How CIS V8 can complement ISO 27001!
What is ISO 27001?
ISO 27001 is a globally recognised standard in the field of information security. It is part of the ISO 27000 series, a family of standards that helps organisations secure information in the broadest sense (digital or printed, internal or external). ISO is the International Organization for Standardization. The Dutch standards institute NEN ensures that the standard is translated and made available for the Dutch market.
ISO 27001 can be applied to any organisation. For healthcare institutions in the Netherlands there is a separate standard, NEN 7510, which focuses solely on information security in healthcare and adds a number of sector-specific measures.
ISO management system standards allow an organisation to demonstrate that it is in control. In the ISO 27000 series that management system standard is ISO 27001, so ISO 27001 is the standard against which an organisation is certified. The certificate is issued by a recognised, independent certification body, which audits the management system and checks that it operates in practice. Organisations that hold this certificate can demonstrate that they have their information security process under control and that management attention is in place to keep improving it.
Alongside ISO 27001 there is ISO 27002, which describes in detail the measures listed in Annex A of ISO 27001. During certification, the Annex A measures (also called controls) are declared applicable in the statement of applicability, indicating that they are applied within the organisation. An organisation may also define controls of its own, but it is wise to use ISO 27002 as a guide, because external auditors will use ISO 27002 as their reference. In this way an organisation can take appropriate measures to comply with ISO 27001.
What’s the same?
ISO 27001 and CIS v8 both focus on securing an organisation's most important information. Many of the measures from ISO 27002 also appear in CIS v8, where they are specified in more technical detail. A CIS v8 assessment therefore tests the implementation of many of the measures from ISO 27002.
What’s the difference?
The major difference between CIS and ISO is that with ISO a management system is certified. CIS v8 is not a certification; it is a technical control set that gives insight into how mature the security measures within an organisation are. Whereas ISO focuses mainly on continuous improvement of security and on management attention to it, a CIS v8 audit gives a clear picture of where the technical implementation of the policy currently stands.
The two support each other. An ISO 27001 certificate demonstrates to the outside world that there is a policy and focus on information security and that processes are in place to continuously improve it. The outcome of a CIS v8 audit provides internal insight into the degree of maturity and the quality of the measures taken.
How does OpenSight apply CIS V8?
OpenSight conducts CIS v8 audits for customers to objectively determine the current state of security within an organisation. This involves examining the remaining exposure to specific attack paths and the technical implementation of the controls, which gives clear insight into an organisation's areas for improvement. The audit can therefore be used as an add-on within an ISO 27001 management system. After the audit, a report is drawn up covering the various aspects assessed.