
CIR Standards: Governing CIR Implementation

This blog extracts and presents the specific clauses of each standard that mention cyber incident response (CIR).

Reference: Chapter 4 Standards 4.5 Relationship Between Standards

Moh Heng Goh


CIR Related Standards

Relationship Between Standards and CIR


The specific standard clauses that mention CIR are extracted and presented in this section.

1. ISO 22301

A detailed elaboration of this standard can be found in Appendix 1.

1.1 Clause “Establish and Implement Business Continuity Procedures”


Organizations must develop, implement and maintain business continuity procedures (ISO 22301, 2012) to manage disruptive incidents so that business functions can continue operating. Developed procedures should be documented, and they should:

  • Contain appropriate internal and external communications protocols;
  • Contain specific descriptions of steps to execute during a disruption;
  • Be flexible enough to adapt to unanticipated threats and to changing internal and external conditions;
  • Prioritize incidents that cause disruptions to operations;
  • Be based on stated assumptions and an analysis of interdependencies; and
  • Minimize impacts through the implementation of appropriate mitigation controls.

1.2 Clause “Incident Response Structure”

A management structure (ISO 22301, 2012) consisting of personnel with necessary responsibility, authority, and competence has to be formed to facilitate an effective response to disruptive incidents. The response structure should:

  • Determine the organization’s risk appetite before initiating a formal response;
  • Create a team that assesses the nature and extent of the disruptive incident and its potential impact;
  • Activate the appropriate response procedures based on the severity of the incident;
  • Contain processes and procedures that guide employees to activate, operate, coordinate and communicate during response;
  • Identify necessary resources that support the response processes and procedures to manage the disruptive incident; and
  • Establish communication channels with relevant stakeholders.

1.3 Clause “Business Continuity Plans”

The business continuity plan (ISO 22301, 2012) should contain documented procedures for managing a disruption effectively and for recovering business functions within a predetermined timeframe. This also includes the CIR plans.

2. ISO 27001

A detailed elaboration of this standard can be found in Appendix 3.

2.1 Clause “Actions to Address Risks and Opportunities”

Cyber security risks that threaten an organization should be identified. Organizations can then select appropriate mitigation or response measures to prevent or reduce cyber security attacks and to minimize the impact (ISO 27001, 2013) of undesired effects. The effectiveness of these mitigation/response measures has to be evaluated. The risks to be addressed include the threats that would trigger a cyber security response.

2.2 Clause “Improvements”

Organizations need to instil the mindset of continuous improvement (ISO 27001, 2013) in all employees. Processes/functions within the Information Security Management System (ISMS) should be evaluated and updated to improve their suitability, adequacy, and effectiveness in dealing with the latest developments in the cyber landscape. This clause requires CIR to be continually improved.

2.3 Clause “Operations”

Risk assessment and risk treatment are ongoing processes. As the cyber landscape develops and advances, the organization has to update itself (ISO 27001, 2013) to remain relevant in handling cyber security threats. Therefore, risk assessment and treatment should be conducted at planned intervals or when significant changes occur, to ensure that the ISMS remains relevant.

3. ISO 27002

A detailed elaboration of this standard can be found in Appendix 4.

3.1 Clause “Selecting Controls”

The selection of appropriate response controls (ISO 27002, 2013) depends on the organization. The Standard only provides guidance on, and descriptions of, the recommended controls; the organization has to decide on and tailor the controls to fit its own context so that it can mitigate and respond to cyber security incidents.

4. ISO 27004

A detailed elaboration of this standard can be found in Appendix 5.

4.1 Clause “Information Security Measurement Program Evaluation and Improvement”

After evaluating the ISMS and finding areas for improvement, the organization needs to determine whether the measurement methods (ISO 27004, 2009) used to evaluate the ISMS are themselves appropriate, and to implement improvements to them. The measurement program should be assessed and improved whenever significant changes occur within or outside the organization. This ensures that the measurement method stays up to date and relevant, so that the evaluation of the ISMS is not undermined by outdated measures.

5. ISO 27031

A detailed elaboration of this standard can be found in Appendix 6.

5.1 Clause “Principles of IRBC”

By following the process flow (ISO 27031, 2011) prescribed by this standard, namely "Prevent; Detect; Respond; Recover; Improve", the organization aims to protect its ICT infrastructures from cyber security incidents through:

  • Implementing security controls to mitigate cyber security attacks;
  • Detecting cyber security attacks at the earliest possible stage;
  • Executing efficient response measures;
  • Recovering ICT infrastructures promptly; and
  • Improving from lessons learned.

6. ISO 27032

A detailed elaboration of this standard can be found in Appendix 7.

6.1 Clause “Assets in the Cyberspace”

Within an organization, various assets (ISO 27032, 2012) are related to cyber security: data, IT hardware and software, networks, and applications. The organization must establish an inventory of the assets it owns so that it knows what it must protect from cyber criminals.


6.2 Clause “Threats against the Security of the Cyberspace”

Based on the assets identified within the organization, determine the threats (ISO 27032, 2012) that could have an impact on them. With the advancement of technology, the methods deployed by cyber criminals have become more complex. Understanding the types of threats the organization faces makes employees aware of the cyber security threats and facilitates the development of security controls.

6.3 Clause “Cybersecurity Controls”

Depending on the threats faced by the different assets, appropriate security controls (ISO 27032, 2012) will have to be in place to deal with the threats. Developing and implementing security controls ensures that the IT infrastructures are protected and secured against cyber criminals.

6.4 Clause “Methods and Processes”

Organizations cannot wait until a cyber security attack occurs before starting to develop a cyber security program. The program has to be developed during peaceful times (ISO 27032, 2012) so that the organization is ready and prepared for an attack. Preparing for cyber security attacks can be done in several ways, as discussed in the Standard. A comprehensive cyber security program within the organization enables cyber security incidents to be managed effectively, minimizing impacts and ensuring that business functions continue to operate.

6.5 Clause “Risk Assessment and Treatment”

Although no formal specification is made on how risk assessment is carried out, certain aspects (ISO 27032, 2012) should be taken into consideration:

  • Identify critical assets;
  • Identify risks;
  • Determine responsibilities;
  • System or service retirement; and
  • Consistency.

From “Assets in the cyberspace” and “Threats to the security of cyberspace”, organizations can tailor the risk assessment process accordingly. Each organization is unique, so no risk assessment process is the same.

7. ISO 27033, 27035 and 27040

A detailed elaboration of these standards can be found in Appendix 8, 9, and 10, respectively.


8. NIST Framework

A detailed elaboration of this standard can be found in Appendix 11.

8.1 Clause “Risk Management and the Cybersecurity Framework”


Cyber security risks to an organization's IT infrastructures must be identified, assessed, and responded to. Managing cyber security risks (NIST, 2017) requires understanding the likelihood and resulting impact of each risk. Risk management should be an ongoing process that continually reassesses the organization's risk appetite. Adjustments and improvements can be made to the cyber security program depending on the outcome of the risk management process. Depending on the impact, the organization can mitigate, transfer, avoid or accept the risk.

8.2 Clause “Framework Core”

The process (NIST, 2017) of managing cyber security is Identify, Protect, Detect, Respond and Recover. Identification refers to understanding organizational context, business functions’ IT requirements, and cyber security risks. Protection refers to implementing appropriate security controls to secure the IT infrastructures within the organization. The objective of “Protect” is to limit or contain the impacts of cyber security risks. Detection refers to measures undertaken to perform timely discovery of cyber security attacks. Response refers to the execution of developed measures to handle detected cyber security attacks. Recovery refers to restoring services that were impaired by the cyber security attack.

8.3 Clause “Establishing or Improving a Cybersecurity Program”

The organization needs to identify its business objectives and the business functions with the highest priorities. Using this knowledge (NIST, 2017), strategic decisions can be made about implementing mitigation/response measures. The scope of the IT infrastructures supporting the operation of the critical business functions (CBFs) has to be determined. Once these are identified, the organization can identify the cyber security risks and organizational vulnerabilities affecting these IT infrastructures.

The organization then needs to establish its current state. This determines whether the organization, with its existing measures and controls, is ready to deal with today's cyber security risks. Next, it sets the target it aims to achieve; this target describes the cyber-related outcomes the organization wants to reach from its current position. Processes and procedures are then developed for the organization to progress from its current position to the set target.

9. COBIT Framework

A detailed elaboration of this standard can be found in Appendix 12.

9.1 Clause “Meeting Stakeholder Needs”

Business activities and operations are performed within an organization to fulfil the needs of various stakeholders (ISACA, 2013). Therefore, their interests and concerns must be accounted for when developing the CIR plan. Changes within and outside the organization, such as the introduction of new technologies or regulations, change the needs and requirements of stakeholders.

These needs are addressed by setting enterprise goals, which are in turn addressed by IT-related goals. Employees within the organization then develop and execute procedures and processes to achieve the IT-related goals, and in this way stakeholder needs are fulfilled.

9.2 Clause “Covering the Enterprise End-to-End”

All aspects of the organization need to be accounted for (ISACA, 2013) when governing and managing the IT infrastructures within the organization. All IT infrastructures and business processes are addressed, whether internal or external.

The process for governing the whole organization can also be used to govern the IT infrastructures. Governing the entire organization involves many processes; collectively, they serve the main objective of creating value for stakeholders.

Besides the processes, frameworks, principles, and structures are established to create value for stakeholders. All these actions and efforts are directed at the main objective. These resources enable the organization's employees, with their assigned roles and responsibilities, to perform the activities that fulfil the objective.

In the case of IT infrastructure, the objective is to ensure that they are protected from the influence of cyber criminals and that there are appropriate measures to detect and respond to cyber security attacks. Similarly, multiple resources are developed to guide employees to achieve the objective. In this case, all employees have a part to play in CIR.

9.3 Clause “Applying a Single Integrated Framework”

COBIT is a single, integrated framework (ISACA, 2013) because other relevant standards and frameworks are aligned with it. COBIT covers the whole organization and serves as a basis for integrating other relevant standards and frameworks: their knowledge, information, and recommended practices are adapted and compiled into one single framework. This standardizes the processes that need to be carried out. The only adjustment that organizations adopting COBIT need to make is to tailor the processes to their own organization.

10. Conclusion on Related Standards for CIR and BCM

In summary, all the related standards are shown in the Figure on the right.

ISO 27001 contains guidelines for developing ISMS.

ISO 27002 is a follow-up standard of ISO 27001, containing more detailed descriptions of the recommended security controls in ISO 27001.

Finally, ISO 27004 contains guidelines on developing measures and measuring the effectiveness of the ISMS.

Within the NIST Framework, processes are set out for developing mitigation/response measures so that cyber security incidents can be managed efficiently.

The recommended practices for developing the mitigation/response measures cover all IT infrastructures within the organization. ISO 27031, ISO 27033, and ISO 27040 cover developing security controls for ICT infrastructures, information/data systems, and data storage, which are components of the organization’s IT infrastructures.

When it comes to CIR, all seven standards/frameworks mentioned above are subsets of ISO 27032, which gives the overall picture of managing cyber security. Within cyber security, the many components have been divided among the respective relevant Standards so that the content of each can be more specific and detailed.

There are some similarities in the development and thinking processes between ISO 27032 and ISO 22301. The main difference between the Standards is just the area of coverage: ISO 27032 for cyber security and ISO 22301 for BCM.

Therefore, an integration of the procedures can be performed where the activities for developing a BCM or cyber security program can be aligned. This is practised in the COBIT Framework, where the management of the IT infrastructures is conducted from a business point of view.


A Manager’s Guide to BCM for Cybersecurity Incident Response

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 4 Standards 4.5 Relationship Between Standards

Note: This version is the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.
