CHAPTER 4: IMPLEMENTING CYBER RESILIENCE

As mentioned in the introduction, the full set of practices that support the 14 principles and 4 objectives set out by the NCSC is often described as ‘cyber resilience’. It is a blend of cyber security, incident response and business continuity. The principle behind cyber resilience is that an organisation can do a great deal to prevent incidents or mitigate their impact, but incidents remain inevitable. An effective cyber resilience framework protects an organisation from the majority of attacks and incidents, while also maximising its durability when an incident does occur.

As the technology to commit cyber crime becomes more intelligent and the number of vulnerabilities that any organisation might be subject to increases, the threat of a cyber attack increases. This assumption is supported by statistics: according to a 2018 UK government survey,[31] 43% of all UK businesses had suffered at least one breach or cyber attack in the previous 12 months, which was higher among medium-sized (64%) and large organisations (72%) – and this is despite a significant increase in investment in cyber security.

For organisations that do suffer an incident, such as a cyber attack, it is critical that they have processes in place to respond, reduce its impact and quickly recover to business as usual. It is sensible to look not just at your legal requirements (those of the NIS Directive, in this case), but to look for a solution that is best able to protect the organisation. For this reason, we favour a more complete approach to cyber resilience – one that incorporates a full set of continuity processes to minimise disruption and associated costs. This requires a comprehensive framework that considers people, processes and technology – and people are arguably the most important part of that because they are, after all, critical to ensuring that processes and technologies are applied correctly and consistently.

Just as the principles adopted by the NCSC assert, the project must be led from the top of the organisation, and must be capable of continually adapting to new threats and changing environments. These are characteristics of any successful, ongoing business project, and it is true that cyber resilience should be treated in much the same way.

An organisation could develop a cyber resilience capability by simply going through the guidance and references provided by the NCSC, but this is likely to result in an inconsistent and disorganised set of processes without a larger appreciation for how they fit into the organisation. A successful project must take a more considered, holistic approach.

ISO standards – especially ISO/IEC 27001:2013 (information security) and ISO 22301:2012 (business continuity) – provide specifications for management systems that can be integrated to provide an effective framework for cyber resilience, incorporating further guidance from standards such as ISO 27002 and ISO 27035.

However, helpful as these standards may be, they are not designed for compliance with the NIS Directive, NIS Regulations or any other piece of legislation. Rather, they are intended to provide guidance on good practice to protect information and information systems (the ISO 27000 family), and help organisations survive and quickly recover from incidents (ISO 22301). As such, any organisation using these standards to any degree still needs to ensure that it has taken all steps necessary to achieve, maintain and prove compliance.

ISO 27001 and ISO 27002

ISO 27001 is the international standard for information security management, and provides a structured approach to protecting an organisation’s information assets. Meanwhile, ISO 27002 – the ‘code of practice’ – provides comprehensive implementation guidance that builds on ISO 27001.

Like other ISO management system standards, ISO 27001 recognises that there are a number of core functions that any management system must rely upon and builds onto them. This makes information security part of the way the organisation operates, rather than simply being a side concern. This also takes into account the organisation’s business environment and obligations, ensuring that the information security management system (ISMS) is relevant to the organisation.

This begins with top management commitment, in line with NCSC’s principle A1 (governance). The organisation must both direct and support the ISMS from the very top, which might be the board or senior management, and includes taking accountability for the success of the project. This ensures that the ISMS can be operated in line with the organisation’s wider business objectives, while also providing evidence that information security is a topic to be taken very seriously.

In line with Recital 44 of the Directive, “A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced, should be promoted and developed through appropriate regulatory requirements and voluntary industry practices”, ISO 27001 advocates taking a risk management approach to information security (see NCSC principle A2). In other words, the organisation should decide how to mitigate its risk on the basis of an informed assessment of the risks it actually faces.

Once again, this exists within a larger framework that takes the organisation’s business environment into account. ISO 27001’s risk management process is kept deliberately open to allow the organisation to use whatever methodology is already familiar or appropriate to the business. Rather than prescribing a method in detail, it simply sets out a more general process that can be adopted by most risk management methodologies.

Clause 6.1 of ISO 27001 requires the organisation’s risk assessment process to:

Define both risk acceptance criteria and criteria for conducting a risk assessment;

Produce “consistent, valid and comparable results”;

Identify risks associated with the loss of confidentiality, integrity and availability of information assets;

Analyse the risks to identify the likelihood of each occurring and the potential impact if it does occur; and

Evaluate the risks against the organisation’s risk acceptance criteria to decide upon appropriate responses.

While this can become a complex process that requires specific expertise, the NCSC principles provide further guidance on the matter and refer to a number of risk management frameworks, including ISO 27005, which is aligned with ISO 27001.
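The five Clause 6.1 requirements listed above, worked through as an added Python example (this is not code from the book or from ISO); the 1 to 5 rating scales, the acceptance threshold of 6 and the sample risk register are assumed values chosen for illustration:

```python
"""Added example: a minimal ISO 27001 Clause 6.1 style risk assessment.
The scales, the acceptance threshold and the register are constructed values."""
from dataclasses import dataclass

# Risk acceptance criterion (assumed): a score (likelihood x impact) at or below
# this value may be accepted; anything above it must be treated.
ACCEPTANCE_THRESHOLD = 6

# Criteria for conducting the assessment (assumed): likelihood and impact are both
# rated 1-5, so every assessor produces results on one comparable scale.
SCALE = range(1, 6)
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Risk:
    asset: str
    attribute: str      # which of confidentiality, integrity, availability is at risk
    threat: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject entries outside the agreed criteria so results stay valid.
        if self.attribute not in PROPERTIES:
            raise ValueError(f"unknown security property: {self.attribute}")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1-5")


def score(risk: Risk) -> int:
    """Analyse: combine likelihood and impact into one deterministic score."""
    return risk.likelihood * risk.impact


def evaluate(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Evaluate the score against the acceptance criterion and pick a response."""
    return "accept" if score(risk) <= threshold else "treat"


def treatment_plan(risks, threshold: int = ACCEPTANCE_THRESHOLD):
    """Return the risks that need treatment, highest score first: the input to
    the risk treatment plan that the text describes as the assessment's output."""
    to_treat = [r for r in risks if evaluate(r, threshold) == "treat"]
    return sorted(to_treat, key=lambda r: (-score(r), r.asset, r.attribute))


# Constructed sample register for an operator of essential services.
REGISTER = [
    Risk("SCADA historian", "availability", "ransomware via unpatched host", 4, 5),
    Risk("customer database", "confidentiality", "credential theft", 3, 4),
    Risk("public website", "integrity", "defacement", 2, 2),
    Risk("billing system", "availability", "single supplier outage", 2, 3),
]

if __name__ == "__main__":
    for r in treatment_plan(REGISTER):
        print(f"{score(r):>2}  treat  {r.asset} ({r.attribute}): {r.threat}")
```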

The output of risk assessment will be a risk treatment plan that describes how the organisation will treat the risks it has identified. For the most part, this will involve applying controls. Such controls can fulfil a range of functions, but they generally fall into one of three categories:

1. Preventive

Preventive controls are intended to prevent risks from occurring or to reduce their likelihood. For instance, a rigorous patching programme reduces the amount of time that applications are vulnerable to exploitation, which in turn reduces the likelihood that an attacker will be able to take advantage of them.

2. Detective

Detective controls identify events and incidents, allowing the organisation to take steps to prevent an incident from occurring, gather forensic evidence for later action or react to reduce the impact of an incident. For instance, an intrusion detection system (IDS) identifies anomalous activity that could be an intrusion into the organisation’s networks. This activity may not be an actual intrusion, but it could be symptomatic of a vulnerability that the organisation can then act to resolve.

3. Reactive

Reactive controls come into play when an event or incident occurs and seek to reduce its impact. For instance, a process that isolates a network segment can prevent an attacker from exfiltrating data, progressing further into the system or identifying further weaknesses to exploit.

It is, of course, possible for a control to fulfil several functions – a CCTV camera might discourage a criminal from breaking into an office (preventive), identify when a break-in occurs (detective) and help identify the intruder (reactive). Meanwhile, a firewall is primarily preventive in that it tries to keep intruders out, but can also function as a detective control by notifying the user of suspicious activity.

As said earlier, it is important to understand that the organisation should select controls on the basis of the actual risks it faces, and should balance the cost of treating a risk against the impact of the risk. As part of this, the organisation should be sure that it understands the ‘hidden’ costs of an incident, including reputational damage, legal harm, and regulatory action including fines. Annex A of ISO 27001 provides a reference set of controls that are generally applicable and supported by guidance in ISO 27002, but organisations are free to draw their controls from any source or design their own.

Many controls will also directly contribute towards meeting the requirements of the NCSC’s principles – for instance, controls concerning asset management align with principle A3, a wide range of controls can contribute to data security (principle B3), and so on. Risks to each of the principles (i.e. the risk that the principle will not be achieved) should also be taken into account in order to preserve the organisation’s ability to protect itself from incidents that could disrupt its services.

There is a great deal more that could be said on the topic of risk management. For more information, read Information Security Risk Management for ISO27001/ISO27002.[32]

The controls to directly manage risks are supported by a range of management procedures that tie information security into ‘ordinary’ business processes. These include communication, competence and staff awareness (see NCSC principle B6), which ensure that the ISMS is well understood and that the organisation has the skills and knowledge to implement and maintain it.

The ISMS must also be assessed to make sure it is functioning correctly and in line with the documented processes. This is achieved through a combination of ongoing, regular measurements and internal audits. The results of these assessments are then reviewed by management so that any discrepancies or anomalies can be resolved. Just as management must initiate and support the ISMS, it is also responsible for ensuring its continuing efficacy. This set of processes allows the organisation to continually improve the ISMS, which ensures it remains effective over time and in the face of changing technologies and environments.

Another key component of an ISO 27001-conforming ISMS, and possibly part of this set of processes, is penetration testing – systematic and controlled probing for vulnerabilities in your applications and networks. Regular penetration testing is the most effective way of identifying exploitable vulnerabilities in your infrastructure, allowing appropriate mitigation to be applied. It would also be good practice to test any new services or networks before making them available. Vulnerabilities are discovered and exploited all the time by opportunistic criminal hackers who use automated scans to identify targets. Closing these security gaps and fixing vulnerabilities as soon as they become known are essential steps to keeping your networks and information systems safe and secure.

ISO 22301

Many of the same processes used in information security management apply to a business continuity management system (BCMS) aligned to ISO 22301 – in particular, the more general management processes, such as ensuring management oversight and review, communication, awareness, competence and documentation management. This means that they can be applied simultaneously to integrate both management systems. For instance, the same process used to make staff aware of the organisation’s need for information security can also be used to stress the importance of continuity – even within the same breath, if need be. Because these processes are shared, the organisation can save time and money by integrating these management systems.

A BCMS that conforms to ISO 22301 provides a well-defined incident response structure, ensuring that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively. The key processes involved in a BCMS are business impact analysis (BIA), risk assessment and the business continuity plan (BCP), and align with NCSC principle D1.

BIA is the process of identifying the impact on the organisation if a given business function is disrupted. It also takes into account how that impact changes over time. After all, some incidents will have a very small or negligible impact unless they persist, while other incidents have an immediate impact that does not change over time.

This information then becomes the basis for prioritising each business process for recovery in the event of a disruptive incident. For OES, additional weight should be given to services and processes that support service delivery.

ISO 22301’s approach to risk assessment focuses on risks to “the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them”.[33] Treatment of these risks should be in line with both the organisation’s continuity objectives and its risk appetite. These objectives should, of course, include the objectives set by the NCSC.

By combining the BIA’s view of the impact of disruption with the assessed threat that each risk poses to the organisation’s critical services, the organisation is able to prioritise its responses. These priorities inform the BCP(s).

The BCP is critical to the BCMS: it describes how the organisation will respond to disruptions, in both general and specific terms. For instance, it should include contact details for authorities and key suppliers, and sources of support that can be called on during disruptions, while also setting out the detailed steps involved in responding to and recovering from incidents that affect the organisation’s critical services.

The BCP relies on being tested regularly. Without testing, there is little way of knowing whether the plan is effective, or of improving the plan to better protect the organisation’s ability to respond to and recover from disruptive incidents.

ISO 27035

ISO 27035 outlines concepts, phases and overall guidelines for information security incident management, and can be easily implemented by organisations also aiming to meet ISO 27001’s requirements, as many of the two standards’ processes line up. As previously explained, ISO 27035’s structured approach to incident response consists of five phases:

1. Plan and prepare

2. Detection and reporting

3. Assessment and decision

4. Responses

5. Lessons learnt

The first phase, detailed in Clause 5.2 of the Standard, focuses on the more general management processes, such as ensuring management oversight and review, communication, awareness, competence and documentation management.

The second phase becomes more specific for information security incident management, which is dedicated to internally reporting potential incidents as soon as possible after any unusual activity has been detected.

The third phase, assessment and decision, looks into assessing the situation and deciding whether the event qualifies as an ‘information security incident’. If so, the incident has to be contained, information has to be collected to pinpoint what exactly happened, and a log has to be kept, which can be analysed at a later stage.

In the fourth phase, responses, any agreed incident management activities have to be carried out after tasks and responsibilities have been assigned. Such activities could include reviewing any reports made and logs kept, reassessing the damage and notifying the relevant people or bodies. This point is particularly relevant for the Directive’s purpose, as any incident of substantial impact has to be reported.

Finally, after all urgent action has been taken, the whole situation and process can be reviewed, including any existing management systems, plans or procedures, and notes can be taken on how the incident could have been mitigated or even prevented. The most important part of “lessons learnt” is ensuring that potential improvements are actually implemented.

Combining standards

With an ISO 27001-aligned ISMS in place and integrated with an ISO 22301-aligned BCMS, taking note of incident response procedures as guided by ISO 27035, the organisation has a systematic approach to cyber resilience and compliance with relevant laws and regulations, including the NIS Directive.

Because these management systems operate on a process of continual improvement, they can adapt to changes in the legal environment and evolving threats. This is critical: an organisation that cannot continue to defend itself from cyber attack and other incidents will inevitably suffer, and regulators will see this and act accordingly. Cyber resilience is an ongoing concern that should adapt and grow as an organisation does, not a project to complete once and leave to stagnate.


31 Department for Digital, Culture, Media & Sport, “Cyber Security Breaches Survey 2018”, April 2018, www.gov.uk/government/statistics/cyber-security-breaches-survey-2018.

32 Alan Calder and Steve Watkins, 2010, www.itgovernance.co.uk/shop/product/information-security-risk-management-for-iso27001iso27002.

33 ISO 22301:2012, Clause 8.2.3 a).
