ISO updates the information security controls guidelines

Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organisations face. And the consequences can be huge. Most organisations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help.

For any organisation, information is one of its most valuable assets, and a data breach can cost heavily both in lost business and in cleaning up the damage. The controls that protect that information therefore need to be rigorous enough for the job, and they need to be reviewed regularly so that they keep pace with changing risks.

Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.

The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all of which are referenced within.

Prof. Edward Humphreys, leader of the working group that developed the standard, said ISO/IEC TS 27008 will help organisations to assess and review the controls they are already managing through their implementation of ISO/IEC 27001.

“In a world where cyber attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organisation’s business processes,” he said.

“ISO/IEC TS 27008 can help give organisations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organisation faces.”

ISO/IEC TS 27008 is of benefit to organisations of all types and sizes, be they public, private or not-for-profit, and complements the information security management system defined in ISO/IEC 27001.

It was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO's member for Germany.
