Towards a new normal in Cybersecurity: How a systemic approach and certification create the basic conditions

Covid-19 shows the importance of a systemic approach to information and cybersecurity. Certification of information and cybersecurity validates an organization's efforts and forms the basis for a unified understanding of one of the most important necessities of the digital ecosystem.

Even before the outbreak of Covid-19 at the beginning of 2020, cybersecurity had become one of the most important topics for all industries and companies around the globe, and it regularly tops CEOs' what-keeps-you-up-at-night surveys.

Securing assets, ensuring the integrity of supply chains, guaranteeing the security and validity of relevant processes and, first and foremost, meeting the demand for secure products from industrial and private users have all become of utmost importance in our ever more interconnected world. To tackle these challenges, multiple systemic approaches are available to stakeholders of every size and industry. Solutions range from self-assessments and internal audits to third-party audits and validation via certification.

By now, many cybersecurity certification schemes have been developed worldwide, ranging from component security to process and organizational security and various levels in between. One of the core components of a holistic cybersecurity strategy is an information security management system (ISMS), which can be certified in accordance with the international standard ISO 27001:2017 and may be further enhanced with segment- and technology-specific certification schemes, such as ISO 27011, ISO 27017, ISO 27018, ISO 27701 et al.

Whilst certification is not a one-key-for-all-locks solution, organizations, products and people may benefit from it, as it makes cybersecurity tangible and comparable and therefore a more widely accepted and understood tool for companies of all industries and sizes. ISO 27001:2017 has one big advantage: it is a very widely used and understood standard which provides a good common set of cybersecurity-focused requirements.

It is important to understand that an ISMS in accordance with ISO 27001 is not an out-of-the-box solution; it may be customized and adjusted to an organization's specific circumstances. The key requirements of the standard, such as management commitment, tracking and measuring, continual improvement and disaster recovery plans, should of course always be taken into account in any organization.

To put things into context, an ISMS should be seen as a way to continually improve organizational cybersecurity, not as a burden. Certification by a third party may be seen as a method to standardize cybersecurity globally and to validate an organization's efforts. Certification helps to show the outside world that one of the most important necessities of our globalized world, cybersecurity, is tackled professionally and in accordance with continually evolving, internationally accepted standards.

Our understanding of the "new normal" should incorporate a deep appreciation of the importance of information and cybersecurity. Implementing an ISMS may become the initial milestone towards a more secure world in the 21st century for industry and the private sector alike.

By Marcello Walz, Global Business Line Manager Cybersecurity, TÜV SÜD Management Service GmbH, and co-lead of the Charter of Trust Principle 7 Taskforce