The UK Government has recently issued a call for guidance on cyber-security standards:
“The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber security. We aim to offer clarity to the private sector, based on the standard that we select and choose to promote.”
As a sentiment, this is admirable – there are, indeed, a number of standards available for organisations to use as guidance for – and evidence of – the implementation of best practice in this area. Britain originated what has now become the international standard for information security, ISO/IEC 27001 – and has since adopted a variant for central government (the HMG Security Policy Framework), as well as drawing up a more recent option that deals with public sector cyber security, PAS 555 (currently under review).
The international standard is supported by a family of other best practice standards, covering key areas from risk assessment (ISO 27005) to cyber-security (ISO 27032). ISO 27001 is backed by an international accredited certification scheme, with hundreds of Certification Bodies competent to carry out audits against the standard, and is increasingly demanded by organisations across the world as a basic requirement of their suppliers. According to ISO, 17,500 companies worldwide had become certificated by the end of 2011, and the number is growing at 12% per year – faster than any other management system standard.
More than that, ISO 27001 is one of a range of management system standards that grew out of ISO 9001, the quality management standard – and there are now more than 1,000,000 organisations worldwide that have an ISO 9001 QMS; this is a significant number of management teams who have already demonstrated an interest in applying a single standard of what acceptable performance looks like. Notably, international take-up of the standard only accelerated after what was originally a British standard was internationalised.
All this has taken over 10 years to achieve, and reflects the extent to which management teams around the world have recognised the value of a single, internationally accepted, sector- and technology-agnostic specification for information security management. Exactly the wrong thing to do, right now, would be to try to get the UK – or the world – to accept a new and different standard to deal with an issue that is already being tackled by ISO 27001.
The reality is that cyber threats are current. As the press generally, and my recent blogs specifically, have insisted, cyber attacks are taking place today in their millions. Not only do we no longer have the luxury of enough time to debate what the ideal management standard might have been; the internationally inter-connected world can no longer afford its civil servants the luxury of time for developing and adopting (at some future point – the HMG consultation only closes in Autumn 2013) a new best practice standard in the hope that whatever new ideas it contains will generate results that justify throwing out everything that has gone before.
The only right thing is to oppose – by rejecting – the half-baked idea that the UK needs yet another management system.