Cybersecurity concerns are no longer merely a business disruption threat handled by IT; rather, they're a critical condition of doing business and a driver of insurance costs. Organizations' annual cybersecurity penetration tests and assurances aren't enough for customers, trading partners, and insurers. These stakeholders increasingly require organizations to complete questionnaires about cybersecurity policies and practices, then use that data to perform their own independent cybersecurity assurance review. This practice is time-consuming, redundant, and costly for an organization. Management accountants have the internal control, planning, risk management, and technology skills to help their organizations navigate these challenges.
Third-party assurance of an organization’s cybersecurity practices addresses the concerns of internal and external stakeholders. For most organizations, the ISO/IEC 27001 certification (ISO 27001) is the gold standard of third-party cybersecurity assurance tools. ISO 27001 is an internationally recognized standard detailing the requirements for an Information Security Management System (ISMS).
The cost and effort required for this assurance is a function of a company’s other compliance programs. All IT governance controls are in scope for both the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and ISO 27001. So in the United States, if you have a Sarbanes-Oxley compliance program, you’re likely covered in these areas and will just need to focus on expanding and strengthening your IT general controls to meet the requirements.
Newer companies are typically more cybersecurity aware; they use cloud technologies and may already have many of the technology risks mitigated, but they may be very immature with respect to governance. Adopting the CSF is appropriate for all companies, and taking the next step to certification is cost-justified for an organization if it will give it a competitive advantage and/or will save costs.
The CSF and its accompanying NIST 800-53 Rev. 5 Controls Catalog (CCAT) are comprehensive, openly available frameworks on which to build an ISO 27001 program. Mapping your firm's internal controls to the CCAT and CSF ensures the completeness of your cybersecurity controls and identifies control gaps for remediation (see "Implementing Cybersecurity," Strategic Finance, July 2021). An ISMS built on the CSF must be mature, with explicit, documented monitoring activities that internal audit has validated as effective, before proceeding to ISO 27001.
The four ISO stages are plan, do, check, and act. The six steps to the plan stage of the project are as follows:
- Adopt a cybersecurity framework.
- Obtain top management commitment to the ISMS.
- Define a systematic approach to information security risk assessment and the risk acceptance criteria.
- Perform a risk assessment within the context of the ISMS scope.
- Identify and evaluate options for the treatment of these risks via “mapping” company controls to cybersecurity risks.
- Prepare a statement of applicability and a risk treatment plan based on ISO standards.
OBJECTIVES OF ANNEX A
Both internal and external risks that may preclude accomplishing the objective of an effective ISMS must be identified and included in the risk assessment. The risk assessment developed for your organization should link strongly to the objectives listed in the Annex A reference controls of ISO 27001. There are 35 objectives listed in Annex A, and we typically identify 85 to 100 risks associated with these objectives to include in the risk assessment. Risk owners for the major sections of the risk assessment, such as physical access control, logical access control, and human resource security, help identify and confirm both the objectives and the related risks. The risk owners also perform the initial risk assessment.
The risk assessment uses a five-point scale for impact, ranging from high (5) to low (1), and a five-point scale for likelihood, ranging from certain (1.00) to unlikely (0.10). The product of these two scores is the inherent risk score. Next, the risk is assessed taking into account the relevant controls in place to mitigate it. A five-point scale is also used for mitigation effectiveness, ranging from fully effective (0.00) to no impact (1.00). The product of the inherent risk score and the mitigation effectiveness score is the residual risk score.
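The scoring just described, worked in code as an added example (not the article's own tool or template): each register line validates its ratings against the published scales, derives inherent and residual scores, and the register is then filtered to the risks still needing treatment. The Annex A section labels, the sample risks, and the 1.0 treatment threshold are constructed assumptions; the article gives the scale endpoints only, so intermediate values are checked by range rather than by discrete step.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of the risk register. Scales follow the article; the
    objective labels and sample values used below are constructed."""
    objective: str      # Annex A area the risk is linked to
    name: str
    impact: int         # 5 (high) .. 1 (low)
    likelihood: float   # 1.00 (certain) .. 0.10 (unlikely)
    mitigation: float   # 0.00 (controls fully effective) .. 1.00 (no impact)
    notes: str = ""     # rationale for the three ratings, kept with the score

    def __post_init__(self) -> None:
        # Reject values outside the published scales before they are scored.
        if self.impact not in range(1, 6):
            raise ValueError(f"{self.name}: impact must be an integer 1..5")
        if not 0.10 <= self.likelihood <= 1.00:
            raise ValueError(f"{self.name}: likelihood must be 0.10..1.00")
        if not 0.00 <= self.mitigation <= 1.00:
            raise ValueError(f"{self.name}: mitigation must be 0.00..1.00")

    @property
    def inherent(self) -> float:
        return round(self.impact * self.likelihood, 2)

    @property
    def residual(self) -> float:
        return round(self.inherent * self.mitigation, 2)


def treatment_candidates(risks: list[Risk], threshold: float) -> list[Risk]:
    """Risks whose residual score is still at or above the threshold,
    highest residual first. The threshold is an assumption; the article
    does not state one."""
    return sorted((r for r in risks if r.residual >= threshold),
                  key=lambda r: r.residual, reverse=True)


# Constructed sample register, not taken from the article.
SAMPLE_REGISTER = [
    Risk("logical access control", "Phishing leads to credential theft",
         impact=4, likelihood=0.80, mitigation=0.50,
         notes="MFA deployed; awareness training not yet complete"),
    Risk("physical access control", "Unescorted visitor reaches server room",
         impact=3, likelihood=0.30, mitigation=0.20,
         notes="badge readers and visitor log in place"),
    Risk("human resource security", "Leaver retains access after termination",
         impact=5, likelihood=1.00, mitigation=1.00,
         notes="no leaver process yet; control gap to remediate"),
]

if __name__ == "__main__":
    for r in treatment_candidates(SAMPLE_REGISTER, threshold=1.0):
        print(f"{r.residual:4.2f}  {r.name} [{r.objective}]")
```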
For example, a high-impact risk with a certain likelihood has the highest possible inherent risk score of 5.0; it remains a 5.0 residual risk if the controls are rated as having no impact, but falls to a residual risk of 0.00 if the controls are rated fully effective. Notes are documented throughout to support the ratings chosen for impact, likelihood, and mitigation effectiveness. Once the initial risk assessment is complete, the results are reviewed with senior management, who can weigh in on factors the risk owners may not have considered. Any necessary updates are agreed to, and the risk assessment is finalized as a formal ISO risk treatment plan. The five steps of the do stage of the project are:
- Finalize the risk treatment plan and its documentation.
- Implement the risk treatment plan and planned controls.
- Arrange appropriate training for affected staff, as well as awareness programs.
- Manage operations and resources in line with the ISMS.
- Implement procedures that enable prompt detection of, and response to, security incidents.
The check stage involves driving continuous improvement by monitoring, reviewing, testing, and auditing. ISO requires an independent audit, which can be achieved via internal audit, co-sourcing, or some combination of the two.
The act stage involves addressing audit outcomes/findings as well as continually updating and improving your process with lessons learned from simulation exercises, incidents, actual threats identified and responded to, developments in information security, and other improvements.
Once your program is in place with explicit documented monitoring of all controls, subject to internal audit, you’re ready to choose a firm to perform the ISO certification. Once certified, communicate this to your stakeholders. Your certification will instill confidence, eliminate the cybersecurity questionnaires, reduce your insurance premiums, and greatly reduce the risk of any future cybersecurity events.