The importance of assessing the role of standards has become even more urgent, given that within the past 36 months the ISO has published five standards aimed at providing practitioners and evaluators with a series of consensus-based guidelines that support cyber security operations and data breach response. As one of the Co-Editors of those standards, I thought it might prove useful to provide some insight into how small, medium and large enterprises can best implement them. An overview of the available technologies that allow organisations to automate and orchestrate incident management and data breach response plans may also be valuable.
It’s important that data privacy and information security professionals understand exactly what the standards are and the potential advantages of adopting standardisation approaches; ISO is a wonderful example to start from.
The literature describes technical standards as norms or sets of requirements regarding technical systems. Standards officially proposed by an authority, custom or general consent as a virtuous model are also known as “de jure standards”. In all cases the standard defines engineering requirements, specifications, methods, test criteria, processes, standard operating procedures (SOPs), definitions and guidelines. On the other hand, a custom convention, good practice or methodology can be proposed by a community and become a different flavour of standard, also known as a “de facto standard”, which gains strength through adoption.
However, it’s important to note that specific standards should not be seen in isolation from the wider framework they refer to; standards can be related to each other across a wide spectrum. This is extremely evident in the ISO approach, where standards typically form a well-structured hierarchy. When adopting a standard, be aware that you’ll have to look around, because there may be implications as far as related standards are concerned.
It takes a community
However important these processes are, the authority of the Standardisation Bodies and the effectiveness of standards lie in the consultative process and the contribution of Communities of Experts (Technical Committees) and end users. It’s this process that makes standards such powerful tools for organisations. The validation of standards and the approval process are under the auspices of subject matter experts (SMEs) who bring vast, real-world experience to the process, ensuring that standards are effective and can be applied in actual operational environments; but it’s the communities that make use of the standards that inform and drive adoption, providing feedback through formal processes (e.g. RFCs).
The application of standards in the real world is not simply the result of policies that trickle down from a Standardisation Body, at least not in isolation. The usefulness of a set of standards sometimes comes about through a process of adoption by a wider community. For example, de facto standards usually originate from procedures, policies, informal processes, practical experience and a series of suggestions from real users; in most cases they are proposed and pushed by a large community, becoming a trend and eventually something like a best practice or a guideline. It’s not a process that is driven exclusively by an official Standardisation Body. It can be proposed by the community, leveraging a trend, and in some cases this dramatically increases the usefulness and adoption of these standards.