With information security threats, cyber-attacks, and data breaches on the rise, managing these risks has never been more important for businesses.
AS/NZS ISO/IEC 27001:2023 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements is the world’s best-known standard for information security management systems (ISMS). As a globally recognised framework, the standard helps businesses set up, roll out, maintain, and improve information security, cybersecurity, and privacy protection.
Standards Australia recently hosted an online event focused on AS/NZS ISO/IEC 27001:2023. The event aimed to provide essential insights into how the standard can help protect an organisation’s information and assets from cyber threats. The webinar was presented by Anna Harris, Committee Member of Australian Technical Committee IT-012 Information Security, Cybersecurity, and Privacy Protection and Principal Advisor – Information Security at the Office of the Victorian Information Commissioner. During the session, Ms. Harris explored the standard and discussed how organisations can effectively manage risks associated with information security threats.
The event also included a live Q&A session, providing attendees with the opportunity to ask questions related to the standard and its implementation.
Q&A
Can an organisation implement AS/NZS ISO/IEC 27001:2023 without getting formal certification?
Yes, an organisation can follow AS/NZS ISO/IEC 27001:2023 as best practice without needing formal certification. Formal certification can provide independent verification to stakeholders or customers, but it is not mandatory.
Why should an organisation consider adopting AS/NZS ISO/IEC 27001:2023 instead of, or in addition to, the ASD Essential 8?
The ASD Essential 8 focuses on specific technology and primarily on Microsoft systems. It does not cover other systems or non-digital information. AS/NZS ISO/IEC 27001:2023 is more holistic and covers all aspects of information security, making it a more comprehensive choice.
What advice do you have for SMEs looking to implement AS/NZS ISO/IEC 27001:2023?
SMEs should start by understanding the information they need to protect. This involves discussions with the business to identify valuable information and prioritise protection efforts. Executive buy-in is crucial for successful implementation.
Are ISO 27000 and ISO 27002 standards available for free?
Yes, ISO 27000, which provides an overview and vocabulary, is free to download. The other standards in the ISO 27000 series are not free.
How will AS/NZS ISO/IEC 27001:2023 harmonise with operational technology (OT) system standards?
If OT systems use a management system standard (MSS), AS/NZS ISO/IEC 27001:2023 can be applied using the same structure. If not, AS/NZS ISO/IEC 27001:2023 can still be used as it is generic and applicable to all types of information, including OT environments.
Is it best to apply AS/NZS ISO/IEC 27001:2023 together with COBIT 5 as both address IT risk management?
Both AS/NZS ISO/IEC 27001:2023 and COBIT 5 address IT risk management, but they serve different purposes. COBIT 5 is a holistic IT governance framework, while AS/NZS ISO/IEC 27001:2023 is a holistic information security framework. The key is to understand your specific needs and apply the necessary controls from either standard. AS/NZS ISO/IEC 27001:2023 covers a broader range of information security, not just electronic information on IT systems, whereas COBIT 5 focuses more broadly on IT governance.
Are ISO 27017 and ISO 27018 still part of the updated ISO 27000 family?
Yes, ISO 27017, which covers controls for cloud services, and ISO 27018, which focuses on personal information in public clouds, are still part of the ISO 27000 family.
What are the differences between AS/NZS ISO/IEC 27001:2023 and IEC 62443, and why might a contractor use both?
IEC 62443 focuses on industrial automation and control systems (IACS), while AS/NZS ISO/IEC 27001:2023 describes an information security management system for business systems. A contractor might use both standards to cover a broader range of security controls, especially if they serve clients in utilities like water, gas, or electricity as well as the corporate/enterprise environment. IEC 62443 emphasises the need for consistency with AS/NZS ISO/IEC 27001:2023 practices, noting that IACS security risks may have health, safety, and environmental implications, which should be integrated with existing risk management practices.