisation might use.

ISO 22301

Many of the same processes used in information security management apply to a business continuity management system (BCMS) aligned to ISO 22301 – in particular, the more general management processes, such as ensuring management oversight and review, communication, awareness, competence and documentation management. This means that they can be applied simultaneously to integrate both management systems. For instance, the same process used to make staff aware of the organisation’s need for information security can also be used to express the importance of continuity. Because these processes are shared, the organisation can save time and money by integrating these management systems together.

A BCMS that conforms to ISO 22301 provides a well-defined incident response structure, ensuring that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively. As Article 2(3) of the Implementing Regulation points out: “Business continuity management […] means the capability of an organisation to maintain or as appropriate restore the delivery of services at acceptable predefined levels following a disruptive incident”. The key elements involved in a BCMS are business impact analysis (BIA), risk assessment and the business continuity plan (BCP).

BIA is the process of identifying the harm that could come to the organisation if a given business function is disrupted. It also takes into account how that harm changes over time. After all, some incidents will have a very small or negligible impact unless they persist, while other incidents have an immediate impact that does not change over time.

This information then becomes the basis for prioritising each business process for recovery in the event of a disruptive incident. ISO 22301’s approach to risk assessment focuses on risks to “the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them”.[29] Treatment of these risks should be in line with both the organisation’s continuity objectives and its risk appetite.

By combining the BIA’s view of the harm a disruption would cause with the assessed threat that each risk poses to the organisation’s critical services, the organisation is able to prioritise its responses. These priorities inform the BCP(s).

The BCP is critical to the BCMS: it describes how the organisation will respond to disruptions, in both general and specific terms. For instance, it should include contact details for authorities and key suppliers, and sources of support that can be called on during disruptions, while also setting out the detailed steps involved in responding to and recovering from incidents that affect the organisation’s critical services.

The BCP relies on being tested regularly – in line with Article 2(3) of the Implementing Regulation, which points out that any established plans must be “assessed and tested on a regular basis for example, through exercises”. Without testing, there is little way of knowing whether the plan is effective. Additionally, there is no real way to improve the plan, which, by extension, means that the organisation cannot improve its ability to respond to and recover from disruptive incidents.

Although it would, of course, be good business practice to implement a BCMS that covered the entire organisation, for the purposes of NIS Directive compliance, the network is the only thing that will be in scope, so achieving certification to ISO 22301 might not be necessary. However, certification can give you a competitive advantage and lead to new contractual opportunities. It could also help your organisation comply with other legislation, and generally protect your organisation from harm.

ISO 27035

ISO 27035 outlines concepts, phases and overall guidelines for information security incident management, and can be easily implemented by organisations also aiming to meet ISO 27001’s requirements, as many of the two standards’ processes line up. ISO 27035’s structured approach to incident response consists of five phases:

1. Plan and prepare

2. Detection and reporting

3. Assessment and decision

4. Responses

5. Lessons learnt

The first phase, detailed in Clause 5.2 of the Standard, focuses on the more general management processes, such as ensuring management oversight and review, communication, awareness, competence and documentation management.

The second phase becomes more specific for information security incident management, which is dedicated to internally reporting potential incidents as soon as possible after any unusual activity has been detected.

The third phase, assessment and decision, looks into assessing the situation and deciding whether the event qualifies as an ‘information security incident’. If so, the incident has to be contained, information has to be collected to pinpoint what exactly happened, and a log has to be kept, which can be analysed at a later stage.

In the fourth phase, responses, any agreed incident management activities have to be carried out after tasks and responsibilities have been assigned. Such activities could include reviewing any reports made and logs kept, reassessing the damage and notifying the relevant people or bodies. This point is particularly relevant for the Directive’s purpose, as any incident of substantial impact has to be reported.

Finally, after all urgent action has been taken, the whole situation and process can be reviewed, including any existing management systems, plans or procedures, and notes can be taken on how the incident could have been mitigated or even prevented. The most important part of “lessons learnt” is ensuring that potential improvements are actually implemented.

Combining standards

With an ISO 27001-aligned ISMS in place and integrated with an ISO 22301-aligned BCMS, taking note of incident response procedures as guided by ISO 27035, the organisation has a systematic approach to cyber resilience and compliance with relevant laws and regulations, including the NIS Directive and Implementing Regulation. For more detailed guidance, DSPs can take further note of ISO 27002 and, if relevant, any or all of the Cloud standards.

Because these management systems operate on a process of continual improvement, they can adapt to changes in the legal environment and evolving threats. This is critical: an organisation that cannot continue to defend itself from cyber attack and other incidents will inevitably suffer, and regulators will see this and act accordingly. Cyber resilience is an ongoing concern that should adapt and grow as an organisation does, not a project to complete once and leave to stagnate.


[23] Department for Digital, Culture, Media & Sport, “Cyber Security Breaches Survey 2018”, April 2018, www.gov.uk/government/statistics/cyber-security-breaches-survey-2018.

[24] Thales, “2018 Thales Data Threat Report – Global Edition”, https://dtr.thalesesecurity.com/.

[25] Alan Calder and Steve Watkins, “Information Security Risk Management for ISO27001/ISO27002”, April 2010, www.itgovernance.eu/en-ie/shop/product/information-security-risk-management-for-iso27001-iso27002.

[26] Available at: www.itgovernance.eu/en-ie/shop/product/iso-27017-2015-information-security-controls-for-cloud-services.

[27] Available at: www.itgovernance.co.uk/shop/product/isoiec-27036-4-2016-iso27036-4-standard-cloud-security-guidelines.

[28] Cloud Security Alliance, “Cloud Controls Matrix Working Group”, March 2017, https://cloudsecurityalliance.org/group/cloud-controls-matrix.

[29] ISO 22301:2012, Clause 8.2.3 a).
