Cyber Security

CIR Standards: Affecting Key CIR Elements

Written by Moh Heng Goh | Nov 26, 2022 3:54:26 AM

CIR Related Standards

Relationships Between Relevant Standards

Next, the CIR-BCM relationships between the relevant Standards are established based on pre-defined common areas.

By drawing relationships between the relevant Standards, organizations can get an overall picture of the content of each standard and its specific relationships concerning CIR-BCM.

Organizations adopting several standards can align the processes to develop a comprehensive plan for responding to cybersecurity incidents. The relationships are further elaborated on and compared from the perspectives of:

  1. Focus
  2. Scope
  3. Process
  4. Element

1. Focus

The main focus of the respective Standards is outlined in Figure 1, which frames what each standard specifically concentrates on.

 

| Standard | Focus |
| --- | --- |
| ISO 22301 | Business Continuity Management |
| ISO 27001 / ISO 27002 | Information Security Management System (ISMS) Best Practices; Recommended controls on information security |
| ISO 27004 | Guidelines for the development of measures and measurement of the effectiveness of ISMS |
| ISO 27031 | Standard on Readiness of Information and Communication Technologies (ICT) for Business Continuity |
| ISO 27032 | Guidelines to improve cyber security through implementing security techniques on information technologies |
| ISO 27033 | Guidelines for managing network security |
| ISO 27035 | Incident Management |
| ISO 27040 | Guidelines for managing data storage security |
| NIST | A voluntary framework that organisations can choose to adopt to improve cyber security within their organisation |
| COBIT | Business framework for governing and managing the IT aspect of an organisation |

Figure 1: The Relevant Standards and Their Focus

2. Scope

The benefits organizations receive from adopting the respective standards and implementing the recommended practices are listed in Figure 4. It sets the end objectives for organizations to achieve when aligning to the specific standard.

The standard will be relevant to organizations that need their information security mission aligned with the specific "Scope" or objectives as presented in Figure 2.

 

| Standard | Scope |
| --- | --- |
| ISO 22301 | Manage business continuity risks |
| ISO 27001 / ISO 27002 | Manage information security risks |
| ISO 27004 | Measure the effectiveness of ISMS to identify improvements |
| ISO 27031 | Managing ICT infrastructures risks |
| ISO 27032 | Manage cyber security incidents |
| ISO 27033 | Manage network security risks |
| ISO 27035 | Plan and prepare for incident response |
| ISO 27040 | Manage data storage risks |
| NIST | Improve organisation’s ability to tackle cyber security |
| COBIT | Guide organisations to govern and manage their IT infrastructures in a holistic manner |

Figure 2: The Standards and their Scope of Coverage

3. Process

The respective Standards list steps that organizations can perform to develop the document's contents. Where standards share common processes, organizations can conduct them simultaneously, meeting two objectives in one set of activities: managing cyber security incidents while ensuring that business continues.

Figure 3 below summarises the steps or processes each specific standard will adopt to meet the standard's scope.

 

| Standard | Process |
| --- | --- |
| ISO 22301* | Reduce: Respond: Recover: Resume: Restore: Return |
| ISO 27001* / ISO 27002 | Educate: Assess: Implement: Audit |
| ISO 27004 | Define: Identify: Select: Develop: Measure: Analyze: Report |
| ISO 27031 | Prevent: Detect: Respond: Recover: Improve |
| ISO 27032 | Identify: Engage: Protect: Respond |
| ISO 27033 | Define: Identify: Protect: Respond |
| ISO 27035 | Plan and Prepare: Detect and Report: Assess and Make decisions: Learn from the experience |
| ISO 27040 | Define: Identify: Protect: Respond |
| NIST | Identify: Protect: Detect: Respond: Recover |
| COBIT | Govern: Manage |

Figure 3: The Relevant Standards and their Processes

4. Elements

For each standard the organization chooses to adopt, there are objectives to achieve once the recommended practices are adopted and tailored. Each of the Standards lists processes that need to be performed to achieve the objectives.

Figure 4 presents these as the “Elements”: the detailed processes within each Standard that complete the scope of the standard.

 

| Standard | Elements |
| --- | --- |
| ISO 22301 | Manage cyber security program. Ensure employees are aware and competent. Understand the organisation. Select Business Continuity Options. Develop and Implement Business Continuity Responses. Test and Exercise. |
| ISO 27001 / ISO 27002 | Organize information security. Manage assets. Comply with regulations/standards. Enforce human resource security policies. Manage control access. Acquire, develop and maintain information systems. Enforce physical and environmental security policies. Enforce information security policies. Manage cryptography procedures. Enforce operations security policies. Enforce communications security policies. Maintain supplier relationships. Manage information security incidents. Manage business continuity information aspects. |
| ISO 27004 | Define measurement scope. Identify information needed. Select objects and attributes. Develop measurement construct. Collect, analyse and report data. Document the implementation plan of the overall approach. |
| ISO 27031 | Key Competencies and Knowledge. Facilities. Technology. Data. Processes. Suppliers. |
| ISO 27032 | Determine the definition of cyber security. Establish a correlation between cyber security and other securities. Determine roles and responsibilities for cyber security. Develop a framework for collaboration to tackle cyber security. |
| ISO 27033 | Define network security and its requirements. Identify risks associated with network systems. Implement security controls to protect network systems. Manage cyber security incidents affecting network systems. |
| ISO 27035 | Identify vulnerabilities. Detect cyber security incidents. Respond to and Manage cyber security incidents. Improve continuously. |
| ISO 27040 | Define data security and its requirements. Identify risks associated with data storage systems. Implement security controls to protect data storage systems. Manage cyber security incidents affecting data storage facilities. |
| NIST | Integrate enterprise and cyber security risk management. Manage cyber security requirements. Integrate and align cyber security and acquisition processes. Evaluate organisational cyber security. Manage the cyber security program. Maintain a comprehensive understanding of cyber security risks. Report cyber security risks. Inform the tailoring process. |
| COBIT | Align processes with business objectives. Design organisational structures to facilitate the exchange of information and decision-making. Consider the way of life of employees. Guide the development of principles, policies and frameworks. Establish communication channels for the smooth exchange of information. Account for all IT infrastructures to receive security controls. Assign competent staff for suitable activities. |

Figure 4: The Elements and Detailed Processes within each Standard


Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 4 Standards 4.4 Relationships Between Relevant Standards

Note: This version was the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.