How to properly assess cyber security

While a perfect cyber security assessment does not exist, using the internationally recognized ISO set of standards provides a solid foundation upon which organization’s can build.

One of the most frequent questions I receive as a result of my blog postings deals with how to properly assess cyber security within the context of the cyber threat environment. The biggest misconception out there deals with penetration testing.

“Pen-testing” is not the first step. It plays a critical part in the overall cyber security program, but cyber security assessments must be far more robust.

When this question is asked, I recommend ISO 27000 series (http://www.27000.org/), and I also include ISO 28000 as the foundation upon which to assess an organization’s current defensive cyber posture. These standards were created by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), and are updated regularly.

Naturally, we have added a few things to the 27000 and 28000 standards. It is amazing how many people have heard of the quality standard ISO 9000, but have not heard about the ISO security series of standards.

This ISO set of standards addresses information security management from multiple perspectives. Using these standards cyber security evaluators can ask a series of questions and determine the current cyber security measures that an organization has put in place. Answers to each assessment question are recorded and given a rating of 1 (low/incomplete) to 5 (high/complete), and a graphically depicted scorecard is created that illustrates the results.

As the assessment is repeated on an annual or semi-annual basis, the previous score for each area is shown and contrasted with the current score. This allows quick interpretation of changes, both positive and negative, in the organization’s security posture.

While a perfect cyber security assessment does not exist, using the internationally recognized ISO set of standards provides a solid foundation upon which organization’s can build. Many organizations start with a scaled down version of the standards due to just how bad many score when looking at the complete standard.

It is worth your time to look at ISO 27000, and to keep in mind that there is a big difference between compliance requirements and security standards like those issued by ISO.