What is ISO 27001?
ISO 27001 is one of the most widely recognised security standards globally, and plays a central role in safeguarding the confidentiality, integrity, and availability of information in organisations of every sector and size. But among the many cyber security frameworks and standards available, is it the right choice for securing operational technology (OT)? In this blog, we look at what ISO 27001 is, how it is structured, how it is applied by Australian organisations, and its strengths and weaknesses when applied to OT.
What is ISO/IEC 27001?
ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), with the aim of preserving the confidentiality, integrity, and availability (CIA) of information within an organisation. It helps organisations of all sectors and sizes to become more risk aware and proactive in identifying and addressing weaknesses, by taking a holistic approach to information security that combines people, policies, procedures, and technology. Implementing the standard strengthens an organisation's risk management practices, makes its systems more resilient to cyber risk, and embeds the protection of information assets into the way the business and its systems operate.
The standard's official designation is ISO/IEC 27001, reflecting its joint publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 was first published in 2005 as the first standard in the ISO 27000 series for information security. It was revised in 2013, updated with corrigenda in 2017 to keep pace with the changing information security landscape, and revised again in 2022.
How is ISO 27001 structured?
The ISO 27001 standard takes a top-down approach through a systematic and structured process that involves management support and leadership, policy development, clearly assigned roles and responsibilities, allocation of resources, risk-based decision-making and prioritisation, and performance monitoring and review. By involving all relevant parties, it provides the drive needed to implement an effective security structure within the organisation.
Annex A of the 2013 edition of the standard groups its 114 controls into 14 domains (sometimes referred to as control areas), each with its own control objectives. Together they cover the main aspects of an ISMS and provide a structure for selecting and implementing controls to address specific risks. The 14 domains are:
- Information Security Policies
- Organisation of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development, and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Each domain covers a different area of security, and together they give an organisation the coverage it needs to establish a comprehensive and effective ISMS. Note that the 2022 edition reorganises Annex A into four themes (organisational, people, physical, and technological controls) with 93 controls, although the areas of security covered remain essentially the same.
ISO 27001 use in operational technology
Many organisations govern their information technology with ISO 27001, as it is designed for an ISMS and well suited to supporting business technologies, and some have also attempted to apply the standard to operational technology (OT). This is usually motivated by the commonalities between IT and OT control systems and their implementations. However, the standard's controls assume IT-style countermeasures, and traditional security technologies (e.g. host antivirus and inline intrusion prevention) can interrupt production or block control-network traffic, potentially preventing safety controls from acting during time-critical periods.
Adopting this standard alone may not satisfy the requirements of OT systems, because it does not consider safety and physical hazards. That said, because ISO 27001 is concerned with protecting information, it can still play a part in OT, for example in protecting process control data, program logic, and configuration files from tampering, an equally important area of security that directly supports physical safety and hazard management.
ISO 27001 in Australia
As one of the most widely recognised standards globally, ISO 27001 is the default standard for information security management in many Australian Government departments, industries, and organisations. Certification is not mandatory, but organisations are strongly encouraged to meet the standard and to become certified against it.
ISO 27001 is prevalent across all Australian industry sectors whose technology and systems support information assets: financial institutions and healthcare providers use it for compliance, water and energy organisations for information systems audit, and critical infrastructure operators for risk management and information security of control systems. Within government, ISO 27001 is used extensively to support audit and compliance activities, with internal audit functions and government audit offices assessing information security assurance against it. This is prominent across agencies at State and Territory level, as it allows them to obtain the assurance they need to operate with confidence in their security posture.
NEED GUIDANCE ON SELECTING THE RIGHT FRAMEWORK FOR YOUR ORGANISATION?
ISO 27001 is a globally recognised standard that has shaped robust information security practices across many sectors, including many in Australia. While it offers a comprehensive framework for managing and protecting information assets, applying it to operational technology (OT) requires careful consideration. Its focus on information security, set against the specific needs of OT, means that while it provides valuable guidance, it will usually need to be adapted or supplemented to address the unique challenges of OT environments. Nonetheless, its widespread adoption and its holistic approach to security management make ISO 27001 a valuable tool for organisations seeking to strengthen their cyber security posture in an increasingly complex digital landscape.
Selecting the right framework is an important first step towards a secure environment, but with so many options available it can be a daunting task. As a trusted provider of comprehensive cyber security solutions, Secolve offers the expertise and guidance needed to navigate these frameworks. We understand the unique challenges faced by OT organisations of all sizes and can assist you in selecting, implementing, and optimising the right framework for your specific needs.
Contact us today to learn more about how we can empower your organisation to navigate the ever-evolving cyber landscape and stay one step ahead of potential threats.