BSI, the UK’s National Standards Body, has created a new specification, PAS 555 Cyber security risk – Governance and management, to help organisations manage their cyber security. In a domain where there are already a very large number of standards and schemes, one of the first questions is ‘why has another been created?’
In fact, it is that very thinking that has led to the creation of PAS 555. The truth is that there are so many different pieces of good practice, it can be confusing to choose between them and potentially very expensive for any organisation to demonstrate its security credentials. Moreover, despite nearly £3Bn a year spent on information security technology in the UK alone, the volume and scale of cyber security incidents has continued to increase. Something needs to change.
The creation of PAS 555 arose from a need recognised by industry and also articulated in the UK Government’s 2011 Cyber Security Strategy. It is intended to help organisations of all sizes better understand the risks they face and to take an outcome-based approach to improving cyber security.
PAS 555 is based on the following principles:
A comprehensive approach to security is essential
It is an old adage that security is only as good as the weakest link. Information security has focused for too long on just the technical elements, but it is people who use computers – people who may make mistakes, fail to follow policies and sometimes use the power they have at their keyboard for malicious purposes. While getting the basics of cyber security right would help significantly, good practice needs to address all dimensions. PAS 555 defines all the dimensions of the cyber security challenge through the complete lifecycle, including risk assessment, protection and mitigation, detection and response, and recovery. This is the first time that this has been achieved and no other standard is as comprehensive.
Effective cyber security means reaching into all parts of the economy, big and small
Security providers often focus more on solutions for government and big business. However, every large organisation relies upon many smaller companies, who may have access to their systems and their sensitive or critical assets. Increasingly, it is these smaller companies, who are often less protected, that are being targeted in order to provide access to the secrets and resources of bigger organisations. Yet for small companies, spending large amounts of money on secure systems designed for large companies is neither financially viable nor does it make practical sense. For large companies, the idea of complying with another standard is hardly compelling either, especially if it means creating a whole new set of paperwork to satisfy auditors.
PAS 555 addresses these issues head on. It was designed from the outset to be equally applicable to large or small organisations. Existing standards can be used to achieve PAS 555, if so desired (so a good implementation of ISO 27001 will achieve much of what PAS 555 seeks) but it does not necessarily require them. Indeed, it does not require any paperwork, other than that which an organisation chooses to use. It achieves this by specifying outcomes.
Outcome-focused thinking works better for cyber security
Understanding outcomes can be difficult. It is like a taxi journey: it does not matter which route is taken, how many traffic lights are passed or what gears are used, as long as the outcome is that you get where you want to go in good time and for a reasonable price. To date, information security has focused almost exclusively on the methods and the controls. Yet these change with advances in technology and with lessons learned from incidents, and at such a pace that good advice today may not hold tomorrow. PAS 555 instead focuses on the outcomes – the aims and impacts – of security processes. If the outcome is being achieved, then the process of achieving it is irrelevant. This means that it provides freedom of choice as to how security is achieved, while setting out the elements of good security that can be measured.
PAS 555 therefore works with other existing standards and good practice, but for the first time allows them to be mapped into a comprehensive framework that can be readily understood. In so doing, it aims to add something truly valuable to what is a minefield of overlapping and sometimes conflicting information.
PAS 555 draws on the in-depth cyber security knowledge and experience of leading industry organisations, including Cisco, Control Risks, G4S, PA Consulting Group and Symantec, with other key stakeholders involved in its development.