New British Standard BS 31111 for Cyber Risk and Resilience
Over the past year, the BSI Risk Management Committee has been working on developing new guidance that aims to help top executives better understand and manage the technology risks to their organizations.
The drafting group has been carefully selected to provide input from government, regulators, professional bodies, business and technical experts to produce advice that directly addresses the realities and challenges of managing cyber risk in a digital world.
The new standard is at the public draft stage and comments are being sought though the BSI draft Review System (DRS) [http://drafts.bsigroup.com/Home/Details/59198 opens new page & login is required].
The standard takes a different approach to others covering the technology sector by focusing and supporting good decision making by top management rather than concentrating on technical details. The structure and simplicity is suitable for all current computer and control environments and can be applied to emerging products and services such as the internet of things [IoT].
BS 31111 seeks to ensure that the business’s leadership and its senior management are highlighting the right priorities through a better assessment of the commercial and operational risks being faced. In addition, the new guidance aims to support existing standards and good practice frameworks by providing an overarching, yet simple framework approach illustrated as an organisational ‘cyber temple’.
The guidance challenges the executive to demonstrate that the cyber risk measures it has in place can actually protect the organization and are properly aligned with the specific interests of its stakeholders.
In particular, BS 31111 directly addresses the most commonest failings found across the serious cyber incidents. The BS 31111 standard asks the organizations leadership to provide evidence of their planning across six key themes:
a) cyber governance policies with strong structures, operating models and supporting resources;
b) Demonstrating commitment to recognised security and risk management frameworks that include mitigate, accept, respond and transfer capabilities;
c) clear risk reporting that shows the commercial and operational impact of the risks based upon actionable and real-time intelligence;
d) an ability to learn from experience including starting from first principles to a more innovative, adaptive response as a situation changes;
e) the need to recognise that cyber risk and resilience be incorporated into all new programmes and initiatives;
f) Having a threat intelligence capability and information sharing programmes to ensure that the organization and any appropriate third parties are quickly kept up-to-date with the level of risk including the ability to quickly adoption of any external guidance necessary to control identified risks.
To correctly deliver against these expectations top executives need to be able to show understanding of the firms issues and demonstrate leadership with a frame of reference that delivers governance and good risk management decision making to develop appropriate, cost effective cyber capabilities.
This British Standard aims to provide a framework of good practice that supports top management in the commercial decision making process and builds strong links to other IT-centric technical standards.
For more information on the Standard or how to get involved you can contact RM/1 Chairman Russell Price at email@example.com or call him on +44 208 993 1599.
Cyber Risk and Insurance Forum Members Sian John (Symantec), Simon Gilderson (A&M) and GRS Chairman Russell Price are panel members of the BS 31111 drafting committee.
You might also like ...
Financial cyber-crimes are becoming such a frequent feature in the media that one might be forgiven for feeling a little "cyber-fatigued."
However, the scale of the thefts from financial institutions, as reported by Kaspersky Labs recently, are arguably unique in their scale and audacity. Kaspersky describes hooded "money mules" waiting at ATMs, controlled remotely to dispense cash at a particular time without the need for a bank card.