
ISO 27001, NIS, LPM, NIST CSF, PCI-DSS, NC: compliance in 6 acronyms

The cybersecurity industry, and particularly the field of incident response, is an environment where all kinds of acronyms flourish. It's so easy to get lost. Standards, directives, laws, processes... Let's take a look at the definitions of six acronyms commonly used in compliance that no one should be unaware of.

November 15, 2022

ISO 27001, the international standard for cyber risk management

The ISO 27001 standard, published in 2005 and revised in 2013 and again in 2022, was developed jointly by the two global standardization bodies ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), which is why it is also referred to as ISO/IEC 27001:2013. This international reference standard defines the information security management system (ISMS) to be implemented within an organization. It provides a framework to help organizations implement, maintain, and continuously improve their ISMS.

ISO 27001 is sufficiently generic to be adapted to any type of organization, regardless of its size, nature, or sector of activity. Its objective is to implement the necessary protective measures to maintain the confidentiality, availability, and integrity of your organization's information.

This standard therefore addresses security through risk management. The 252 requirements of this standard cover the following areas in particular:

  • regulatory compliance, including the protection of personal data
  • information security governance and data governance strategy
  • the security of material resources (infrastructure, networks, and computer systems)
  • human resources (staff organization and responsibility, information system security policy, cybersecurity awareness, etc.)
  • physical security (access to buildings or IT infrastructure)
  • the development and maintenance of systems and software
  • business continuity (BCP, DRP, etc.)

A company that correctly applies all the requirements of the ISO 27001 standard can be certified by a qualified auditor. ISO 27001 certification is a guarantee of trust in data storage and security. In addition to being a commercial asset (more and more calls for tenders require certification), it puts your organization on a path of continuous improvement in information system security.

LPM, the French military programming law

In France, a Military Programming Law (LPM) has been passed at regular intervals since the 1960s. Every 4 to 6 years, this law sets the military spending program. The 2014-2019 LPM includes a strengthened "cyber" component and establishes the legislative framework for Operators of Vital Importance (OIV), making them responsible for securing their information systems of vital importance (SIIV).

The latest version, the 2019-2025 Military Programming Law, makes cybersecurity a priority. Key measures in this text include increasing the number of cybersecurity experts, protecting weapons systems and information systems from the design phase onwards, and strengthening the capabilities of the Center for Analysis and Defensive IT Operations (CALID) and the armed forces' SOCs.

NIS, the European cybersecurity directive

The NIS (Network and Information Security) Directive is a founding piece of legislation for cybersecurity at the European level. Adopted in 2016 by the European Parliament, this directive requires legislative transposition at the national level. According to ANSSI, which is in charge of this project: "This directive aims to create a strong and trustworthy Europe, based on the national cybersecurity capabilities of Member States, the establishment of effective cooperation, and the protection of critical economic and societal activities of the nation, in order to collectively address the risks of cyberattacks."

One of the key points of this directive is to raise the level of cybersecurity in Member States through the establishment of national CSIRTs (Computer Security Incident Response Teams).

The second objective of the text is to increase cross-border collaboration. It is by sharing information and working together that Europe will be able to tackle cyber threats.

Finally, the directive also sets out a series of network and information security requirements for operators of essential services (OES) and digital service providers. Each Member State must then draw up a list of the sectors it considers "essential," such as energy, transport, water, health, and even the financial sector. In France, this directive is in line with the 2014-2019 Military Programming Law and the establishment of OIVs (Operators of Vital Importance).

Faced with increasing cyber threats, the European Union wants greater security and is preparing a revision of this directive. NIS V2.0 does not aim to increase security rules, but rather to extend the scope of application of security rules. According to statements made by Guillaume Poupard, Director General of ANSSI, in June 2022, the number of so-called "essential" actors would then increase tenfold.

NIST CSF, the US cybersecurity framework

In the United States, the National Institute of Standards and Technology (NIST) published the CSF (Cybersecurity Framework) in 2014 for private sector organizations operating critical infrastructure, to guide them in managing their cybersecurity. This "framework for improving the cybersecurity of critical infrastructure" [1] is the result of a joint effort between the U.S. government, academia, and private industry. Widely deployed around the world, this framework consists of standards, guidelines, and best practices.

The five main functions of this framework are named with action verbs, running from recognition to resolution:

  • Identify: develop an understanding of the organization (systems, assets, data, etc.) in order to manage cybersecurity risks.
  • Protect: develop and implement the protective measures that ensure the security of the organization's critical services.
  • Detect: identify cybersecurity events.
  • Respond: define the actions to be taken in response to a detected cybersecurity incident.
  • Recover: establish the appropriate actions for maintaining resilience plans and restoring anything that may have been compromised as a result of a cybersecurity incident.

The purpose of these functions is to provide a strategic view of the cybersecurity risks that could occur within an organization.

In addition to these functions, there are around twenty categories (risk management, maintenance, governance, etc.) and nearly a hundred subcategories derived from references to other standards such as ISO 27001. Adaptable to all types of businesses, this framework has the advantage of presenting information in an easily accessible way.

PCI-DSS, protecting banking transactions

PCI-DSS (Payment Card Industry Data Security Standard) is the acronym used to refer to the set of data security policies and procedures applicable to the payment card industry.

It comprises 12 main requirements, organized into 6 groups called "control objectives."

The first version of PCI-DSS was published in late 2004 and is regularly updated. The purpose of this standard is to protect credit, debit, and payment card transactions. It also aims to prevent the misuse of cardholders' personal information.

Compliance with the PCI-DSS standard is required for all bank cards. This international standard is developed and maintained by a consortium of five payment brands (MasterCard, Visa, American Express, Discover Card, and JCB).

NC, outside the scope of compliance

Talking about compliance would be meaningless without mentioning the acronym NC, for Non-Compliance. By definition, non-compliance consists of failing to comply with a rule in force. It is therefore a deviation of a process, a service, or even a product from an initial requirement. Failure to comply with a regulation or standard can be classified as a major NC or a minor NC, depending on the corrective measures that need to be implemented to restore compliance.

And Baptiste David, Head of PreSales & Delivery at Tenacy, is very clear on the subject:

"We cannot achieve compliance without addressing non-conformities on a daily basis! Furthermore, addressing non-conformities is a challenge for a certified organization. During an audit, proof of non-conformity resolution is required."

[1] French version: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018fr.pdf