The information security management standard ISO 27001 and its code of practice ISO 27002...
The threat of cybercrime to businesses cannot be overstated. Cybercrime has increased sharply over the past decade, causing significant financial and reputational damage to businesses in Australia and around the world. In response, businesses are choosing to prioritise uplifting their information security. Several frameworks and standards help businesses create or enhance a cybersecurity program that covers all facets of their information security. ISO 27001 and APRA CPS 234 are two such examples, each designed to meet a particular set of needs. So what are their differences? Before we can delve into the differences, it is important to understand what each of them is and the purpose it serves.
What is ISO 27001?
ISO 27001 is a globally recognised standard for information security. It equips your business with a risk-based approach to information security that is internationally accepted as best practice.
One of the key ways it achieves this is through the introduction of an Information Security Management System (ISMS). An ISMS assists businesses in identifying, assessing, mitigating and managing the risks involved in handling corporate information. Implementing an ISMS is one of the most important methods of securing your organisation’s intellectual property, financial data, and third-party or employee information.
An ISMS is a combination of processes and policies that help you identify, manage, and protect your sensitive data against external threats. The ISMS’s main objective is to make sure that the confidentiality, integrity, and availability of your company’s data and information are maintained.
Why is ISO 27001 important?
Achieving ISO 27001 certification demonstrates to your customers and partners that your business is committed to an international standard of information security. Certification helps build the trust customers place in your business and is a significant differentiating factor amongst competitors.
What are the controls of ISO 27001?
ISO 27001 takes a risk-based approach to information security. Organisations must identify the risks that could harm their information security and then select appropriate controls to mitigate them.
Those controls are outlined in Annex A of the Standard. As of ISO 27001:2013, there are 114 Annex A controls, divided into 14 control domains:
Information Security Policies
Organisation of Information Security
Human Resource Security
Physical & Environmental Security
System Acquisition and Maintenance
Security Incident Management
Business Continuity Management
When checking for ISO 27001 compliance, certification auditors will examine the controls under each domain.
What is APRA CPS 234?
To assist organisations in protecting themselves from cybercrime, the Australian Prudential Regulation Authority (APRA) created a new standard for information security management called APRA CPS 234. This standard is designed to help APRA-regulated entities increase their overall resilience against information security incidents that can affect the confidentiality, integrity or availability of information assets.
CPS 234 requires APRA-regulated entities to:
- Explicitly define roles and responsibilities of the board, senior management, governing bodies and other employees regarding information security.
- Create and maintain an information security capability that is adequate to deal with emerging threats and existing vulnerabilities, so that the organisation can continue to operate efficiently and effectively.
- Establish controls to protect information assets, taking into consideration the criticality and sensitivity of each asset. Evaluate these controls in a timely fashion so that improvements can be made and they remain of a high standard.
- Report any cyber incidents to APRA within 72 hours.
Why is APRA CPS 234 relevant today?
Cyber-attacks have increased in frequency, as malicious actors become more sophisticated and ingenious in their methods of compromising organisations’ information assets. Organisations in the finance industry have become especially lucrative targets for these criminals because of the high financial reward and the access to personally identifiable information (PII) and protected health information (PHI) that these organisations hold.
This trend has been helped by lacklustre information security and an over-reliance on technology and third-party vendors by superannuation, banking and insurance companies seeking to increase customer satisfaction and operational efficiency. In consequence, internal and external stakeholders have raised their expectations for securing information assets, and have called for greater importance to be given to promoting information security across the organisation as a whole.
CPS 234 can help APRA-regulated entities reduce cyber risk and strengthen their overall cyber security posture by ensuring that their information security takes their vulnerabilities and threats into account. CPS 234 also ensures that organisations give more attention to vendor risk management, so that incidents involving third parties are reduced.
What kind of organisations does the APRA CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities. These include:
- Banks, credit unions and other authorised deposit-taking institutions (ADIs)
- Superannuation funds
- Life insurance companies
- Friendly societies
- General insurers
- Non-operating holding companies
- Private health insurers.
It is important to note that from July 1, 2020 onwards, all third parties that handle information assets of the above-listed organisations also have to comply with CPS 234.
CPS 234 also applies to certain foreign entities. These include:
- Foreign ADIs
- Foreign General Insurers
- Foreign life insurance companies
Are there any differences between CPS 234 and ISO 27001?
A key difference between the two standards is the way they are enforced. On one hand, businesses can obtain ISO 27001 certification, which must be renewed every 3 years, with regular surveillance audits during this period. On the other hand, CPS 234 has no certification; instead, APRA has a range of formal and non-formal enforcement tools at its disposal. Non-formal approaches include working in cooperation with companies to identify and rectify problems before they threaten the company’s ability to meet its promises. However, APRA is prepared to take enforcement action when appropriate, including court-based action or directing companies to take or cease particular actions.
Another key distinction between the two standards is who they apply to. APRA created CPS 234 to meet the growing need for cybersecurity uplift amongst businesses in the financial services industry, so it is a requirement specific to APRA-regulated entities. ISO 27001, by contrast, is a much broader and more thorough information security standard that applies to businesses across industries, regardless of size, type and location.
In conclusion, apart from the two differences outlined above, it is difficult to compare the two standards, as both are designed to uplift an organisation’s information security. CPS 234 was created to work in tandem with ISO 27001, with its requirements designed to align with the clauses and controls outlined in the ISO 27001 standard. Therefore, businesses that are already accredited to ISO 27001 have an easier time meeting the requirements outlined in CPS 234.
How can StickmanCyber help?
Whether you are looking to achieve ISO 27001:2013 accreditation or need help meeting APRA CPS 234’s key requirements, StickmanCyber is here to help. We have 15 years of experience in the industry and have worked on over 300 cybersecurity projects. We are an ISO 27001 certified company, and our consultants are certified as ISO 27001 Lead Auditors and Implementers.