What is
Information Security?
An Overview

ISO 27001 is a leading global standard designed to help organisations manage their information security management systems (ISMS’).  ISO 27001 is a risk-based standard designed to protect sensitive company and customer information with a set of organisational, physical, people and technological controls.  The Standard has wide appeal and can be adopted by organisations of all sizes from small and medium-sized enterprises (SMEs) to large multinational corporations and from all market sectors, including both public and private sectors.  ISO 27001 was updated in 2022 when a number of the mandatory management system clauses were updated to improve the alignment with other ISO Annex SL standards, such as ISO 9001 and ISO 22301.  The more significant changes, however, were made to Annex A controls with the intention of reflecting the evolving nature of cybersecurity threats etc.  With ISO 27001, the ISMS is based on a model of continuous improvement, including regular reviews and audits.  In order to provide additional assurance to stakeholders, organisations can seek independent assessment though accredited certification bodies and gain certificates that are awarded on 3-year cycles.

Having been involved in implementing ISO 27001 since its inception in 2005, URM is adept at  supporting  organisations implement an ISO 27001-conformant ISMS  from conducting gap analyses and risk assessments, through to remediation activities and delivering management system and security control audits.

The Payment Card Industry Data Security Standard (PCI DSS) is a niche standard which is designed to secure credit and debit card transactions against data theft and fraud.  It includes stringent security requirements such as encryption, access control, and regular security testing.  The Standard is globally recognised and widely implemented in many countries and is particularly popular and mandated in regions with significant e-commerce and financial activities.  As such, PCI DSS is specifically targeted at any organisation that handles payment card data, including merchants, processors, acquirers, issuers and service providers, effectively any entity involved in processing, storing, or transmitting credit and debit card information.  In order to validate compliance, organisations must undergo regular assessments.   Organisations handling large volumes of transactions (over 6 million per card brand for merchants and 300,000 for service providers) must have their compliance assessed by an independent Qualified Security Assessor Company (QSAC), such as URM, which completes a report on compliance (RoC).

Apart from conducting RoC assessments and supporting SAQs, URM can assist organisations by conducting gap analyses and helping with any PCI implementation or remediation activities.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Programme (CSP) is aimed at enhancing the security of the SWIFT network, which is used for global financial transactions to prevent, detect, and respond to fraudulent activities.  The SWIFT CSP is aimed at financial institutions and entities that use the SWIFT network for international banking transactions.  As part of the CSP, users are required to submit their attestation of compliance with the SWIFT Customer Security Controls Framework (CSCF) and share these with counterparts.  The 2022 version of the CSCF contains 31 controls, of which 22 are mandatory and 9 are advisory.  These controls are mapped against international standards such as NIST, PCI DSS and ISO 27002.  The 31 controls are based on 3 objectives; ‘Secure your Environment’, ‘Know and Limit Access’ and ‘Detect and Respond’ and are underpinned by 8 principles.

URM offers a range of SWIFT CSP services from conducting a review of current cybersecurity posture against the CSCF requirements and identifying gaps, through to remediation support and an independent assessment of policies, processes, and business practices against CSCF requirements.

The Cybersecurity Maturity Model Certification (CMMC) is a U.S.-based standard specifically tailored to address the cybersecurity requirements and challenges faced by the U.S. defence sector.  It is designed to ensure that supply-chain contractors working with the U.S. Department of Defense (DoD) implement adequate cybersecurity practices.  In order to protect against cyber threats, defence contractors and other organisations that handle controlled unclassified information (CUI) are required to meet a set of cybersecurity standards and practices to adopt appropriate cybersecurity measures.  These measures incorporate best practices from various cybersecurity standards, such as NIST and ISO 27001.

In November 2021, the DoD announced ‘CMMC 2.0’ an updated programme structure with three CMMC maturity levels (Foundational, Advanced and Expert), each building on the previous one, with the highest level requiring organisations to implement advanced and comprehensive cybersecurity practices.   Organisations which handle CUI on behalf of the DoD are required to achieve compliance or certification at the level which corresponds to the type and sensitivity of information being handled.

URM’s support services include conducting gap analyses, implementing any identified improvements and supporting the certification audits.