Demystifying ISO27001 (ISMS) and Red Teaming
The Privasec team conducted an online workshop last week and saw more than 85 attendees joining us on Teams with their questions.
As a recap, in the workshop, our GRC consultant Shepherd Gonera shared the top 10 actionable tips to help guide organisations that are looking to embark on their ISO 27001 certification journey. Our RED practice lead Riley Kidd and Asia Head Quan Heng Lim also introduced the Red Teaming exercises according to CORIE/ AASE requirements.
In case you have missed any portion of the workshop or would like to review some of the talking points, here is the link to the recording. We have also included the Q&A (below) that was addressed during the session. For those who are interested in finding out more, check out our we
bsite on ISO 27001 and Red Teaming, including a detailed methodology of a red team attack simulation.
We are always a call or email away so do reach out to us if you would like to have a further chat/ have any questions.
You can also follow us on Linkedin to keep updated about our upcoming events.
If you have attended the workshop, and need to claim a CPE point, do contact us so that we can ensure it is in our attendance list as well for audit purposes.
Questions and Answers
ISO 27001 (ISMS)
How long does the ISMS take to implement?
The ISO 27001 Certification is a journey, where there will be variance in implementation for every organisation. The factors like organisation size and information gathering differs for every client. For Privasec, the typical implementation range between 3 to 6 months.
We are a small start-up company that are looking to build our ISMS. How should I go about weighing the different factors for implementing ISMS, in terms of costs, implementation efforts and time?
At Privasec, we do offer a few options around our services depending on the organisation's needs.
Many companies who are more constraint in time and resources would prefer to outsource the entire ISMS, where at Privasec, we can provide turn-key solutions for the entire ISMS implementation. Conversely, some companies that are of smaller size and limited budget may prefer to implement the ISMS themselves, where in the process, Privasec would provide the guidance and workshop to these companies.
The cost is depended on the organisation’s work structure in terms of implementation efforts, where there will be ways to work around budget and tailor a solution and offering to meet your organisation's needs.
How would the ISMS work on companies that are working in multi countries, i.e Singapore, Australia, New Zealand, etc with similar systems in place across all regions i.e Cloud etc?
The ISMS can span across multiple countries/location under one single certification. There are no limitations. In fact, you can draw some inefficiencies across multiple locations. Usually, organisations start from one location and grow the scope of certification. However, this depends on the organisations and their business models and structure.
Based on your experience, which business unit(s) will be in the best position to lead the ISMS implementation/ transformation?
Typically, the security team will lead such implementation, but it is subjective due to the organisation’s size, nature, and structure. While not every organisation has a dedicated cyber security team, in general it falls on IT or Security team but having an internal audit or compliance team to lead will help.
For bigger organisation, representatives from individual team/business units to drive the risk behaviour is crucial for successful outcome. In all scenarios, we drive those activities and make sure stakeholders involved understand the risk language.
ISO 27001 is for a company, but does the process help to validate the product that the company develops also?
With your company being certified to ISO 27001, it gives assurance to your clients and stakeholder, where it shows that your company is taking the risk-based approach for your system. It also gives confidence to your clients that the product comes from a company that is secure and alert about the risks.
ISO 27001 is a governance standard. It does not secure your product.
ISO 27001 also includes Penetration Testing for the company, is there option that we can perform a Penetration test for the product developed?
Whilst a penetration test is not mandatory, it will most likely be a check your organisation will need to perform. Yes, Privasec can perform a penetration test of the product. The details to tailor the scope of the penetration test needs to be further discussed.
Red Teaming is a new concept for many, especially for those who are not in the critical infrastructure industry. How does an organisation tell if they are ready for the Red Team exercise, in terms of the maturity of their security function?
It’s a case-by-case basis, depending on the outcome the organisation is looking for.
Red Teaming could be suitable for the following reasons:
- For people who are trying to justify the security problems that they have identified, and a Red Team exercise can demonstrate the impact of the security problem to the organisation’s critical assets. This can be effective for an executive to justify the budget required to protect critical assets.
- Due to regulatory requirements, some organisation might require a Red Teaming report to demonstrate their security posture.
- Proactive checks on security systems and infrastructure to holistically understand security posture. With Red Teaming exercises, an organisation can identify unknown vulnerabilities and harden their security with the findings.
As compared to ISO 27001 where the timeline is driven by the organisation, what is the timeline/timeframe for the implementation of Corie or AASE?
For CORIE engagements, depending on the tier of your organisation, the document specifies the number of scenarios that an organisation needs to perform which correlates to the time needed to perform the engagement.
For Bespoke Red Teaming, where the organisation can select the components for Red Teaming, the costs will have a direct correlation to the time. In general, some components can take one to two weeks, some can be 1 month or longer.
However, do keep in mind, for a proper Red Team engagement to be conducted, some preparation time for the attacks will be required, for example the creation of malware or the setting up of phishing website as an initial attack vector.
Depending on the approach and scenario, the attacks need to be spread out and timed wisely to simulate real-world threats. This is where the engagement can range from 3 to 6 months.
The CORIE and AASE Framework is new for organisations, will Privasec be in a good position to help an organisation determine the components needed for compliance?
For CORIE, this is not up to the organisation, the components to comply is dictated by the regulating body. For case-by-case basis testing, it will be something that we can help an organisation understand, by looking at their needs. However, most of the time, companies do know what their crown jewels are, where these critical assets need to be protected and that there are known threat actors that could be targeting them. Privasec can then come in to help guide these companies to comply with these regulations.
For AASE, the compliance depends on the organisation’s objectives, where it is meant to be a guideline. It does describe how deep one can go for the attacks, and it does have a table around the objective that can be sought out by the blue team as well as an assessment for the organisation’s defence capability. According to that, an organisation can perform any exercises where it can be doing a simple penetration test to cyber range to automated attack simulation to advanced adversary attack simulation.
Will there be fines or penalties for non-compliance to CORIE or AASE?
For CORIE, the framework is still in pilot phase where there are no penalties or fines for non-compliance.
Similarly, for AASE, it is also more of a due diligence for companies, where if your organisation’s risk is assessed internally to be of critical level, then the organisation should look to conduct Red Teaming for compliance.
Also, for the case of license review or regulatory review, the typical assessment for risk level will deem it to be reasonable to conduct Red Teaming.
With COVID regulations in place, do we have to go on site to do this test or can we do it remotely
Testing can be done remotely but being onsite can help simulate the greater than normal risks. If we go onsite, we can be with the white team to share information about the process and execution of the attacks. Even if we are not onsite, we are always open to transparently share information about the engagement as and when required.