ISO 27001:2022 has been updated

News
POSTED ON 20-December-22

We sat down with Phillip Vu from Blue Eagle Technologies and Andrew Slater from Cybermerc to learn more about the ISO 27001:2022 updates and what it means for the cybersecurity industry.

Phillip Vu – Director at Blue Eagle Technologies

ISO 27001 is an international security standard, with over 40,000 organisations certified worldwide [1]. It was updated in October 2022 and eleven additional security controls were introduced. For certified companies, there is a three-year transition time after October 2022. The older version of the standard’s certification will no longer be recognised after this transitional period.

Among the eleven new controls, we would like to draw your attention to the two technological controls:

Secure coding

The goal of this protective control is to make sure software is written securely, hence lowering the likelihood that the software application will contain information security vulnerabilities.

Image from NIST [2]

The above graph demonstrates how, as the software progresses through the software lifecycle, the cost to fix bugs rises exponentially [3]. Therefore, it is cheaper and preferable to fix bugs earlier. For software security bugs, the same rules apply. This is why the general guidance is that we should invest in secure coding as soon as possible to prevent security vulnerabilities.

The implementation guidance of the control includes some recommendations that are important to consider:

  • It is important to include open-source software and third parties in secure coding standards, procedures, and governance.
  • Businesses should keep up to date on the latest cyberthreats to guide their secure coding principles. The average software release cycle is three months, but hackers won't wait that long to exploit vulnerabilities in your software.
  • Some web applications are vulnerable to a number of security flaws introduced by poor coding and design, like cross-site scripting and SQL injection attacks.

Overall, by implementing the control, organisations can help to prevent security flaws from being introduced into software code and reduce risks of security incidents.

So, what is the main challenge?

In cybersecurity, our main challenge is the skill shortage: we do not have enough security engineers to fix vulnerabilities in application source code. The skill shortage is so bad that the next step is looking at Artificial Intelligence as a force multiplier [4], not a replacement. What if we could accomplish the same amount of work that normally requires five engineers with just two? Automating repetitive activities and even auto-fixing, auto-testing, and auto-releasing simple vulnerabilities are all possible with AI and automation solutions such as AppSecFasttrack and Snyk. As a result, our engineers can focus on more difficult tasks.

The power of AI is not only limited to “secure coding”, but also can be applied to other controls. This brings us to the next topic: “monitoring activities”.

Monitoring activities

Monitoring activities is not a new concept, and generally speaking, is quite straightforward. But it is one of the most powerful controls for a simple reason: it helps organisations to detect anomalous behaviour and take appropriate actions to respond to the threat. Would it be nice to be a few steps ahead of the cybercriminals?

As mentioned earlier, one key aspect of the control is the emphasis on leveraging machine learning and artificial intelligence capabilities. Again, with the shortage of skills, AI and automation become the right tools, at the right time.

So, what is the main challenge?

AI is powerful but it also produces an overwhelming number of "false positives". In case of a false positive, the AI incorrectly indicates the presence of a threat when the threat is not present. In turn, this puts more pressure on security teams, who already suffer from skills shortages. We want AI to monitor with a goal rather than letting the AI fly blind and produce useless "noise". For instance, the AI model should concentrate on monitoring activity in vulnerable areas of networks and systems.

Furthermore, the guidance covers important recommendations:

  • The monitoring scope and level should be determined in line with business and security requirements, as well as any applicable laws, and regulations.
  • Monitoring records should be kept for a defined retention period.
  • Personnel should be designated to respond to alerts and given the appropriate training to effectively assess potential threats.
  • To reduce the impact of adverse events, procedures should be in place to respond to alerts.
  • Organisations should have redundant systems or processes in place to receive and respond to alerts.

Andrew Slater – Director at Cybermerc

The recent update to ISO27001 has seen the inclusion of Cyber Threat Intelligence (CTI) for the first time. This guidance is timely given the recent rapid escalation in high profile breaches within Australia.

Like all preventative controls, the end goal is to prevent threats to our organisations wherever possible or, at the least, reduce the impact of threats. CTI can be a complex space and whilst being Cyber based, at its heart it is an Intelligence capability and should be thought of as such. 

Intelligence is a product that informs stakeholders within an organisation, allowing them to make risk based decisions to counter threats. Organisations should be looking towards the intelligence lifecycle to define their Primary Intelligence Requirements (PIRs) to ensure that any technology or services they implement support the organisation's needs.

The Intelligence Lifecycle

The guidance within the changes covers the three levels of CTI, which are defined as:

  • Strategic - The exchange of intelligence about the changing threat landscape.
  • Operational - Intelligence of specific attacks including Indicators of Compromise.
  • Tactical - Intelligence about threat actor methodologies, tools and techniques, more commonly referred to as Tactics, Techniques and Procedures (TTPs).

Beyond these definitions of the different types of CTI, the guidance covers what is the most pertinent point of any Intelligence program - all intelligence needs to be relevant, contextual and actionable in order to effectively help protect our organisations.

Within the Cyber realm, technology and services are leveraged to automate aspects of the lifecycle including collection, processing, analysis, production and dissemination to assist in making CTI actionable. This automation can assist with overcoming the current shortage of skilled analysts. This can include leveraging technology such as a Threat Intelligence Platform (TIP). TIPs can provide the machine to machine integrations for automated blocking and detection based on high confidence Indicators of Compromise (IoCs) reducing manual tasks but are also leveraged to provide curated collection and pre-processed information for the purpose of analysis.

With the shortage of skills, models such as collective defense, particularly through collaboration, are key and provide a force multiplier for organisations through collaboration with other trusted organisations. The guidance does refer to sharing CTI with other organisations to improve CTI.

This collaboration within the CTI space is done through Information Sharing and Analysis Centres (ISACs). There are several forms of ISACs including vertical specific such as the Financial Services ISAC, Australian specific such as AUSHIELD DEFEND and also Government-led such as the ACSC CTIS program.

References:

[1] C. C. P. Ltd, “ISO 27001 – Information Security Management System - Compliance Council,” www.compliancecouncil.com.au. https://www.compliancecouncil.com.au/standards/iso-27001-information-security-management-system

[2] National Institute of Standards and Technology (NIST), “Relative cost to fix bugs, based on time of detection,” 2019. https://deepsource.io/blog/exponential-cost-of-fixing-bugs/

[3] Sanket, “Exponential cost of fixing bugs,” DeepSource, 2019. https://deepsource.io/blog/exponential-cost-of-fixing-bugs/

[4] M. Webber, “Cyber industry could be key to keeping young people from leaving city,” The Canberra Times, Mar. 27, 2022. https://www.canberratimes.com.au/story/7673709/cyber-industry-could-be-key-to-keeping-young-people-from-leaving-city/ (accessed Dec. 17, 2022).