Business Issues Channels Enterprise Services SME Technology
Module Header
Craig WentworthMWD Advisors
Craig Wentworth
16th April - Egnyte the blue touchpaper...
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - Managed Print Services: Are SMBs Ready?
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - The Managed Print Services (MPS) Opportunity for SMBs
Simon HollowayThe Holloway Angle
Simon Holloway
11th April - Intellinote - capture anything!
David NorfolkThe Norfolk Punt
David Norfolk
11th April - On the road to Morocco

Blogs > The Norfolk Punt

ISO Cybersecurity Standard
David Norfolk By: David Norfolk, Practice Leader - Development, Bloor Research
Published: 5th December 2012
Copyright Bloor Research © 2012
Logo for Bloor Research

A new ISO standard (SO/IEC 27032:2012 Information technology - Security techniques - Guidelines for cybersecurity) promises to assist developers with assuring the integrity of online transactions and protect any information (especially personal and financial information) exchanged over the Internet. It should even help web designers to design 'safe' websites that minimise any risk to your computer when browsing websites.

However, this won't be simply a matter of 'following standards' even though I have considerable confidence in the utility of ISO's 27000 series of standards from way back when they were first formulated as an industry initiative from retailers such as Marks and Spencers.

ISO/IEC 27032 looks like a useful guide to what is fashionably called cybersecurity on the Internet - always remembering that most of this is simply good security practice anyway, covered by other ISO 27000 standards, and nothing much specific to web applications. However, web applications may expose any poorly addressed security issues you may have to a wider audience.

The availability of a security standard doesn't excuse you from doing a risk/threat analysis, formulating security policies and introducing effective security awareness training for all staff. However, it helps you develop a curriculum for your security training courses, establish baseline security and identify holes in your understanding of security. Then, you can look at the specific threats facing you and decide whether they are adequately addressed by your baseline security or whether you need to take special measures. Baseline security (such as not sharing passwords, encrypting personal data on the wire and so on) isn't up for discussion but it may need to be extended to address specific threats with serious business consequences. However, beware of security for its own sake - if security isn't addressing a likely threat or defined business risk, then it can be a business overhead, stop people working efficiently and even call the idea of security itself into disrepute. Security is ultimately a 'people thing' and you will only achieve effective security if people buy into its necessity as a business enabler. If you follow ISO 27000, for example, even informally, PCI compliance shouldn't be difficult - and convincing the business that PCI compliance is essential to taking in money via credit cards should be pretty easy.

The main benefits of formally complying with ISO 27000 standards are probably that this tells your employees and business partners that you really are serious about security; and that it gives all concerned a common language and basis of understanding for discussing mutual security.

My main concern is that Internet security is a holistic thing. With interconnected computers you may be compromised by your connections - even if your own security is impeccable (and whose is), a mass of poorly protected computers in a botnet could be used for a DDOS attack that might still cause you problems. So, I'd like ISO 27032 as widely disseminated as possible - and it costs money, which may discourage smaller businesses from reading it. I would think that sponsoring free distribution of ISO 27000 standards to UK, plc might be a good use of government money, although I suppose some people only value what they pay for.


Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761