ISO updates the information security controls guidelines

Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organisations face. And the consequences can be huge. Most organisations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help.

For any organisation, information is one of its most valuable assets, and a data breach can cost heavily in lost business and in the effort of cleaning up the damage. The controls that protect that information therefore need to be rigorous enough for the job, and they need to be reviewed regularly so that they keep pace with changing risks.

Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.

The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all of which are referenced within.

Prof. Edward Humphreys, leader of the working group that developed the standard, said ISO/IEC TS 27008 will help organisations to assess and review their current controls that are being managed through the implementation of ISO/IEC 27001.

“In a world where cyber attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organisation’s business processes,” he said.

“ISO/IEC TS 27008 can help give organisations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organisation faces.”

ISO/IEC TS 27008 is of benefit to organisations of all types and sizes, be they public, private or not-for-profit, and complements the information security management system defined in ISO/IEC 27001.

It was developed by ISO technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO’s member for Germany.