Strengthening Cybersecurity with ISO/IEC 27001 and Technology: Fundamentals, Imperatives, and Practical Implementation

The increasing number of information leakage cases and cybersecurity incidents has caused losses to various parties, including data owners, data controllers, and data users. This has raised awareness of the importance of information security and cybersecurity. However, with the dynamic development of technology, synergy is required between the implementation of information security frameworks and the cybersecurity technologies used. Therefore, sufficient fundamental understanding of these two concepts is required.

Fundamentals and Urgency of Implementation

According to international standards [1], The International Organization for Standardization (ISO) and The International Electrotechnical Commission (IEC) are specialized bodies responsible for developing global standards. These two organizations have published ISO/IEC 27001:2022 concerning Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems Requirements as one of the frameworks for an Information Security Management System (ISMS), which establishes requirements for building, implementing, managing, and continuously improving an ISMS for all types and sizes of organizations.

The implementation of ISMS by various organizations in Indonesia has different backgrounds, whether as fulfillment of regulatory requirements, initiatives driven by organizational awareness, or marketing needs and efforts to increase organizational value in the eyes of customers. Regardless of the background of ISMS implementation, the development of a management system fundamentally has a positive impact on internal organizational order.

There are three main sources of information security requirements according to ISO/IEC 27001:2022, namely compliance with organizational laws and regulations, a set of principles, objectives, and operational business activity requirements, as well as risk assessment.

Research results by Alshar [2] state that the purpose of an ISMS is to protect the confidentiality, integrity, and availability of information by implementing risk management processes and providing assurance to interested parties that risks are managed adequately. One of the risks faced by data owners, data controllers, and data users is cybersecurity risk, which will continue to evolve along with technological developments. Therefore, internationally recognized controls are needed to reduce the level of cybersecurity risk.

The ISO/IEC 27001:2022 standard [3] explains a series of information security control references through Annex A, which can serve as implementation guidance as outlined in ISO/IEC 27002. Information security controls based on ISO/IEC 27002 are divided into four groups: organizational controls, human resource controls, physical controls, and technological controls.

The need for technological controls in ISO/IEC 27001 can be fulfilled in various ways, one of which is through the implementation of cybersecurity technologies. In today’s highly digital era, most information is stored digitally within system and computer network environments. This increases the importance of technological controls in securing information. This is where cybersecurity technologies are present and play a role in fulfilling the technological controls required by ISO/IEC 27001.

Cybersecurity exists to strengthen information protection. According to Drishan et al. [4], information needs to be protected and secured to protect information owners from threats of financial loss, reputational damage, loss of information data, and even social dangers such as physical surveillance and social media harassment. These threats apply to both business actors and individuals, making cybersecurity implementation necessary. Fnu Jimmy, in his article [5], states that cybersecurity itself includes securing computers, servers, mobile devices, electronic systems, computer networks, and data from attacks.

There are various technologies that can be used in implementing cybersecurity. According to Nunez et al. [6], cybersecurity can be divided into two groups: endpoint security and network security. Commonly used endpoint security technologies include Windows firewall/traffic filters, antimalware, data encryption, web filtering, and web-browsing protection. In the network security group, there are technologies such as intrusion detection, server protection, firewalls, virtual local area networks (VLAN), anti-DDoS, and network isolation.

The use of basic software such as firewalls or antivirus, multi-factor authentication, password manager applications, as well as hardware with built-in features to analyze cyberattacks, can support effective and efficient cybersecurity implementation as cyber threats and attacks continue to evolve.

Implementation

All information flows within an organization must have controls to prevent data leakage or cyberattacks. The implementation of ISO/IEC 27001 in an organization needs to be supported by three main factors: human resources, operational and business processes, and the technology used.

The relationship among these three factors in the implementation of ISO/IEC 27001 through operational and business processes must be documented in a document approved by management, which refers to the laws, regulations, and the context of the organization’s activities. These written provisions must also be supported by technological adjustments to ensure the effectiveness of the controls.

However, written provisions and technological support cannot be implemented without supervision and operational personnel. Therefore, adequate and competent human resources are required to implement the provisions and ensure that controls operate properly.

From the technology perspective, cybersecurity can be implemented through various combinations according to the needs and capabilities of the organization. Antimalware or antivirus technology, Windows firewall/traffic filters, and data encryption can be easy and inexpensive options to implement. These features can be found as basic features in some operating systems.

Furthermore, organizations can implement more advanced solutions such as insider threat protection, web-browsing protection, network intrusion detection, server protection, VLAN, and network isolation. These additional solutions can be obtained from third-party providers or through free open-source resources. At a more advanced level, organizations can implement Security Information and Event Management (SIEM) technology. SIEM helps users detect, mitigate, and respond to cyberattacks and incidents by analyzing network, application, and firewall logs in near real-time, enabling organizations to respond quickly.

These three main factors are interconnected, so improvements in one factor can affect the others. Enhancements in cybersecurity tools must also be accompanied by increased human resource training and updates to the policies that form the basis of implementation.

Starting to Build Cybersecurity

Cybersecurity is a complex issue that requires a comprehensive approach. ISO/IEC 27001 provides a framework to help organizations build an effective ISMS. This framework also describes the required controls from various aspects, such as human resources, processes, physical security, and technology, further emphasizing the important role of cybersecurity technologies.

Organizations can choose appropriate technologies according to their needs and capabilities. A combination of basic features from built-in antivirus systems for endpoint protection with additional tools such as firewalls and SIEM can increase the effectiveness and efficiency of ISO/IEC 27001 implementation to protect data and information as vital assets that cannot be assessed solely by their monetary value in today’s digital era.

References

[1] ISO Copyright Office, International Standard ISO 27001 Information Security, Cybersecurity, and Privacy Protection – Information Security Management System, Switzerland, 2022.

[2] M. Alshar, “Cyber Security Framework Selection: Comparison of NIST and ISO 27001,” Applied Computing Journal, pp. 1–11, 2023.

[3] ISO Copyright Office, International Standard ISO 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls, Switzerland, 2022.

[4] D. Dutt, S. Pandey, S. Arora, M. Tripathi, and K. K. Gupta, “Need for Cyber Security Tools and Knowledge,” International Journal of Research in Engineering, Science and Management, p. 203, 2022.

[5] F. Jimmy, “Cyber Security Vulnerabilities and Remediation Through Cloud Security Tools,” Journal of Artificial Intelligence General Science, p. 197, 2024.

[6] M. Nuñez, X.-L. Palmer, L. Potter, C. J. Aliac, and L. C. Velasco, “ICT Security Tools and Techniques among Higher Education Institutions: A Critical Review,” International Journal of Emerging Technologies in Learning, p. 4, 2023.

This article was published in our quarterly newsletter Valoka Vol.2 2024.