Distrust pushes us into self-limiting stigmas, but International Standards can help us be confidently vulnerable and resilient.
What do Microsoft, Apple, Google, Intel and IBM have in common? As well as all being Fortune 500 companies, these tech giants are all using ISO/IEC 27001. With an increasing global uptake and on display at thousands of sites around the world, ISO/IEC 27001 has become the de facto standard for information security management systems.
To protect their critical data assets from digital threats and vulnerabilities, organizations need to adopt a cyber-resilient mindset. Cyber resilience must be integral not only to technical systems but also to teams, the organizational culture and daily operations. In fact, business leaders today are far more aware of the cyber threat than the year prior. According to the World Economic Forum’s (WEF) Global Security Outlook 2023, 91 % of respondents said they believe a far-reaching and catastrophic cyber event is “at least somewhat likely in the next two years”.
Companies worldwide have responded to the pressures by implementing ISO/IEC 27001[1], the world’s best-known standard for information security management systems (ISMS). It is a documented set of policies, procedures, processes and systems that manages the risks of data loss from cyber-attacks, hacks, data leaks or theft.
Organizations need to adopt a cyber-resilient mindset.
What is cyber resilience?
Cyber resilience is the ability of an organization to operate in the face of a cyber-attack or other cyber incident. It involves having the necessary technical and organizational measures in place to detect, respond to and recover from such incidents, as well as the ability to adapt and learn from them to improve future resilience.
“Cyber resilience is what takes over when security prevention measures falter,” says Andreas Wolf, who leads the group of experts responsible for ISO/IEC IT security standards. “In the digital economy, the ability to transcend cyber disruption distinguishes market champions. Organizations that turn vulnerability into strength will have the confidence to take healthy risks.”
Wolf is no stranger when it comes to security. He and his team are responsible for the new and improved version of ISO/IEC 27001 published in October last year to address global IT security challenges and improve digital trust. It benefits organizations by encouraging them to secure all forms of information, develop a centrally managed framework, reduce spending on ineffective defence technology, and protect the integrity, confidentiality and availability of their data.
But resilience doesn’t just refer to an organization’s internal workings; it must apply across all third-party partnerships and throughout the supply chain. Fortunately, The Cyber Resilience Index (CRI): Advancing Organizational Cyber Resilience, also published by the WEF, seeks to serve as a reference framework to provide visibility and transparency on cyber resilience practices across industries, peers and the supply chain.
The CRI provides public- and private-sector cyber leaders with a common framework of best practice for true cyber resilience, a mechanism to measure organizational performance, and clear language to communicate value. Under the CRI’s principles, subsequent practices and sub-practices for healthy organizational cyber resilience is the use of recognized security frameworks and industry standards such as ISO/IEC 27001.
We can’t afford to compromise on cyber resilience in the digital era.
Vulnerability as a building block for resilience
Being transparent about internal practices and sharing information with competitors and policymakers can make organizations feel vulnerable. But it is this vulnerability that will lead to true collaboration and progress.
We can’t afford to compromise on cyber resilience in the digital era. There is a business case for it, too. Organizations that adopt cyber resilience through confident vulnerability quickly emerge as leaders in their industry and set the standard for their ecosystem. The holistic approach of ISO/IEC 27001 means that the entire organization is covered, not just IT. People, technology and processes all benefit.
Disclaimer: PECB has obtained permission to publish the articles written by ISO.