ISO updates information security controls guidelines

International reference guidelines for assessing information security controls have been updated to keep pace with the changing risk landscape. Developed by ISO and the International Electrotechnical Commission (IEC), ISO/IEC TS 27008, 'Information technology – Security techniques – Guidelines for the assessment of information security controls', provides guidance on assessing the controls in place to ensure they are fit for purpose, effective and efficient, and in line with company objectives.

The technical specification has recently been updated to align with new editions of other complementary standards on information security management, namely ISO/IEC 27000 (overview and vocabulary), ISO/IEC 27001 (requirements) and ISO/IEC 27002 (code of practice for information security controls).

Prof. Edward Humphreys, head of the working group responsible for the standard, said ISO/IEC TS 27008 will help organisations to assess and review current controls managed through the implementation of ISO/IEC 27001.

“In a world where cyber attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organisation’s business processes,” he said.

“ISO/IEC TS 27008 can help give organisations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organisation faces.”

ISO/IEC TS 27008 is relevant to organisations of all types and sizes.
