UAE’s Cyber Landscape

Why is cybersecurity an urgent necessity rather than a technical luxury?

The United Arab Emirates is considered one of the most advanced countries for doing business in the Middle East and North Africa region. Dubai is regarded as one of the best global business hubs in the world and hosts the offices of many international business corporations. Information and communication technology is one of the leading sectors driving Dubai's economy, and the government has been encouraging the IT sector through various measures. Through its Abu Dhabi Economic Vision 2030 and UAE Vision 2021 initiatives, the government is seriously trying to emerge as one of the leading information-technology-based countries. The UAE has constituted several free trade zones to provide an efficient and advanced business environment.

What made the UAE's free trade zones the most popular destination for business?

  • 100% foreign ownership of enterprises
  • 100% import and export tax exemptions
  • 100% repatriation of capital and ownership
  • Corporate tax exemption for up to 50 years
  • No income tax on individuals
  • 5% VAT on commercial establishments

These features have made the UAE, and especially Dubai, a leading destination for business sectors worldwide, specifically the IT sector. Dubai has emerged as an attractive destination for the IT software and services sector. The UAE's heavy investment in healthcare, aviation, real estate, space and defence, entertainment, transportation, financial and hospitality services is driving demand for information and communication technology. Evidently, the UAE's ICT market has to deal with complex challenges such as internet service, the IT workforce and, most importantly, cyber security. The UAE spent nearly $17 billion on ICT in 2021, with year-on-year growth of 2.5% in investment. Apart from this, the UAE is seriously investing in artificial intelligence, blockchain technology, innovation in the Internet of Things, etc. The UAE is also the first country in the region to exchange MOUs with technology giants like Amazon, Google and Microsoft to transform the country into an advanced cloud-based data centre hub in the MENA region.

Some of the significant IT Sub sectors in Dubai:

Cloud-based computing:
The UAE is one of the largest data centre hubs in the Middle East. By 2021 the UAE was developing three cloud zones in partnership with Microsoft and Amazon Web Services. Apart from the UAE government's heavy investment in information technology and cloud computing infrastructure, the government is also exploring innovative and competitive business regulation to expand efficient business prospects further.
 
Internet of Things:
According to one estimate, the UAE government has invested $37 billion in Internet of Things infrastructure. There is rising demand for smart technological innovations such as smart services, internet communications, machine-to-machine communication, smart industrial technologies, etc. The UAE hosts one of the world's most advanced smart cities, Dubai, among other cities, and is also planning to lead global smart city development. Hence IoT has a lot of potential that aligns with the UAE's quest for smart innovation.
 
Artificial Intelligence:
Another significant priority of the UAE's ICT policy is artificial intelligence. It is forecast that AI will contribute 14% of GDP to the UAE's economy by 2030, with a growth rate of 33% per year from 2018.
The UAE has already begun integrating AI with industries such as education, healthcare, space, transportation and aviation. AI is a key part of the UAE government's ambitious plans to diversify the economy and become a knowledge economy.
 
Cyber security:
Being a leading world-class economy and a global corporate attraction, the UAE is also a significant target for cyberattacks; it faces the most cyberattacks and ransomware attacks in the MENA region. To capture this rising demand for cybersecurity, several firms are developing their cybersecurity capabilities. At present, cybersecurity is the highest priority for the UAE government in attracting investment and business establishments, and the government has spent heavily on cybersecurity frameworks and regulation to increase its credibility among businesses considering investing in the UAE. Cyber threats and risks lead to major harms such as fraud, terrorism, espionage, violation of privacy and defamation.
On average, a person in the UAE spends 7 hours and 24 minutes online per day. According to a study conducted by IBM, the financial impact of a data breach in the two biggest economies in the Middle East, Saudi Arabia and Dubai, has increased to 6.4 million dirhams per breach, which is double the global average of 3.86 million. Approximately 25,000 e-crimes were registered in the UAE alone in 2021. With cities like Dubai rapidly expanding their technological footprint, cyber security is one of the major concerns in the UAE. Ransomware and phishing are the most common types of cyberattack in Dubai. As for data breaches in the UAE, the health sector is the industry most affected by cyberattacks and data leaks, and it incurred the highest average data breach cost of 7.1 million.
 

During the pandemic, the great increase in the use of technology to facilitate the work-from-home revolution made organisations more vulnerable. In 2021 there was a 300 percent increase in cyberattacks in the UAE alone. Social engineering, phishing and spear phishing are the most prevalent cyber security threats in the UAE. The UAE is the second most targeted country in the Middle East for ransomware attacks and ranks 26th worldwide. According to the Symantec internet security report, “Cyber criminals are making and demanding more money than ever before. The average ransomware payments spiked 171% in 2020, surging to $312,000. The highest ransom paid out by organisations doubled from 2019 to 2020, jumping from $5 million to $10 million”. With the increasingly complex threat landscape and cyber security vulnerabilities, companies should focus on some key factors to secure their organisations:

  1. improving visibility into all endpoints and workloads
  2. responding to the resurgence of ransomware
  3. delivering security as a distributed service
  4. adopting an intrinsic approach to cloud-first security

In 2016 alone, the UAE lost 5.20 billion dirhams to cyberattacks. In this regard, the government of the UAE and the Dubai Electronic Security Centre have published a cyber security strategy with proactive risk assessment and guidelines to avert cybersecurity threats. The strategy emphasises five main domains to tackle cyber security and guide organisations within the UAE towards a more resilient cyber security architecture.

 
  1. CYBER SMART SOCIETY: Achieving awareness, skills and capabilities to manage cyber security risks for Dubai’s public and private sectors as well as individuals.
  2. INNOVATION: Promoting research and development for cyber security, and establishing a free, fair and secure cyber space in Dubai.
  3. CYBER SECURITY: Putting controls in place to protect confidentiality, integrity and availability, as well as data privacy for Dubai’s public and private sectors, and individuals.
  4. CYBER RESILIENCE: Ensuring the continuity of IT systems and their availability in the cyber space.
  5. NATIONAL AND INTERNATIONAL COLLABORATION: Establishing national and international collaboration to manage cyber risks.

The Cyber Security Strategy, together with its guiding principles, will be established and implemented to achieve strong cyber protection. The strategy is implemented by different stakeholders, who need to achieve their objectives and work together to create a cyber-secure Dubai.

What is the Data Privacy Regulation Act?

Understanding India’s Data Protection Act: Key Principles and Implications

The absence of a data protection law in India leads to leakage of individuals’ (our) personal data, violating our fundamental right to privacy.
From Table 1, you can see why data protection is necessary.

The Indian government has been working to build India’s privacy regulation for the last five years to protect this data. Finally, the government has released the Personal Data Protection (PDP) Bill. The journey of the PDP Bill is as follows:

The Features

The PDP Bill has three main features:
  1. It defines principles of data protection, for example:
  • Only the data essential for a particular purpose may be collected
  • Use of the data is limited; no recycling or repurposing
  • After the need has been fulfilled, the data must be deleted
  2. Collection and use of personal data requires consent from the Data Principals
  3. Data Principals have the right to review their data (access, erase, modify, delete)

Important Terminology

Data

Data is an individual fact; it could be a statistic, an item of information or a number.

Data Principal

A Data Principal is an individual or person from whom the personal data has been collected.

Data Fiduciary

A Data Fiduciary could be an organization or a person who collects data from the Data Principal and stores it.
Consent is required from the Data Principal when the Data Fiduciary:
  1. Collects and stores data
  2. Processes data in India
  3. Transfers data to other countries for processing

Data Protection Authority

The Data Protection Authority is a supervisory committee of an organization that governs and monitors all activities related to data protection.

Data Protection Officer

The Data Protection Officer (DPO) is the role that maintains all the data protection activities.
A DPO will ensure that the organization:
  1. Complies with the PDP Bill
  2. Provides portability and access to individuals
  3. Collects no data without a legitimate purpose
  4. Deletes the data after the purpose is served
  5. Right to be forgotten: the Data Principal can withdraw consent at any time during processing
  6. Localization: all data is stored only in databases in India, with the consent of the Data Principal
  7. Transfer of data to other countries: consent from the Data Principal and the Data Fiduciary is required when transferring any data from India to another country

Penalty

The penalty for a PDP Bill violation:
Minimum: Rs. 5 crores or 2% of annual turnover
Maximum: Rs. 15 crores or 4% of annual turnover

Advantages of the PDP Bill

The PDP Bill will:
  1. Provide data sovereignty
  2. Protect and secure personal data
  3. Protect critical information such as business transactions and financial statements
  4. Help to reduce cyberattacks
  5. Help to reduce fake news

Disadvantages/Challenges of the PDP Bill

  1. The Indian government can access individuals’ information for any reasonable purpose
  2. Employers have the full right to use their employees’ data without taking any consent

GDPR and PDPB: Relations & Differences

The five key differences between the GDPR and the Personal Data Privacy Bill

The Indian government recently introduced the Indian Privacy Bill, 2019. Ostensibly, the bill was considered an Indian version of the General Data Protection Regulation, which the European Union introduced in 2017. However, there are some major differences between the GDPR and the PDPB. This article discusses five of them.

Legal Basis for Processing of personal Data

The EU GDPR lays down six legal bases for the processing of personal data: consent, legitimate interests, performance of a contract, legal obligations, protection of life and public interest. The Indian Privacy Bill, on the other hand, lays down consent, legal obligations, medical emergency, health services, protection of individual safety and employment reasons. Further, the Indian Bill specifically includes a clause for reasonable purposes specified by regulation. The primary difference between the two regulations is that the GDPR explicitly provides for performance of a contract as a legal basis, which is absent in the Indian PDPB, while the Indian Privacy Bill explicitly provides for health and employment reasons.

Legitimate Interests

Under the GDPR, processing of data without consent is permitted unless it overrides the interests of the data subject, and it is the controller’s responsibility to determine and assess the purpose of collecting data without consent. The Indian Data Protection Bill instead places the responsibility for assessing data collection under a reasonable purpose on the Data Protection Authority of India. Therefore, the Indian Data Protection Bill, 2019 is significantly more stringent than the EU GDPR, where such responsibility rests with the data controller.

Conditions for processing of sensitive data

The GDPR provides 10 legal bases for the processing of sensitive data, including explicit consent, exercising rights relating to employment, protection of life, legitimate activities, legal claims, medical emergencies, scientific research and substantial interest specified by law. The Indian Privacy Bill, on the other hand, lays down the same grounds for the processing of both sensitive data and personal data, but adds some provisions, such as that consent must be obtained explicitly. Further, the Indian Data Privacy Bill provides that some cases can be exempted if authorised by the Data Protection Authority of India (e.g., research activities).

DPA Registration

According to the Indian Data Privacy law, significant data fiduciaries need to register with the Data Protection Authority of India. A data fiduciary is notified as a significant data fiduciary taking into account factors specified by the DPA, such as high volumes of data, the sensitivity of the data, company revenue, the risk involved and the use of new technologies. There is no such provision in the European Union’s General Data Protection Regulation.

Audit Requirements

The Indian Data Privacy Bill clearly states that significant data fiduciaries must submit their data processing to an annual audit by independent auditors qualified by the Data Protection Authority of India. Such audits assess the performance of the data fiduciary through a “Data Trust Score”. Further, the Data Protection Authority is empowered to direct a data fiduciary to conduct an audit if it believes there may be harm to the data. The EU’s GDPR has no such provision; rather, the processor must agree to audit provisions in its contract with the controller.
To conclude, the primary difference is that the Indian data protection law emphasises personal data protection, whilst the EU’s GDPR is mostly business-driven. Government involvement in the data protection framework, such as policy monitoring and profiling of sensitive data, is much more consolidated in the Indian data policy, whereas the EU’s law is mostly organisation-driven. Nevertheless, the EU’s GDPR is criticised for being excessively stringent and imposing many obligations on organisations, while the Indian data law is criticised because the bill gives substantial authority to the government. Both the European Union’s General Data Protection Regulation and the Indian data privacy law emphasise greater data protection and best privacy practices such as data accounting, data policy formulation, maintaining an inventory and so on.

Is your organisation’s sensitive information safe? Get a cybersecurity assessment now to know your current state of data security.

Distributed Denial Of Service (DDoS) Attack

Understanding DDoS Attacks: Prevention and Impact

A DDoS attack is a cyberattack on a specific server or network with the intended purpose of disrupting that network’s or server’s normal operation. This is done by flooding the target with a constant stream of fake traffic, such as fraudulent requests, which overwhelms the system. Excessive traffic overloads resources and disrupts connectivity, preventing the system from processing genuine user requests. Services become inaccessible, and the target company experiences downtime, lost revenue and disappointed customers.
 
While some hackers use DDoS attacks to blackmail a business into paying a ransom, the more common motives behind a DDoS are to:
  • Disrupt services or communications.
  • Inflict brand damage.
  • Gain a business advantage while a competitor organization’s website is down.
  • Distract the incident response team.
DDoS attacks can cause damage to businesses of all sizes. Statistically, DDoS hackers most often target:
  • Online retailers.
  • IT service providers.
  • Financial and fintech companies.
  • Government entities.
  • Online gaming and gambling companies.
A DDoS is an attack from numerous sources at the same time. A ringleader computer communicates with other computers around the world and coordinates an attack on a server. Instead of an attack coming from a single source, the server now has to deal with an attack from multiple sources, which overwhelms the server and eats up the network bandwidth. As a result, legitimate computers are denied service because the server stays preoccupied with the DDoS attack.
Attackers typically develop a malware program, distribute it over the internet and place it on websites and in email attachments. When a vulnerable computer visits one of these infected websites or opens such an email, the malware is installed on that computer without the owner’s knowledge, and the infected computer then becomes part of a group of other infected computers used to perform a DDoS attack. This group of infected computers is called a botnet, which may be hundreds or even thousands of computers scattered all over the world. The attacker, acting as a centralized command and control center for the botnet, then sends out commands to all these computers to launch the attack at a certain date and time. Once the set time comes, the attack begins. A DDoS can last for hours or even days, depending on the attacker’s intent.
According to Cisco, the total number of DDoS attacks will double from the 7.9 million in 2018 to over 15 million by 2023.
While a DDoS does not directly lead to a data breach, the victim spends time and money getting services back online. Loss of business, abandoned shopping carts, frustrated customers, and reputational hurt are usual outcomes of failing to prevent DDoS attacks. Hence it is important to be aware of the prevention techniques of this kind of attack.

Prevention:

1.    Create a DDoS Response Plan

A security team should develop an incident response plan that covers:
  • Clear instructions on how to react to a DDoS attack.
  • Steps to maintain business operations.
  • Go-to staff members and key stakeholders.
  • Escalation mechanisms.
  • Team responsibilities.
  • A checklist of all necessary tools.

2.    Ensure High Levels of Network Security

Safeguarding networking devices helps to prepare the hardware (routers, load balancers, Domain Name System (DNS) servers, etc.) for traffic spikes.
The following types of network security can help to protect business from DDoS attempts:
  • Firewalls and intrusion detection systems acting as traffic-scanning barriers between networks.
  • Anti-virus and anti-malware software detecting and removing viruses and malware.
  • Endpoint security that guarantees network endpoints (desktops, laptops, mobile devices, etc.) do not turn into an entry point for malicious activity.
  • Web security tools that eliminate web-based threats, block unusual traffic, and search for known attack signatures.
  • Tools that prevent spoofing by checking that a packet’s source address is consistent with where it actually originated.
  • Network segmentation that separates systems into subnets with unique security controls and protocols.

3.     Have Server Redundancy

Relying on multiple distributed servers makes it hard for an attacker to attack all servers at the same time. If an attacker launches a successful DDoS on a single hosting device, other servers remain unaffected and take on additional traffic until the targeted system is back online.
Since DDoS attacks work by overloading a server, a CDN (content delivery network) can share the load equally across several distributed servers.

4.     Look Out for the Warning Signs

If the security team can quickly recognize the nature of a DDoS attack, it can make a timely move and mitigate the damage.
Common signs of a DDoS are:
  • Poor connectivity.
  • Slow performance.
  • High demand for a single page/endpoint.
  • Crashes.
  • Uncommon traffic coming from a single or a small group of IP addresses.
  • A rise in traffic from users with a common profile (system model, geolocation, web browser version, etc.).
Please note that not all DDoS attacks are accompanied by high traffic. A low-volume attack of brief duration frequently goes under the radar as a random occurrence. However, such attacks can be a test or a diversion for a more hazardous breach (such as ransomware). Hence, detecting a low-volume attack is as crucial as identifying a full-blown DDoS.

5.     Continuous Monitoring of Network Traffic

Using continuous monitoring (CM) to analyze traffic in real time is an excellent technique for identifying traces of DDoS activity. The advantages of CM are:
  • Real-time checking detects a DDoS attempt before the attack is in full swing.
  • The team builds a strong sense of typical network activity and traffic patterns. When you know what regular activity looks like, it is easier to distinguish odd activity.
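The warning signs listed above (traffic from a single or small group of IPs, high demand for one endpoint, a common client profile) and the baseline-driven monitoring described in this section can be checked mechanically. The following Python script is an added example, not part of the original article or any vendor tool: it parses constructed web-server access-log lines, groups them into one-minute windows, and scores each window against a volume baseline plus three concentration indicators, so the low-volume flood in the sample is caught even though its request rate never spikes. The IP addresses, user agents, thresholds and the 0.1 req/s baseline are all assumptions.

```python
"""Window-based DDoS indicator detection over web access-log lines.

Added example, not part of the original article. All log lines below are
constructed sample data using documentation IP ranges (RFC 5737).
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed baseline minute: a handful of ordinary visitors.
NORMAL_LINES = [
    '198.51.100.10 - - [10/Mar/2023:12:00:05 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"',
    '198.51.100.22 - - [10/Mar/2023:12:00:12 +0000] "GET /products HTTP/1.1" 200 8890 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '192.0.2.7 - - [10/Mar/2023:12:00:20 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) Chrome/111.0"',
    '198.51.100.10 - - [10/Mar/2023:12:00:31 +0000] "GET /products/42 HTTP/1.1" 200 7712 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"',
    '192.0.2.33 - - [10/Mar/2023:12:00:44 +0000] "GET /about HTTP/1.1" 200 2211 "-" "Mozilla/5.0 (iPhone) Safari/604.1"',
    '192.0.2.51 - - [10/Mar/2023:12:00:58 +0000] "GET /contact HTTP/1.1" 200 1980 "-" "Mozilla/5.0 (Android) Chrome/110.0"',
]
# Constructed low-volume flood three minutes later: two hosts hammering one
# endpoint with one scripted user agent. Only 20 requests in the minute, so a
# pure volume threshold against the baseline misses it.
FLOOD_LINES = [
    f'203.0.113.{5 + i % 2} - - [10/Mar/2023:12:03:{3 * i:02d} +0000] '
    f'"POST /login HTTP/1.1" 401 0 "-" "python-requests/2.28.2"'
    for i in range(20)
]
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES

# (indicator name, log field, how many top values to sum, share that triggers)
CONCENTRATION_CHECKS = (
    ("source_concentration", "ip", 3, 0.6),     # a few IPs carry most traffic
    ("endpoint_concentration", "path", 1, 0.8),  # one page/endpoint in high demand
    ("common_profile", "ua", 1, 0.8),            # requests share one client profile
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def group_windows(events, size_s=60):
    """Bucket events into fixed-size windows; yields (window start epoch, events)."""
    buckets = {}
    for ev in events:
        key = int(ev["ts"].timestamp()) // size_s
        buckets.setdefault(key, []).append(ev)
    return [(key * size_s, buckets[key]) for key in sorted(buckets)]


def analyse_window(events, baseline_rps, size_s=60, spike_factor=5.0, min_events=10):
    """Return (indicator, detail) pairs for one window.

    The concentration checks run regardless of volume, so a brief low-volume
    flood is still flagged even when the request rate looks ordinary.
    """
    n = len(events)
    findings = []
    rps = n / size_s
    if rps > baseline_rps * spike_factor:
        findings.append(("volume_spike", f"{rps:.2f} req/s vs baseline {baseline_rps:.2f}"))
    if n < min_events:
        return findings  # too few requests to judge concentration meaningfully
    for name, field, top_k, threshold in CONCENTRATION_CHECKS:
        top = Counter(ev[field] for ev in events).most_common(top_k)
        share = sum(count for _, count in top) / n
        if share >= threshold:
            values = [value for value, _ in top]
            findings.append((name, f"{share:.0%} of {n} requests from {values}"))
    return findings


def scan(lines, baseline_rps, size_s=60):
    """Parse raw log lines and return one report entry per time window."""
    events = [ev for ev in map(parse_line, lines) if ev]
    report = []
    for start, evs in group_windows(events, size_s):
        report.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "requests": len(evs),
            "findings": analyse_window(evs, baseline_rps, size_s),
        })
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG, baseline_rps=0.1):
        print(entry["window_start"], entry["requests"], "req:", entry["findings"] or "clean")
```

In the second window the volume check stays silent (0.33 req/s against a 0.5 req/s trigger) while all three concentration indicators fire, which is the low-volume case the section warns about.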

6.       Limit Network Broadcasting

A hacker executing a DDoS attack probably sends requests to every device on a network to amplify the impact. A security team can counter this by limiting network broadcasting between devices.

7.   Leverage the Cloud to Prevent DDoS Attacks

You can outsource DDoS prevention to a cloud provider as:
  • Cloud providers provide well-rounded cybersecurity, with top firewalls and threat monitoring software.
  • The public cloud has more bandwidth than any private network.
  • Data centers provide high network redundancy with copies of information, systems, and equipment.
DDoS threats are not only becoming riskier, but attacks are also expanding in number. Experts anticipate that the average number of yearly DDoS attacks will rise to 15.4 million by 2023. That number indicates that almost every business will experience a DDoS sooner or later, so planning to minimize the frequency and impact of this attack type should be at the top of your security to-do list.

Key Changes in ISO/IEC 27002:2022

The draft version of ISO/IEC 27002:2022 has drawn attention from people all over the world, especially those who deal with information security. Let’s understand what changes are going to happen.
The changes have been made principally to simplify implementation: the number of controls has decreased from 114 to 93, and they are now arranged in 4 areas rather than the previous 14. There are 11 new controls; none of the controls has been deleted, and many controls were merged.

The Areas That Remain The Same

The main part of ISO 27001, i.e. Clauses 4 to 10, remains as before.
These clauses include:
  • Context of the organization: Interested Parties, Context, Scope
  • Leadership: Policy, Roles & Responsibilities
  • Planning and Operation: Risk Management
  • Support: Awareness, Communication, Document Control
  • Performance evaluation: Metric & Measurement, Internal Audit
  • Improvement: Corrective Action Plan
The upgrade has been made to the security controls listed in ISO 27001 Annex A.
The controls that have remained the same, with their new control numbers:

Six changes in ISO/IEC 27002:2022

1. The Structure:

2. Number of controls

The new version has decreased the number of controls from 114 to 93.
Technological progress, and a better understanding of how to apply security practices, appear to be the reasons behind the change in the number of controls.

3. New Controls

The following controls have been introduced in the new version of the standard,
  1. Threat intelligence
  2. Information security for use of cloud services
  3. ICT readiness for business continuity
  4. Physical security monitoring
  5. Configuration management
  6. Information deletion
  7. Data masking
  8. Data leakage prevention
  9. Monitoring activities
  10. Web filtering
  11. Secure coding

4. Renamed Control

For simpler arrangement, twenty-three (23) controls have had their names changed.
e.g.
To get the complete list of controls renamed in ISO/IEC 27002:2022 for free, please send us a message.

5. Merged controls

To achieve more effective security, fifty-seven (57) controls have been merged into twenty-four (24) controls by treating related controls as a single control.
e.g.
To get the complete list of controls merged in ISO/IEC 27002:2022 for free, please send us a message.

6. Split Controls

Only one control from ISO/IEC 27001:2013 has been split in ISO/IEC 27002:2022:

Conclusion

With the addition of eleven new controls in ISO/IEC 27002:2022, risk management and documentation will be the highest-priority activities for an organization.
This is where the new ISO 27002 will bring the most value: during the transition period, an organization will have many best practices to follow, as well as a new set of attributes to use to make control selection simpler and more effective.
Moreover, because ISO 27002 is very detailed, the organization still has the freedom to pick only what is appropriate for its current circumstances, which will make this transition easier.

Know More

Refer to our webinar content to understand the changes and know more about the new controls.
 
You can also contact us for a pro bono discussion and know more about how to implement these controls in your environment effectively or for a cybersecurity assessment.

 

Six best privacy practices

How do best data privacy practices define international data regulations?

By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020. Today, apart from the physical assets an organisation possesses, data has become one of its most valuable assets. In the technology-driven business world, data has certainly established its significance. However, handling data is becoming increasingly complex with frequent cybercrimes, ransomware and data breaches, both internal and external. With the increasing use of technology all over the world and the evolving online business platforms, managing cyber threats has become a pivotal responsibility of an organisation. Data privacy laws aim to secure individuals’ data and also to give individuals control over their data and its processing. Businesses all over the world are required to comply with these international frameworks and laws according to their business territory and legal liabilities. Although various countries have their own data privacy regulations, there are some standard, universal data privacy and protection practices.

Six Best standard Data privacy practices:

Data Privacy Policy
Data privacy policies are legal documents that guide employees of an organisation to follow specific guidelines and rules in alignment with various legislations. It is optimal for every organisation to have defined processes and practices that ensure effective implementation.
 
Minimum Data Collection
Every organization must ensure that only data necessary for the execution of the business is collected, and that it is stored only until such time as it is no longer necessary. Thereafter, the organization must ensure the safe disposal of the data. Minimizing data collection can also reduce storage costs and diminish the scope of compliance.
 
Maintain Transparency
It is important to ensure every individual is included and offers their consent in the privacy process, including consent, notification and options for them to modify their choices about data collection.
 
Data Inventory
One way to ensure data privacy is by creating an inventory of data and classifying it based on its sensitivity. Policies should be defined based on how the information is collected, stored and processed for establishing maximum security.
 
Privacy By Design
Data privacy by design helps to ensure that systems and processes are in alignment with the data privacy and security standards and regulations. An organization should strive to imbibe privacy as an essential component at every stage of development and process.
 
Training & Awareness
Data privacy and security should be embedded in the business culture and work processes. Every employee should be adequately trained in industry practices and should regularly update themselves on evolving cyber threats and international data security guidelines and principles.

Currently 128 countries worldwide have enacted data protection laws to deal with personal data and privacy. It is the fundamental responsibility of an organisation dealing with data, especially personal data, to ensure the data it processes is safe and secure. India was one of the countries to recently join in regulating data protection, through a law called the “Personal Data Protection Bill”.

Some of the prominent data privacy regulations around the world:

GDPR
The General Data Protection Regulation is the European Union law on data protection and privacy. It covers the personal data protection of nearly 447 million citizens.
GDPR-UK
Post-Brexit, the United Kingdom has come up with its own data protection law, which is currently closely aligned with the EU’s GDPR. However, businesses in the UK for the time being should comply with both the EU and UK GDPR regulations.
HIPAA
The Health Insurance Portability and Accountability Act, 1996 is a US act that protects the health information of individual patients. It is regarded as one of the efficient data protection laws that prevent unauthorised sharing of individual data.
CCPA
The California Consumer Privacy Act was the first state-regulated data privacy law in the United States. It regulates data privacy processing in California and gives its citizens control over the processing of their data.
PIPEDA
The Personal Information Protection and Electronic Documents Act is a Canadian data protection act that regulates the collection, use and disclosure of personal information by commercial businesses in Canada.

A Critical Comparison

Over the years many standards and frameworks have been developed and adopted to address information security concerns. Information security which was once a niche domain and often an afterthought for business executives has come to occupy the centerstage.

It is the result of wholesale migration of enterprise data to computer systems which are networked with each other and with different parts of an organizations network and/or to third party networks through VPN and leased lines and to an always on internet which is accessed by a variety of endpoints from different locations. 

The situation is made more challenging by the plethora of technologies and software which increase the attack surface and the ever-evolving threat landscape which has become more and more sophisticated over time. The other reason is the overwhelming dependence of present-day business on information which is not just an asset but the most important asset. So much so that the focus of all BCP and DR programs is on securing and restoring information.

Given the above scenario, it is understandable why there are so many information security standards and why they are so important: they give organizations and nations direction and guidance on how to approach and best secure information and information assets, and on how to evaluate effectiveness. Otherwise, every organization would have to reinvent the wheel; most would not be able to do so with any degree of efficiency, and whatever they did would be disputed as to its effectiveness and intent.

As mentioned above, there are many information security standards – some global, some national and some industry specific. In this article we will discuss 2 such standards, namely, ISO 27001 and NESA. Both are hugely different but have a lot of common ground. Let us discuss the 2 standards briefly before we go into a comparison and into how they should be approached at by an organization for the purpose of implementation and compliance.

ISO 27001

ISO 27001 is the global de facto information security standard which comes from ISO or the International Organization for Standardization. The latest iteration of the standard is ISO/IEC 27001:2013 (IEC means International Electrotechnical Commission, a body which works with ISO to produce standards on electrical, electronic, and derived technologies). In fact, it is one among many standards from the family of ISO 27000 standards all of which are devoted to information security. ISO 27001 is the main standard against which an organization can be audited and certified while the other standards in the family support ISO 27001. The chief among the other standards in the family are ISO 27000 (introductory standard which defines information security terms and terminologies), ISO 27002 (provides guidance about implementing the controls listed in Annexure A of ISO 27001), ISO 27005 (provides guidance on performing information security risk management), ISO27011 (provides guidance about ISO 27001 implementation for the telecom sector) etc.

ISO 27001 follows the same uniform format as that of other ISO standards which will be easily recognizable to anybody who is acquainted with ISO standards. ISO standards are very neat and easy to read even by laypeople. ISO 27001:2013 is particularly very well-crafted, elegant, and easy to navigate. Being an international standard, it is very broad based and does not go into specifics but provides enough wherewithal to design an ISMS which best suits one’s purpose. A copy of the standard can be purchased from the ISO website at https://www.iso.org/standard/54534.html.

The standard follows a risk-based approach to information security and consists of 7 mandatory clauses which is the core of the standard. The clauses guide an organization about how to design, implement and operate an Information Security Management System, commonly referred to as an ISMS. The different clauses are shown mapped to the stages of a PDCA cycle below to give context and for better understanding.

The clauses are followed by an annexure which lists control areas, control objectives and controls to achieve the control objectives for each area. There are 14 control areas (also called control sets) and 114 controls to achieve the control objectives identified for each area. It is not mandatory to implement all of them but it is mandatory to consider all of them and implement those which are relevant. Any exclusion is to be thoroughly justified. Most organizations end up implementing all the controls. The result of the process of evaluating (i.e., selecting and implementing a control or rejecting and excluding it from implementation) the 114 controls is a document (called documented information in ISO parlance) called the ‘Statement of Applicability’. The below list reproduces the control sets and the number of controls against each control set.

ISO 27001:2013 Control Sets

A.5 Information security policies (2 controls)

A.6 Organization of information security (7 controls)

A.7 Human resource security (6 controls)

A.8 Asset management (10 controls)

A.9 Access control (14 controls)

A.10 Cryptography (2 controls)

A.11 – Physical and environmental security (15 controls)

A.12 Operations security (14 controls)

A.13 Communications security (7 controls)

A.14 System acquisition, development, and maintenance (13 controls)

A.15 Supplier relationships (5 controls)

A.16 Information security incident management (7 controls)

A.17 Information security aspects of business continuity management (4 controls)

A.18 Compliance (8 controls)

NESA

The full form of NESA is National Electronic Security Authority. It is an UAE government body constituted in September, 2012 under the aegis of the Supreme Council of National Security and responsible for UAE’s information security strategy. It also aims to foster a culture of information security awareness and best practices among all concerned and strengthen the security of UAE’s information assets and digital infrastructure. The current name of NESA is SIA or Signals Intelligence Agency though it still goes by its old name. The body has formulated standards and documentation which is collectively called the NESA Information Pack. The chief formulations in the NESA Information Pack include the IAS (Information Assurance Standards), Critical Information Infrastructure Protection Policy (CIIP) and Cyber Risk Management Framework (CRMF). 

Of the mentioned formulations, IAS is the standard set by the UAE with respect to information security for organizations. A copy of the standard can be purchased from sites like scribd.com, coursehero.com etc. NESA does not clearly define the applicability of the IAS but puts it as applicable to all government and private organizations which processes, deals with or is part of UAE’s critical information infrastructure. What it basically means is that it is applicable to all organizations which deal in and provide utility products and services to customers in the UAE or the government of UAE. 

The IAS is heavily influenced by ISO 27001 and NIST standards (National Institute of Standards and Technology, an American body that develops standards). However, its approach is different than that of ISO 27001:2013. We will go through the differences at length in the difference section that follows.

NESA’s IAS is based on a threat-based model. To put it very simply, NESA identified and compiled a list of cyber security threats from industry data and categorized the threats in terms of severity and frequency of occurrence. 

Then it devised controls to counter those threats and prioritized the controls corresponding to the threat level it addressed. There are 4 priority levels from P1 to P4. Implementing IAS in an organization begins with implementing the P1 controls. An organization must demonstrate that it has successfully implemented the P1 controls at least to be considered compliant. Apart from the priority levels the controls are also grouped into 2 broad groups called families depending in the type or nature of the control. 

The two control families are the Management and Technical Controls families. There are 188 controls in all out of which 60 are management controls and 128 technical controls. They are further broken down into 564 sub controls. 

The below tables show the control categorization. Table 1 shows the priority breakup of controls and tables 2.1 and 2.2 shows the breakup of controls into management and technical control families.

Global Privacy Regulations

Global Privacy Frameworks: Securing Data and Building Trust

The digital age started around 1980 with the Internet, and traditional industry witnessed a rapid shift to the present era, which is entirely based on information technology. Gradually, information came to form the foundation of every organization and business around the globe, and it began to flow freely without restriction or adequate protection, inviting threats and encouraging hackers and other people with malicious intentions to exploit it for personal benefit.

Digital data such as photos, conversations, health information, online transaction details, finances and identification numbers are personal data or sensitive personal data that are most exposed to misuse, because they identify a person and reveal a lot about their private life. In today's world, where we post our lives on social media and make payments or shop on online platforms, we ourselves give away a lot of our personal data to applications and organizations.

Hence, to place some restrictions around this free movement of personal data and to preserve the human right to privacy in the digital world, several privacy regulations or laws have been enacted, and some are currently being drafted.
These laws ensure robust protection of personal data through compliance with their principles.
Following are some of the privacy regulations around the globe:

These privacy regulations highlight certain key concepts and describe how data can be kept secure throughout its entire lifecycle.

A typical data lifecycle, or the various ways in which data is processed, consists of:

  • Collection of data
  • Recording
  • Storing
  • Using
  • Analyzing
  • Disclosing
  • Transferring
  • Deleting

The diagrammatic presentation of data transfer/movement captures the various roles that handle the data at different stages:

When the Data Subject provides personal data or sensitive information (such as racial origin, political views, bank account numbers or sexual orientation) to the Data Controller:

  • The Data Subject's consent is obtained for processing the data
  • Legal obligations are fulfilled
  • The legitimate interests of the organization and the Data Subject's privacy rights are established
  • The Data Subject is informed of their rights, such as:
      • the right to access their own personal data
      • the right to ask for deletion of their data
      • the right not to be subject to automated decision making
  • Data is processed in a pre-informed way and only for the required purpose
  • Data is processed ensuring all legal obligations are met
  • The Data Subject is informed about the method and purpose of the processing
  • Data is adequately secured at every stage of processing
  • Data is kept secure while being transferred to other countries for required purposes

Conclusion

Considering the importance of protecting personal data, if you want your organization to comply with the data privacy laws that apply to your geography, keep exploring ways to get certified against the required standard or regulation.

Top 10 Personal Data Breaches of 2020 – 2021

Top Data Breaches of 2021: Lessons for Better Cybersecurity

A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, exposed or stolen by an unauthorised individual for personal gain or with malicious intent. Data breaches affect a wide range of victims, from individuals to giant corporations and governments. With the growing dependence of users on the Internet of Things and the rapid evolution of technology, it is much easier to collect and process data.

However, ineffective information security, or security mechanisms that fail to protect information, leaves that data vulnerable to breaches.

ISO/IEC 27040 defines a data breach as: "compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed".

Personal data breaches expose millions of personal records, or billions of dollars' worth of corporate data such as intellectual property and government data. A data breach can originate internally or externally. It directly or indirectly imposes great expense on organisations dealing with high volumes of data. Many data breaches have little effect or can be mitigated with a small amount of damage; however, some place a huge burden on the affected organisations. To date, the Yahoo data breach of 2016 has been the most expensive, costing nearly $1 billion.

“The cost of cybercrime continues to climb; it’s expected to double from $3 trillion in 2015 to $6 trillion by the end of 2021 and grow to $10.5 trillion by 2025. The average cost of a single data breach in 2021 was $4.24 million, a 10% jump from 2019, according to Deloitte”

With advances in technology and changing user behaviour driven by the evolving IoT, information security has become a substantial concern. Data breaches can be classified by the amount of user information leaked, the value of the information leaked, and so on. Healthcare, energy, banking and utilities are among the industries most affected by data compromises. The top 10 data breaches of 2021 are:

1. LinkedIn

Around 700 million LinkedIn users' data was compromised in June 2021. This was the second data breach at LinkedIn, after one in 2012 in which 200 million users' data was leaked.

2. Facebook

In April 2021, nearly 533 million Facebook users' data was compromised, including usernames, passwords, locations etc.

3. Socialarks

In January 2021, around 200 million users' data was breached from this Chinese social media agency through an unsecured Elasticsearch database. The scraped data was mostly unencrypted and not password protected.

4. Bonobos

This men's clothing brand suffered a data breach in January 2021 compromising 12.3 million users' data. The company claims that cybercriminals targeted backup servers containing customer data.

5. Twitch

125 GB of sensitive data, potentially covering 7 million users, was leaked from this Amazon-owned company. Unlike other data breaches, the data leaked from Twitch was almost the entire Twitch code base, so it may have impacted all of its users.

6. Neiman Marcus

This US-based retailer lost nearly 4.8 million users' data. Most of the data was users' banking details.

7. MeetMindful

The dating app lost nearly 2.28 million users' data. Most of the data posted on the dark web was primarily users' private information.

8. Pixlr

A database of nearly 1.9 million Pixlr users was breached in January 2021.

9. Four Sports Warehouse brands

This was the most recent data breach reported in 2021. About 1.8 million users' data from four sports stores, namely Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC and Skate Warehouse LLC, was breached. Most of the breached data was customers' credit card details.

10. Graff

About 1.1 million users' data from this UK-based jewellery store was breached. Data of high-end customers such as Donald Trump and the Saudi crown prince was leaked.

*Breach-related information is taken from public sources.

Points to consider

Most data breaches happen because of ineffective cybersecurity practices at the organisations handling the data. In the past, most data breaches went unreported or were concealed by the data fiduciaries. However, with evolving, stricter data protection laws, it has become mandatory to notify any data breach along with the measures taken by the company to mitigate the damage.

Many organizations reduce the risk of a data breach by implementing a Privacy Information Management System (PIMS) to safeguard the internal and external personal data they hold. Privacy frameworks based on Generally Accepted Privacy Principles and certification frameworks like ISO 27701 are becoming even more popular for organizations to adopt.

A critical comparison between ISO 27001 & NESA

Over the years many standards and frameworks have been developed and adopted to address information security concerns. Information security which was once a niche domain and often an afterthought for business executives has come to occupy the centerstage.

It is the result of the wholesale migration of enterprise data to computer systems which are networked with each other, with different parts of an organization's network and/or with third-party networks through VPNs and leased lines, and to an always-on internet which is accessed by a variety of endpoints from different locations.

The situation is made more challenging by the plethora of technologies and software which increase the attack surface and the ever-evolving threat landscape which has become more and more sophisticated over time. The other reason is the overwhelming dependence of present-day business on information which is not just an asset but the most important asset. So much so that the focus of all BCP and DR programs is on securing and restoring information.

Given the above scenario it is understandable why there are so many information security standards and why they are so important. It is to give organizations and nations a direction and guidance as to how to approach and best secure information and information assets and how to evaluate effectiveness. Otherwise, every organization will have to reinvent the wheel and most will not be able to do it to any degree of efficiency and whatever they do will be disputed as to its effectiveness and intent. 

As mentioned above, there are many information security standards: some global, some national and some industry specific. In this article we will discuss 2 such standards, namely ISO 27001 and NESA. Both are hugely different but have a lot of common ground. Let us discuss the 2 standards briefly before we go into a comparison and into how an organization should approach them for the purpose of implementation and compliance.

ISO 27001: Information Security Management System

ISO 27001 is the global de facto information security standard which comes from ISO or the International Organization for Standardization. The latest iteration of the standard is ISO/IEC 27001:2013 (IEC means International Electrotechnical Commission, a body which works with ISO to produce standards on electrical, electronic, and derived technologies). In fact, it is one among many standards from the family of ISO 27000 standards all of which are devoted to information security.

ISO 27001 is the main standard against which an organization can be audited and certified, while the other standards in the family support ISO 27001. The chief among the other standards in the family are ISO 27000 (an introductory standard which defines information security terms and terminology), ISO 27002 (which provides guidance on implementing the controls listed in Annex A of ISO 27001), ISO 27005 (which provides guidance on performing information security risk management), ISO 27011 (which provides guidance on ISO 27001 implementation for the telecom sector) etc.

ISO 27001 follows the same uniform format as that of other ISO standards which will be easily recognizable to anybody who is acquainted with ISO standards. ISO standards are very neat and easy to read even by laypeople. ISO 27001:2013 is particularly very well-crafted, elegant, and easy to navigate. Being an international standard, it is very broad based and does not go into specifics but provides enough wherewithal to design an ISMS which best suits one’s purpose. A copy of the standard can be purchased from the ISO website at https://www.iso.org/standard/54534.html.

The standard follows a risk-based approach to information security and consists of 7 mandatory clauses which form the core of the standard. The clauses guide an organization on how to design, implement and operate an Information Security Management System, commonly referred to as an ISMS. The different clauses are shown mapped to the stages of a PDCA cycle below to give context and for better understanding.

The clauses are followed by an annex which lists control areas, control objectives and the controls that achieve the control objectives for each area. There are 14 control areas (also called control sets) and 114 controls to achieve the control objectives identified for each area. It is not mandatory to implement all of them, but it is mandatory to consider all of them and implement those which are relevant. Any exclusion is to be thoroughly justified. Most organizations end up implementing all the controls. The result of the process of evaluating the 114 controls (i.e., selecting and implementing a control, or rejecting it and excluding it from implementation) is a document (called documented information in ISO parlance) called the ‘Statement of Applicability’. The list below reproduces the control sets and the number of controls in each control set.

ISO 27001:2013 Control Sets

A.5 Information security policies (2 controls)

A.6 Organization of information security (7 controls)

A.7 Human resource security (6 controls)

A.8 Asset management (10 controls)

A.9 Access control (14 controls)

A.10 Cryptography (2 controls)

A.11 Physical and environmental security (15 controls)

A.12 Operations security (14 controls)

A.13 Communications security (7 controls)

A.14 System acquisition, development, and maintenance (13 controls)

A.15 Supplier relationships (5 controls)

A.16 Information security incident management (7 controls)

A.17 Information security aspects of business continuity management (4 controls)

A.18 Compliance (8 controls)

National Electronic Security Authority (NESA)

The full form of NESA is National Electronic Security Authority. It is a UAE government body constituted in September 2012 under the aegis of the Supreme Council of National Security and is responsible for the UAE’s information security strategy. It also aims to foster a culture of information security awareness and best practice among all concerned, and to strengthen the security of the UAE’s information assets and digital infrastructure. The current name of NESA is SIA, or Signals Intelligence Agency, though it still goes by its old name. The body has formulated standards and documentation which are collectively called the NESA Information Pack. The chief formulations in the NESA Information Pack include the IAS (Information Assurance Standards), the Critical Information Infrastructure Protection Policy (CIIP) and the Cyber Risk Management Framework (CRMF).

Of the formulations mentioned, the IAS is the standard set by the UAE with respect to information security for organizations. A copy of the standard can be purchased from sites like scribd.com, coursehero.com etc. NESA does not clearly define the applicability of the IAS, but states it as applicable to all government and private organizations which process, deal with or are part of the UAE’s critical information infrastructure. What it basically means is that it is applicable to all organizations which deal in and provide utility products and services to customers in the UAE or to the government of the UAE.

The IAS is heavily influenced by ISO 27001 and by NIST standards (NIST being the National Institute of Standards and Technology, an American body that develops standards). However, its approach is different from that of ISO 27001:2013. We will go through the differences at length in the differences section that follows.

NESA’s IAS is based on a threat-based model. To put it very simply, NESA identified and compiled a list of cyber security threats from industry data and categorized the threats in terms of severity and frequency of occurrence.

It then devised controls to counter those threats and prioritized each control according to the level of the threat it addresses. There are 4 priority levels, from P1 to P4. Implementing the IAS in an organization begins with the P1 controls: an organization must demonstrate that it has successfully implemented at least the P1 controls to be considered compliant. The tables below show the control categorization; Table 1 shows the priority breakup of the controls.

Apart from the priority levels, the controls are also grouped into 2 broad groups called families, depending on the type or nature of the control. The two control families are the Management and Technical Controls families. There are 188 controls in all, of which 60 are management controls and 128 are technical controls. They are further broken down into 564 sub-controls. Tables 2.1 and 2.2 show the breakup of controls into the management and technical control families.

Generic Similarities Between ISO 27001 & NESA

  1. Both are information security standards.
  2. Both follow a PDCA (Plan, Do, Check, Act) model. The clauses of ISO 27001:2013 and the activities of the IAS correspond to a PDCA cycle.
  3. Both mandatorily require risk assessment and risk treatment of unacceptable risks.
  4. Both result in the implementation and operation of a robust ISMS.
  5. Both focus on securing information, not IT assets or the IT function, and hence require the involvement of staff from all quarters.
  6. Both require a high degree of management involvement and commitment for success. At the same time, both require a good understanding of and commitment to information security and information security practices by all employees and stakeholders.
  7. Both are a continuous process and need to be treated as a program, not a project with a beginning and an end.

11 Differences Between ISO 27001 & NESA

1. Approach:

ISO 27001 is based on a business risk approach. It identifies and grades information and information assets based on their criticality to the business and then applies appropriate controls depending upon the level of risk associated with the information or information asset.

NESA IAS follows a threat-based approach and is geared towards mitigating those threats to the information infrastructure. A threat-based approach means that organizations do a risk assessment of the 24 threats identified by NESA to determine which are applicable to it and which it should be most concerned about and then work towards their mitigation by applying appropriate controls.

2. Scope:

ISO 27001 gives organizations the liberty to decide on the scope of implementation. The scope can be defined in terms of location, function, process, department, product etc. Usually, organizations go for a phased implementation and begin with a particular department, location etc. Once it is successfully implemented and certified the success is replicated either across the entire organization or phase wise to different departments, locations etc.

NESA IAS does not give the flexibility of defining scope to the organization. If an organization falls under its ambit, it is the whole of the organization. This makes it more challenging to implement and maintain.

3. Risk Assessment:

ISO 27001 mandates risk assessment and management but does not mandate the basis for it. Asset-based, process-based, scenario-based, threat-based etc. are all valid. To this day most organizations prefer to do an asset-based risk assessment despite the free hand given to them. The standard also does not prescribe the risk management methodology to be adopted, though we have ISO 27005 for that purpose. An organization can use any of the numerous methodologies available, like the Risk IT Framework, OCTAVE, MEHARI, ISO 27005 etc.

NESA IAS does not accept an asset-based risk assessment and mandates a threat-based or process-based risk assessment. Also, the risk assessment should ideally be as per NESA’s Cyber Risk Management Framework (CRMF). Though it is not a stated requirement, it is an unstated requirement of sorts.

4. Specificity:

ISO 27001 is more broad-based and less specific and prescriptive. NESA IAS is more specific and precise in its definition and requirements. 

5. Controls:

ISO 27001 does not categorize controls on a weighted basis. All controls are equal in weight and significance and are either applicable or inapplicable in a certain context.  NESA IAS categorizes controls into management and technical controls and prioritizes them from P1 to P4 levels of priority (weighted) depending upon the level of threat it addresses.

6. Compliance:

In ISO 27001, compliance measurement is graded into major non-conformity, minor non-conformity, observations (qualified and unqualified) and opportunity for improvement. In NESA IAS, compliance is measured in binary i.e., either compliant or non-compliant.
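To make the two evaluation models concrete (the Statement of Applicability rules from the ISO 27001 section above, and the P1 gate and binary verdict described for NESA IAS), here is an added Python illustration written for this article; it is not code from ISO, NESA or the author. The control ids below the control-set level (A.5.1, M.1.1, T.2.3), the sample register and the helper names are constructed placeholders.

```python
"""Added illustration for this article; not code from ISO, NESA or the author.

Models the two evaluation styles the article contrasts:
  * ISO 27001: every Annex A control is considered in a Statement of
    Applicability (SoA); exclusions need a justification; audit findings
    are graded (major / minor / observation / OFI).
  * NESA IAS: controls carry a family (M/T) and a priority (P1..P4);
    compliance is binary, gated on every P1 control being implemented.
Control ids below the control-set level ("A.5.1", "M.1.1", "T.2.3") are
constructed placeholders, not the real numbering of either standard.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Annex A control sets and per-set control counts as listed in the article.
ISO_CONTROL_SETS: Dict[str, int] = {
    "A.5": 2, "A.6": 7, "A.7": 6, "A.8": 10, "A.9": 14, "A.10": 2, "A.11": 15,
    "A.12": 14, "A.13": 7, "A.14": 13, "A.15": 5, "A.16": 7, "A.17": 4, "A.18": 8,
}


def total_iso_controls() -> int:
    """Sum of the per-set counts; the article gives 114 in total."""
    return sum(ISO_CONTROL_SETS.values())


def expected_control_ids() -> List[str]:
    """Constructed ids 'A.5.1' ... 'A.18.8', one per control in each set."""
    return [f"{cs}.{i}" for cs, n in ISO_CONTROL_SETS.items() for i in range(1, n + 1)]


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    implemented: bool = False
    justification: str = ""   # mandatory whenever applicable is False


def validate_soa(entries: Iterable[SoaEntry], expected: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the SoA meets the rules above."""
    entries = list(entries)
    seen = {e.control_id for e in entries}
    # Rule 1: every control must at least be considered.
    findings = [f"{cid}: not considered (absent from SoA)" for cid in expected if cid not in seen]
    for e in entries:
        # Rule 2: an exclusion without a written justification is a finding.
        if not e.applicable and not e.justification.strip():
            findings.append(f"{e.control_id}: excluded without justification")
        # Rule 3: a selected control that is not in place is a gap.
        elif e.applicable and not e.implemented:
            findings.append(f"{e.control_id}: applicable but not implemented")
    return findings


# ISO-style graded audit findings, recorded as (process, grade) pairs.
MAJOR, MINOR, OBSERVATION, OFI = "major", "minor", "observation", "ofi"


def iso_certifiable(findings: Iterable[Tuple[str, str]]) -> bool:
    """Article's rule: one major, or several minors against one process,
    blocks certification; observations and OFIs do not."""
    minors_per_process: Dict[str, int] = {}
    for process, grade in findings:
        if grade == MAJOR:
            return False
        if grade == MINOR:
            minors_per_process[process] = minors_per_process.get(process, 0) + 1
    return all(n < 2 for n in minors_per_process.values())


@dataclass
class NesaControl:
    control_id: str   # constructed, e.g. "M.1.1" or "T.2.3"
    family: str       # "M" (management) or "T" (technical)
    priority: int     # 1..4, P1 being the most urgent
    implemented: bool


def nesa_compliant(controls: Iterable[NesaControl]) -> bool:
    """Binary verdict: compliant only if every P1 control is implemented."""
    return all(c.implemented for c in controls if c.priority == 1)


def nesa_coverage(controls: Iterable[NesaControl]) -> Dict[int, float]:
    """Fraction implemented per priority level, to track P2..P4 after the P1 gate."""
    done: Dict[int, int] = {}
    total: Dict[int, int] = {}
    for c in controls:
        total[c.priority] = total.get(c.priority, 0) + 1
        done[c.priority] = done.get(c.priority, 0) + int(c.implemented)
    return {p: done[p] / total[p] for p in sorted(total)}


if __name__ == "__main__":
    # Constructed sample: two controls decided, the remaining 112 never considered.
    soa = [SoaEntry("A.5.1", True, True), SoaEntry("A.10.1", False)]
    print(len(validate_soa(soa, expected_control_ids())), "SoA findings")  # 113
    nesa = [NesaControl("M.1.1", "M", 1, True), NesaControl("T.2.3", "T", 1, False),
            NesaControl("T.4.1", "T", 2, True)]
    print("NESA compliant:", nesa_compliant(nesa), nesa_coverage(nesa))
```

Note how the same state yields a graded picture under the ISO rules but a flat fail under the NESA P1 gate, which is the practical difference the comparison above describes.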

7. Evaluation & Certification:

ISO 27001 certification is achieved through an external audit conducted by an accredited certification body. Internal audits do not provide certification but are part of continual improvement and a certification requirement. Certification depends on the overall performance of the organization’s ISMS. Usually, a major non-conformity, or multiple minor non-conformities pertaining to a single process, prevents certification or leads to loss of existing certification. In NESA IAS, a formal audit is not required, even though almost all organizations do one to ensure that they are compliant. Organizations can attest their compliance with the standard by performing a self-assessment and sharing the result with NESA. If NESA sees fit, it can probe further by seeking additional information, by intervening itself, or by authorizing a person or entity to conduct additional tests of controls. The level of involvement in the evaluation process on the part of NESA or the relevant government regulatory bodies depends upon the organization and its criticality to the UAE’s information infrastructure, or on the kind and nature of the non-conformity or suspected non-conformity.

8. Applicability:

ISO 27001 is a global best practice standard with universal acceptance and is mostly voluntarily adopted. The standard does not make itself applicable to anyone. NESA IAS is a national standard which makes itself a requirement to organizations and is enforced by the UAE government and entities and processes authorized to do so.

9. Age:

ISO 27001 is a much older standard which has undergone several revisions. The initial version was launched in November 2005 and the last revision was in 2017. NESA IAS is a newer standard which came into existence in 2015. 

10. Pros & Cons:

ISO 27001 is very good at developing and implementing an all-encompassing, robust ISMS, but may fall short in taking care of real-life threats posed by sophisticated and new cyberattacks, especially zero-day attacks and APTs (Advanced Persistent Threats). It is more customizable and can fit a larger basket. ISO 27001 is almost the precursor and pioneer of information security standards and has bred standards like the NESA IAS.

NESA IAS is very good at tackling real-life threats posed by cyberattacks, but may fail to prevent data leakage and data pilferage, especially through social engineering and by insiders. It is intended to be strict and specific to the security context of the UAE. NESA IAS is a hybrid standard and combines the best from many standards.

11. Non-compliance consequences:

Since ISO 27001 is a non-governmental standard from an international body, non-compliance leads to not being able to certify or re-certify. ISO does not have any means or authority to enforce compliance; ISO certifications work by virtue of their credibility and moral authority. Since NESA IAS is a national standard with government and legal sanction, non-compliance can lead to escalation and punitive measures in the form of increased scrutiny, imposition of additional requirements, having to bear the cost of additional audits, fines, lawsuits and, in the worst-case scenario, arrest of top executives or a complete ban on doing business in or with the UAE.

    Comparison of Controls of ISO 27001 & NESA IAS

    Number of controls
    ISO 27001: ISO 27001 has only 114 controls, which is much less compared to IAS.
    NESA IAS: NESA has a total of 188 controls which are further divided into 564 sub controls, which is a huge volume.

    What is treated as a control
    ISO 27001: It only considers specific activities and measures to address specific risks or to attain specific security objectives as controls.
    NESA IAS: It considers high-level management activities as controls, which is different and unique. It is somewhat controversial as to how high-level management activities can be considered as controls; usually, high-level activities are responsible for producing, modifying and fine-tuning controls. An example is M.1.1.1 (Understanding the entity and its context), which corresponds to clause 4 (Context of the Organization) of ISO 27001.

    Mandatory controls
    ISO 27001: Technically speaking, none of the controls specified in Annex A of ISO 27001 is mandatory, even though practically speaking most of them are relevant to most organizations and are implemented voluntarily.
    NESA IAS: NESA IAS on the other hand has a set of 35 management controls which are always applicable (unless justified by the risk assessment as not being so) and must be mandatorily implemented.

    ISO 27001 does not go into the details of how to implement a control to be compliant or how to measure the success of the control implementation. In fact, it just lists the controls and does nothing apart from identifying areas which need to be addressed through the suggested controls and control activities. Even ISO 27002, which contains the guidelines for implementing the ISO 27001 controls, does not go beyond a point except for handholding and showing the way.

    NESA IAS goes into great depth for each security control specifying how exactly to implement it to be compliant (sub controls), how to measure it (performance indicators), how to automate the control if and where possible (automation guideline), the type of cyberattack it protects against (relevant threats and vulnerabilities) and additional implementation help and suggestion (implementation guidance). So, it is very much unlike ISO 27001 in this regard leaving little to the imagination.

    ISO 27001 or NESA IAS, Which Should be Implemented First?

    With respect to the UAE, implementing ISO 27001:2013 is optional but NESA is mandatory. So the decision to implement either or both will depend upon the organization’s coverage or, to be more precise, upon the organization’s clientele or customer base. If the organization has an international clientele or customer base extending beyond the UAE, then it might have to, and should ideally, implement ISO 27001:2013. Otherwise NESA IAS might suffice. If an organization must and/or decides to implement both standards, my suggestion would be to start with ISO 27001:2013 and then follow it up with NESA IAS. Since NESA IAS is inspired by ISO 27001:2013 and follows a similar approach, but to a slightly different end, it might be easier to implement IAS followed by ISO 27001:2013. An IAS implementation followed by an ISO 27001 implementation can be easily achieved through a gap analysis and working to fill the gaps, especially in terms of control compliance, since the framework of policies, processes and procedures which make up the management system will already be there.

    Challenges in Implementation & Maintenance of ISO 27001 &/or NESA

    Given the expansive nature of both standards, implementing any one of them is a huge challenge, with IAS being a bit more challenging. The challenge with IAS arises because of its applicability to the entire organization, its huge set of 564 sub controls, all of which must be implemented for every security control (unless it can be excluded through risk assessment), and the need to monitor control performance as specified by the standard (unless a custom means to measure can be justified by the context of the organization). ISO 27001 on the other hand requires a lot of high-level activities and voluminous documentation. Performing so much in one go is almost impossible even for the most sophisticated IT corporations. For non-IT companies for whom IT is a supporting cost function, it is too much of an ask. Therefore, most companies, including IT companies, need a qualified full-time information security consultant to help them in their journey to compliance. There are many such independent consultants and consultancy firms that one can choose from.

    Implementation Pitfalls and how to Avoid them

    It is no wonder that such complex standards will have pitfalls for anyone trying to navigate them. It is also no wonder that many organizations (especially those without adequate expertise or domain knowledge) fall for them and founder. Some of the most common pitfalls that can be identified with respect to organizations trying to interpret and operate the standards are as below:
    • Loss of focus – Given the length and breadth of the standards, it is quite natural for one to get lost along the way and lose focus as to the real purpose and how it is to be achieved. The result might be that an organization remains compliant while having open but undetected security issues. It might also lead to a situation where the organization loses sight of the fact that the standards are not technical standards but management system standards for better management of enterprise information. The technical aspect is only a small part: how to use the most suitable and cost-effective technology and technology configuration to achieve that.
    • Control Risk – Too much focus on controls and sub controls, especially in the case of IAS, poses the threat of overdoing and overcompensating, paving the way for control risk (risk posed or introduced by a faulty or ill-designed control), which is a serious security threat.
    • Too much management focus – It might also happen that too much high-level deliberation and intervention by management leads to unnecessary complication and paralysis on the ground, and the entire exercise is reduced to meetings, documentation, and maintaining and manufacturing evidence to demonstrate compliance.
    • Confusion and Fatigue – It is very important that there is someone, especially at the top of the ISMS team, who really understands the standard and has a clear mind, so as to be able to take accurate decisions and give unambiguous direction. This will avoid loss of time and wasted effort, all of which ultimately leads to losing steam and burning out.
    • Performing without realizing – It might also happen that the ISMS becomes so much a part of the culture that people practice it mechanically without applying their minds, unless they are jolted by a disaster. This is a dangerous situation, as complacency with respect to information security can be very costly. So there must be continuous training and workshops for the relevant people and a robust and independent internal audit process to keep everybody awake and aware.
    To avoid the above, it helps to gather as much information as possible from all quarters and do a thorough study of the standards. This helps one to understand what is expected and how it can be done with the least pain and without running into serious trouble. Also, professional help from a qualified and experienced consultant is not just desirable but almost indispensable, at least to begin with. Both standards allow a phased implementation, and organizations should make use of this facility: ISO 27001 does so in terms of scope, and NESA IAS does so in terms of a phased implementation of the security controls as per priority. An organization is expected to demonstrate compliance with the implementation of P1 controls and ‘always applicable’ controls to begin with, in order to be considered compliant and on the right track.

    Conclusion

    Both standards are critical in today’s business context for any enterprise. In order to appreciate them better, it is important to know further details of their controls and where these standards intersect and where they diverge. It is also critical to appreciate their similar but slightly different contexts of operation and the purposes that they fulfil. If implemented in a contextual way, both standards can help enterprises benefit immensely. Consultants Factory provides ISO 27001 & NESA related IT management consulting services.