IISP East Midlands: BIS Organisational Standards

February 2014

On January 29, we held the second IISP meeting in the East Midlands, at the Institute of Directors in Nottingham, attended by close to 30 delegates.

The meeting was opened by Colin Powers with an introduction and explanation that some quick reshuffling of the agenda was in order as the main speakers train was running late. He also published the hash-tag #IISPEastMids, with delegates encouraged share their thoughts on the meeting live via twitter (these tweets are available as an archive).

And @colinmpowers has kicked us off! #IISPEastMids pic.twitter.com/g5ZVg3OcH2

— NEXOR (@Nexor) January 29, 2014

I was due to give a 5 minute presentation on NEXOR Quaestor, so filled a 15 minute introduction by describing the motivation behind, Quaestor. I explained it was a tool to help the corporate board room in SMEs to understand the maturity of Cyber Security in their business based on the Ten Steps to Cyber Security from BIS, and identify the areas of weakness they should focus on.

At this point, Joanne Miller arrived and we were able to continue with the main event.
Joanne described the scale of the cyber threat as “astonishing”, supported by evidence from the 2013 Information Security Breaches Survey. Joanne the proceeded to describe the governments investment in the Ten Steps, the Cyber Steetwise awareness campaign, the skills initiatives ranging from GCSE to PhD, the Cyber Growth Partnership.

Joanne then focused on the Organisation Security Standard being drafted by BIS following a long industry consultation process, stating that government heard that:

None of the existing standards fully met BIS requirements.
Industry is keen to help BIS develop something new that would meet our requirements.
Greatest volume of support for ISO27000 – series standards.
Supportive of two additional publications: IASME and the ISF Standard of Good Practice for Information Security.
There is a gap for accessible and easy-to-use standards that help organisations implement the most important controls to mitigate basic cyber threats.

As a result BIS are fostering a industry-led development of a new implementation profile, which will become the Government’s preferred standard, due to be published on March 31, 2014. The standard is likely to cover key technical controls drawn from ISO27001, including:

Patching
Firewalls and internet gateways
Controls of administrative privileges and user accounts
Anti-virus

A lively discussion started, covering a broad spectrum for corporate governance, to whether incident response should be part of the standard. Joanne thanks everyone for the feedback on the standard, which will feed into the current open consultation on the standard.

The meeting concluded with a Colin Powers leading the thanks to Joanne for an informative talk before handing over to Clinton Walker to give a brief introduction to our next meeting, which will be on May 29th 2014, in Nottingham, hosted by Talk*infosec.

Are you finding the IISP East Midlands meetings useful / interesting? How can we improve?

Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.