Critical Information Infrastructure (CII) information systems and networks are exposed to major security risks from internal and external cyber threat actors. The trend of cyberattacks and incidents follows the expansion of disruptive technologies and events such as the Internet, artificial intelligence, cryptocurrency, robotics and geo-disasters, which can cause large-scale disruption to an organisation's operations if not given due attention.
Being certified provides assurance that CII organisations are able to meet the required benchmark for CII products and services and to satisfy customers' expectations. Certification is also viewed as a legal or statutory obligation for the set-up of any CII organisation.
Information Security Management Systems (ISMS) And Business Continuity Management System (BCMS)
A holistic approach to how an organisation evaluates its risks, together with an information security management methodology that protects information systematically, is the right step towards achieving a secure environment for the organisation to operate in.
ISO/IEC 27001, or ISMS, is a set of requirements for Information Security Management Systems. It specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organisation's overall business risks. An ISMS also sets out a systematic and structured approach to managing information so that it remains secure.
ISMS implementation covers policies, processes, procedures, organisational structures, and software and hardware functions. The implementation should be directly shaped by the organisation's objectives, security requirements, processes employed, size and structure.
As for ISO 22301, or BCMS, its main purpose is to prepare for, provide and maintain the controls and capabilities needed to manage an organisation's overall ability to continue operating during disruptions. The standard specifies requirements for implementing, maintaining and improving a management system that protects against disruptions, reduces the likelihood of their occurrence, and prepares for, responds to and recovers from them when they arise.
Organizations should be audited continuously to improve the suitability, adequacy and effectiveness of their ISMS and BCMS, based on qualitative and quantitative measures to check if both meet the required standards.