Next, the CIR-BCM relationships between the relevant Standards are established based on pre-defined common areas.
By drawing relationships between the relevant Standards, organizations get an overall picture of the content of each standard and of its specific relationship to CIR-BCM.
Organizations adopting several standards can align the processes they have in common to develop a comprehensive plan for responding to cybersecurity incidents. The relationships are further elaborated on and compared from the perspectives of focus, scope, process and elements, as shown in Figures 1 to 4 below.

The main focus of each of the respective Standards is outlined in Figure 1, which frames what each standard specifically addresses.
| Standard | Focus |
|---|---|
| ISO 22301 | Business Continuity Management |
| ISO 27001 / ISO 27002 | Information Security Management System (ISMS) best practices; recommended controls on information security |
| ISO 27004 | Guidelines for the development of measures and the measurement of the effectiveness of an ISMS |
| ISO 27031 | Standard on the readiness of Information and Communication Technologies (ICT) for business continuity |
| ISO 27032 | Guidelines to improve cyber security through implementing security techniques on information technologies |
| ISO 27033 | Guidelines for managing network security |
| ISO 27035 | Incident management |
| ISO 27040 | Guidelines for managing data storage security |
| NIST | A voluntary framework that organisations can choose to adopt to improve cyber security within their organisation |
| COBIT | Business framework for governing and managing the IT aspect of an organisation |

Figure 1: The Relevant Standards and Their Focus
The benefits organizations receive from adopting the respective standards and implementing the recommended practices are listed in Figure 4; these set the end objectives for organizations to achieve when aligning with a specific standard.
A standard is relevant to organizations whose information security mission needs to be aligned with the specific "Scope" or objectives presented in Figure 2.
| Standard | Scope |
|---|---|
| ISO 22301 | Manage business continuity risks |
| ISO 27001 / ISO 27002 | Manage information security risks |
| ISO 27004 | Measure the effectiveness of the ISMS to identify improvements |
| ISO 27031 | Manage ICT infrastructure risks |
| ISO 27032 | Manage cyber security incidents |
| ISO 27033 | Manage network security risks |
| ISO 27035 | Plan and prepare for incident response |
| ISO 27040 | Manage data storage risks |
| NIST | Improve the organisation's ability to tackle cyber security |
| COBIT | Guide organisations to govern and manage their IT infrastructures in a holistic manner |

Figure 2: The Standards and Their Scope of Coverage
The respective Standards list the steps organizations can perform to develop the contents of the plan document. Where standards share common processes, organizations can carry them out simultaneously and meet two objectives in one set of activities: managing cyber security incidents while ensuring that the business continues.
Figure 3 below summarises the steps or processes each specific standard adopts to meet that standard's scope.
| Standard | Process |
|---|---|
| ISO 22301* | Reduce → Respond → Recover → Resume → Restore → Return |
| ISO 27001* / ISO 27002 | Educate → Assess → Implement → Audit |
| ISO 27004 | Define → Identify → Select → Develop → Measure → Analyze → Report |
| ISO 27031 | Prevent → Detect → Respond → Recover → Improve |
| ISO 27032 | Identify → Engage → Protect → Respond |
| ISO 27033 | Define → Identify → Protect → Respond |
| ISO 27035 | Plan and Prepare → Detect and Report → Assess and Make Decisions → Learn from the Experience |
| ISO 27040 | Define → Identify → Protect → Respond |
| NIST | Identify → Protect → Detect → Respond → Recover |
| COBIT | Govern → Manage |

Figure 3: The Relevant Standards and Their Processes
4. Elements
For each standard the organization chooses to adopt, there are objectives to achieve once the recommended practices have been adopted and tailored. Each of the Standards lists the processes that need to be performed to achieve those objectives.
Figure 4 elaborates these as the "Elements": the detailed processes within each Standard that complete the scope of that standard.
| Standard | Elements |
|---|---|
| ISO 22301 | Manage the cyber security program. Ensure employees are aware and competent. Understand the organisation. Select business continuity options. Develop and implement business continuity responses. Test and exercise. |
| ISO 27001 / ISO 27002 | Organize information security. Manage assets. Comply with regulations/standards. Enforce human resource security policies. Manage access control. Acquire, develop and maintain information systems. Enforce physical and environmental security policies. Enforce information security policies. Manage cryptography procedures. Enforce operations security policies. Enforce communications security policies. Maintain supplier relationships. Manage information security incidents. Manage the information security aspects of business continuity. |
| ISO 27004 | Define the measurement scope. Identify the information needed. Select objects and attributes. Develop the measurement construct. Collect, analyse and report data. Document the implementation plan of the overall approach. |
| ISO 27031 | Key competencies and knowledge. Facilities. Technology. Data. Processes. Suppliers. |
| ISO 27032 | Determine the definition of cyber security. Establish the correlation between cyber security and other securities. Determine roles and responsibilities for cyber security. Develop a framework for collaboration to tackle cyber security. |
| ISO 27033 | Define network security and its requirements. Identify risks associated with network systems. Implement security controls to protect network systems. Manage cyber security incidents affecting network systems. |
| ISO 27035 | Identify vulnerabilities. Detect cyber security incidents. Respond to and manage cyber security incidents. Improve continuously. |
| ISO 27040 | Define data security and its requirements. Identify risks associated with data storage systems. Implement security controls to protect data storage systems. Manage cyber security incidents affecting data storage facilities. |
| NIST | Integrate enterprise and cyber security risk management. Manage cyber security requirements. Integrate and align cyber security and acquisition processes. Evaluate organisational cyber security. Manage the cyber security program. Maintain a comprehensive understanding of cyber security risks. Report cyber security risks. Inform the tailoring process. |
| COBIT | Align processes with business objectives. Design organisational structures to facilitate the exchange of information and decision-making. Consider the way of life of employees. Guide the development of principles, policies and frameworks. Establish communication channels for the smooth exchange of information. Account for all IT infrastructures so that they receive security controls. Assign competent staff to suitable activities. |

Figure 4: The Elements and Detailed Processes within Each Standard
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 4, Standards, Section 4.4, Relationships Between Relevant Standards.
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.