The relationship between cybersecurity and information security

Information security and cybersecurity are closely related and overlap but have different goals. Information security addresses the confidentiality, integrity and availability of information, while cybersecurity is primarily concerned with protecting the lives, health and property of people and organisations, society and nations as a whole.

Cybersecurity is related to the whole cyberspace. Organisations operating in cyberspace should consider not only themselves but also the interested parties that could be adversely affected by an information security incident and vice versa. Organisations operating in cyberspace should therefore manage cyber risks while cooperating with other relevant actors in cyberspace.

Information security focuses in particular on:

  • confidentiality of information that has value for the organisation;
  • the integrity and availability of information that is essential to the organisation’s activities;
  • the availability of ICT infrastructure that supports the organisation’s processes;
  • reliable and trustworthy delivery of ICT services.

An information security incident in cyberspace can lead to a cyber incident. Therefore, information security risks in the context of cyberspace are perceived as cyber risks.

Information security controls are put in place by organisations to reduce their risks. Cybersecurity controls are implemented by organisations to reduce their risks, but also the risks of other stakeholders that could be directly or indirectly affected.

To reduce the consequences of cyber incidents, cyberspace entities have a shared responsibility for managing and communicating cyber risks, implementing security measures, detecting potential incidents and cooperating in responding to and recovering from major incidents.

Information security management system and cybersecurity

The information security management system (ISMS) is applied to the organisation and the boundaries of the ISMS separate it from the external environment. Cyberspace, therefore, forms the external context of the organisation.

Cybersecurity transcends ISMS and organisational boundaries. Organisations often collaborate and communicate with external entities through cyberspace, which represents risks that need to be managed within an organisation’s ISMS.

There are also many sources of risk in cyberspace with different intentions, abilities and motivations. Examples are state-sponsored groups, organised crime groups, terrorists, ideological activists or variously proficient professional and amateur hackers. These sources of risk can expose organisations to information security risks. Therefore, an organisation must identify risks from sources of risk in cyberspace as part of the planning and operation of its information security management system.

The organisation should use its ISMS to manage cyber risks. The ISMS helps to define boundaries and dependencies and to implement all necessary processes and the appropriate set of controls.

An example of the use of an ISMS to support cybersecurity is the use of ISO/IEC 27001 with ISO/IEC 27019 to establish, implement, maintain and continuously improve the ISMS for energy suppliers. As a result, the ISMS supports the stability of the energy supply and thus contributes to the cybersecurity of the state and its inhabitants. Similar examples can be found in telecommunications, banking, transport, healthcare, etc., i.e. in critical infrastructure.

Cybersecurity framework

Sources of cyber risk are constantly evolving. Therefore, states or industry groups create cybersecurity frameworks that individual organisations implement and declare compliance with.

The recently published ISO/IEC TS 27110 standard specifies guidelines for the development of cybersecurity frameworks and a way of organising cybersecurity controls in five concepts – identification, protection, detection, response and recovery. And as the ISO/IEC TS 27110 states, such a structured cybersecurity framework may consist of standards, guidelines and procedures for cyber risk management.

Today’s cybersecurity frameworks do not yet use these newly defined cybersecurity concepts. The change should be brought about by the updated ISO/IEC 27002 standard, which should contain a breakdown of controls according to these concepts. Other frameworks will hopefully follow. This will help mutual understanding and communication between organisations that use different frameworks.
