Information is a valuable asset, and data breaches can cost an organisation both lost business and reputational damage. Controls therefore need to be rigorous enough to protect it and monitored regularly to keep pace with changing risks, according to the international standards body in its newly updated guidelines.
Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.
The technical specification (TS) has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls), all referenced.
Prof Edward Humphreys is leader of the working group that developed the standard. He said ISO/IEC TS 27008 will help organisations to assess and review their controls that are being managed through the information security management standard ISO/IEC 27001.
“In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organisation’s business processes. ISO/IEC TS 27008 can help give organisations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organisation faces.”
ISO/IEC TS 27008 is aimed at organisations of all types and sizes, be they public, private or not-for-profit. It was developed by ISO technical committee ISO/IEC JTC 1, Information security, subcommittee SC 27, IT security techniques, the secretariat of which is held by DIN, ISO’s member for Germany.