Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Cybersecurity and Privacy Law Handbook
Cybersecurity and Privacy Law Handbook

Cybersecurity and Privacy Law Handbook: A beginner's guide to dealing with privacy and security while keeping hackers at bay

eBook
$9.99 $41.99
Paperback
$51.99
Audiobook
$9.99 $51.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Cybersecurity and Privacy Law Handbook

ISO27001 – Definitions and Security Concepts

My aim in writing this book is providing you a comfortable way to understand and enhance the cybersecurity and privacy within your entity. Of course this book is not targeted at seasoned experts in ISO27001 implementation; moreover, when I planned it, my targets were managers that know almost nothing about cybersecurity and privacy but want to improve company security, even using third-party consulting (and therefore wanting to know whether the external service is wasting internal budget), or novices that, for some reason, have to deal with IT security in a smoooth way.

It’s a long trip, although I will try my best to help you digest an enormous amount of information in a short, agile book. I hope you find it interesting and forgive those mistakes that, unfortunately, will appear no matter how many corrections I make.

Since it’s a long trip, I suggest you prepare by putting on a pair of comfortable slippers and making a huge cup of coffee (or tea, as you wish), and sit down and relax.

In this chapter, we will cover the following topics:

  • The 27k family of standards
  • Confidentiality, integrity, and availability
  • Information security concepts and definitions
  • Governance, policies, and incident management
  • Differences of NIST

The 27k family of standards

There’s more than walls and fences, if any, to protect in your company. Let’s suppose your company has developed a new product. This product can guarantee a nine-figure income for at least the next decade. So, what’s the most important asset of your company?

One of your company’s most significant assets is information.

As you continue to read this book, this sentence will soon become your mantra. Ensuring the confidentiality, integrity, and availability of information is the goal of information security. These fundamental information security factors aid in ensuring that an entity’s data is secure. So, getting back to your product, what does your company need to defend itself from?

The main pain points are the following:

  • The leakage or disclosure of sensitive or confidential information, exposed either by accident or design
  • The compromise of personally identifiable information
  • Critical information being tampered with, either by mistake or on purpose, without the knowledge of the entity
  • Critical corporate data disappearing without a trace or the possibility of recovery
  • The unavailability of critical business information when it is required

The preceding statements lead us to a couple of valuable mantras about information:

Everyone within the company should be responsible for the information system, and they must do their best to ensure that their information is secure.

A human being is always the weakest link of the security chain.

Let’s put it simply: everyone within the company needs to understand and help out to improve the security posture, and often, just following the company policies and procedures (or even using common sense) will vastly improve the standard security. For instance, just adopting and respecting a clean desk policy may prevent the cleaning staff from viewing unauthorized documents (and we don’t know whether the cleaning staff is somehow ready to sell our company and/or private information – insiders can wear any kind of hat).

Let’s see another example: your company spends thousands of dollars on implementing privacy screens (privacy filters designed for computer users to keep their private and confidential information safe). But if you leave your laptop unattended, then they are completely useless.

Information is adequately maintained and safeguarded against several threats.

Every entity can be at risk of data leakage by different means, and if a company wants to improve its security standards, it feels the need to improve those. The vast majority of companies (at least in Europe) use so-called frameworks (such as ISO 27001/27002, NIST, etc.) simply because they’re ready to apply and use. More specifically, in regard to European entities, by implementing ISO 27001, you are also implementing things such as General Data Protection Regulation (GDPR, aka the European privacy law) and security over the cloud. Basically, you’re killing three birds with one stone.

The following ISOs give us a foundation to establish an effective information management system:

  • Information security management systems – ISO/IEC 27001:2017
  • Security approaches – Requirements and ISO/IEC 27002:2022

While ISO 27001 has been prepared to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system, ISO27002 is designed for organizations of all types and sizes. It is to be used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001

Born as an independent, non-governmental entity, the International Organization for Standardization (ISO) comprises the national standards bodies from the 165 countries that make up its membership. There are more than 1,500 voluntary international standards developed by ISO.

According to Wikipedia:

More than 20,000 standards have been established, encompassing everything from manufactured goods and technology to food safety, agriculture, and healthcare services. ISO is a voluntary entity whose members are recognized authorities on standards, each one representing one country. Members meet annually at a General Assembly to discuss the strategic objectives of ISO. The entity is coordinated by a central secretariat based in Geneva.

A council with a rotating membership of 20 member bodies provides guidance and governance, including setting the annual budget of the central secretariat.

The technical management board is responsible for more than 250 technical committees, who develop the ISO standards.

Products and services of high quality can be produced by adhering to the standards. Using the standards, businesses can boost productivity while reducing waste and errors. Comparing products from different markets makes it easier for businesses to expand into new markets and helps global trade develop on an equal footing. The standards also protect consumers and end users of products and services by ensuring that certified products meet international minimum standards.

Since we are interested in the information security side of ISO, let’s set aside what’s irrelevant to our scope.

The ISO/IEC 27001 requirements for approved third-party Information Security Management System (ISMS) certifications can be applied to third-party accreditations of ISMSs. ISMS audits are conducted by accredited certification bodies as part of the accreditation process. With the help of ISO/IEC 27001, they can be confident that their management systems and procedures comply.

ISO/IEC 27002, a guidance document, provides information security best practices and implementation guidance. As part of the risk management process, ISO/IEC 27001-compliant entities can use these controls to protect their information assets.

Confidentiality, integrity, and availability

One of the main components of ISO 27k is something called the CIA triad (of course, this has nothing to do with either the Mafia and/or the US Central Intelligence Agency).

In information security, the CIA triad is widely accepted as a model. It’s not a single doctrine, and there is no single author of it either. On the contrary, the model seems to have evolved over time, with roots that go back as far as modern computing. It appears that Ben Miller, vice president of Dragos, is the only one who has done any research into the triad’s origins. When he went looking for the origins of this model, more than a decade ago, he couldn’t find anything. Concepts appear to have been pulled from a variety of sources, including a 1976 Air Force report and a paper from the 1980s comparing commercial and military computer systems.

It’s mostly based on a triangle made of confidentiality, integrity, and availability, which are the main pillars of IT security.

Figure 1.1 – CIA triad

Figure 1.1 – CIA triad

Whatever the case may be, the CIA triad includes the following three elements:

  • A company’s data must be kept private to maintain confidentiality. This usually means that data should only be accessed or modified by processes and users who have been granted permission to do so.
  • Integrity is the quality of being able to have confidence in one’s data. An accurate and authentic record should be kept in a safe place where it cannot be changed or tampered with.
  • Authorized users should be able to access data at any time (availability), just as it is critical to keep unauthorized users out of an entity’s data in the first place. Maintaining a stable network of computers, servers, and other devices is to be considered an integral part of availability.

Let’s see an example to better understand these concepts.

You are sending an email to me because you’d like me to clarify some concepts you don’t understand (probably because they were badly explained by me – who knows). While preparing the email, you also attach a document in which there’s the part you don’t understand. Finally, you send the email.

In this case, confidentiality means that you sent this email to me and to me only. Unless a third party was involved in our email exchange, this email is sent exclusively to me.

If you send me a message with a few words, including Dear Mr., some sort of body text, some salutation at the end, and an attachment, I will receive exactly that message body and that attachment (this is integrity; if we want, we can measure the number of kilobytes used to send that message and you can bet that the body text and attachment are the same size).

Finally, we can log in to an email server at any time, 24/7, using our email client, and check whether there are new messages: that’s availability.

But, of course, this is just an example of how to adopt the CIA triad.

Access control methods such as two-factor authentication and passwordless sign-on are examples of confidentiality. However, it’s not just about allowing authorized users access; it’s also about preventing certain files from being accessed. Both accidental disclosure and malicious attacks can be prevented by using encryption.

Access control and encryption can help maintain data integrity, but there are many other ways to protect data integrity, both from attacks and corruption. It can be as simple as making a file read-only at times. In some cases, data can be audited using hashing or data checksums, which ensure the integrity of the data. In some cases, the integrity of a system may be shielded from external influences.

Availability refers to the ability of your systems to remain operational in the event of an attack. Distributed Denial of Service (DDoS) attacks, for example, are based on a lack of resources. You can ensure uptime by building redundancy into your systems to combat DDoS attacks. In the absence of an attack, systems can still fail and become unavailable, so load balancing and fault tolerance can be used to prevent systems from failing.

It is important for security professionals of all kinds to understand these concepts. For information security professionals, the triad of these three concepts makes it easier to think about the interrelationships, overlaps, and conflicts between them. Security professionals can use the tension between the triad’s three legs to determine their information security priorities and procedures.

Information security concepts and definitions

Other best practices to remember are as follows:

  • Know thy system.

Knowing the system is perhaps the most critical factor when attempting to defend it. It makes no difference whether you’re protecting a castle or a Linux server if you don’t understand the intricacies of what you’re defending.

Knowledge of what software is running on your systems is an excellent illustration of this in the area of information security. What daemons do you have running? What kind of exposure do they generate? A decent self-test for someone in a small- to medium-sized environment would be to choose an IP address at random from a list of your systems and see whether you can recall the precise list of ports that are open on the computers.

It’s a web server, therefore everything’s just running on ports 80, 443, and 22 for remote management; that’s it,” a skilled administrator should be able to say—and so on for each sort of server in the ecosystem. When seeing port scan findings, there should be no surprises.

In this kind of test, you don’t want to hear, “Wow, what’s that port?” Having to ask that question indicates that the system administrator is not entirely aware of everything operating on the computer in question, which is exactly what we want to prevent.

  • The least privilege

The next crucial principle is that of least privilege. Least privilege simply states that people and objects should be able to do only what they need to do their tasks. I include these kind of examples because administrators frequently configure automatic processes that must be able to perform specific activities, such as backups. What usually occurs is that the administrator adds the user performing the backup to the domain admins group, even if they could get it to function in another way. Why? Because it is less difficult.

Finally, this is a philosophy that is intended to directly contradict human nature, namely laziness. It is always more difficult to grant granular access that allows only specified tasks than it is to grant a higher level of access that covers everything that needs to be done.

This rule of least privilege just reminds us not to succumb to this temptation. Don’t back down. Take the time to make all access as granular and as minimal as feasible.

  • Defense in depth

Defense in depth is likely the least understood of the four concepts. Many people believe that it is as simple as stacking three firewalls instead of one or running two antivirus applications instead of one. This is technically correct, but it is not the fundamental nature of defense in depth.

The true concept is to build various types of protection between an attacker and an asset. These layers don’t even have to be products; they might be applications of other notions, such as least privilege.

Consider an attacker on the internet attempting to breach a web server in the Demilitarized Zone (DMZ; basically a physical or logical subnetwork that contains and exposes an entity’s external-facing services). Given a huge vulnerability, this may be quite simple, but with an infrastructure utilizing defense in depth, it may be substantially more difficult.

We need to take into consideration activities such as hardening (appliances such as routers, firewalls, IPDs/IDSs, and target hosts) and widely implementing antivirus and antimalware—any of these procedures can potentially prevent an attack from being totally or partially successful. The notion is that instead of thinking about what has to be put in place to stop an attack, we should think about what needs to happen for it to be successful. Perhaps an assault had to pass via network infrastructures to get to the host, execute, build an outbound connection to a host outside, download stuff, run it, and so on.

What if any of those steps were to fail? The key to defense in depth is to place barriers at as many sites as possible. Our aim is to try to make it so that it’s hard for potential intruders to get into our network. By using this kind of approach, it will be difficult for hostile code to run on your systems, run your daemons and/or services as the least-privileged user, and so forth.

The advantage is straightforward: you have more chances to prevent an attack from succeeding. Someone may go all the way in, all the way to the box in question, and be stopped by the fact that the malicious code would not run on the host. However, once that code is modified so that it may run, it may be detected by an upgraded IPS or a more stringent firewall ACL. The goal is to secure whatever you can at every stage. Secure everything—file permissions, stack protection, ACLs, host IPSs, limiting admin access, running as limited users; the list is endless.

The core premise is also straightforward: don’t rely on a single solution to protect your assets. Consider each layer of your defense as though it were the only one. When you follow this method, you have a better chance of stopping attacks before they reach their aim.

Also, in IT security (and ISO 27001 itself, which is a framework that is continuously improving), new concepts are arising on almost a yearly basis, and one of the most interesting concepts around is called zero trust.

Conventional security models are based on perimeter security. In practice, the protection of the corporate ecosystem trusts all traffic and action flowing within the perimeter.

The zero trust approach, on the other hand, is designed to address even all those so-called lateral threats that move through networks. How? By exploiting an approach linked to microsegmentation and the definition of granular perimeters, based on users, data, and their location.

  • Prevention is preferable, but detection is required.

This is a basic concept, yet it is incredibly significant. The concept is that while it is preferable to stop an attack before it is successful, if it is, it is critical that you are aware that it occurred. For example, you may have safeguards in place to prevent code from being executed on your system, but if code is executed and something is done, it is vital that you are notified and can act immediately.

The difference between learning about a successful attack within 5 or 10 minutes and learning about it weeks later is enormous. Having the knowledge early enough can often result in the attack not being successful at all; for example, the attacker may get on your box and add a user account, but you get to the machine and take it offline before they can do anything with it.

Regardless of the situation, detection is critical because there is no guarantee that your prevention actions will be effective.

Other remarkable best practices are as follows:

  • Protection and utility must be balanced.

Computers in a workplace could be entirely safeguarded if all networks were destroyed and everyone was thrown out—but then they would be of no use to anyone.

  • Determine your vulnerabilities and make a plan.

Not all of your resources are equally valuable. Some data is more vital than others, such as a database holding all accounting information on your clients, such as bank IDs, social security numbers, addresses, and other personal information (we’ll talk about privacy later). Identifying what data is more sensitive and/or significant will assist you in determining the level of protection required to safeguard it and designing your security tactics accordingly.

  • Use uncorrelated defenses.

Using a single strong protection mechanism, such as authentication protocols, is only effective until it is breached. When numerous layers of separate defenses are used, an attacker must apply a variety of tactics to get past them.

Because the causes of breaches aren’t always obvious after the fact, it’s critical to have data to track backward. Even if it doesn’t make sense at first, data from breaches will eventually help to improve the system and prevent future attacks.

  • Run frequent tests.

Hackers are constantly honing their skills, so information security must evolve to keep up. IT professionals should run tests, conduct risk assessments, reread the disaster recovery plan, double-check the business continuity plan in the event of an attack, and then repeat the process.

  • The bottom line.

IT security is a difficult job that requires both attention to detail and a high level of awareness. However, like many seemingly complex tasks, IT security can be broken down into basic steps that can simplify the process. That’s not to say it’s easy, but it keeps IT professionals on their toes.

So, while we have seen some ways to improve your security posture, I am afraid to tell you that we have only scratched the tip of a huge iceberg. Although hardening is a very important topic and everyone dealing with security should at least understand these basic concepts, an entity is a bit more than a document with a plethora of how-tos.

An entity is the sum of many elements: core values, community, respect and many more, but also ethics, risk management, compliance, and administration, which form the governance of a company.

Governance, policies, and incident management

We are going to talk about what makes an entity (or company, association, or whatever you want to call it).

Governance

We can define corporate governance as “a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.” (This definition is taken from https://www.itgovernance.co.uk/.)

A strong corporate governance framework can assist you in meeting the requirements of laws and regulations such as GDPR, that is, the European privacy law.

GDPR, for example, requires data controllers and processors to verify compliance with its standards through specific documentation, such as applicable logs, rules, and procedures.

Throughout this book, I will use examples from GDPR, although there are several other legislations around, such as LGPD (the Brazilian privacy law) or CCPA from California, and many more about to come. But GDPR is, with the UK variant, an umbrella for roughly 400 million people in 28 countries and therefore, the most popular.

Using IT governance aspects will assist you in creating and maintaining proper policies and procedures to help satisfy your data privacy obligations.

IT governance is a component of corporate governance that aims to improve overall IT management and get more value from investments in information and technology.

IT governance frameworks have the following functions:

  • Assisting entities in efficiently managing their IT risks and ensuring that information and technology operations are aligned with their overall business objectives
  • Showing demonstrable achievements in relation to broader business plans and goals
  • Complying with applicable legal and regulatory duties, such as those outlined in GDPR
  • Assuring stakeholders that your entity’s IT services are trustworthy
  • Facilitating a higher return on IT investment
  • Following any business governance or public listing guidelines or procedures

According to ISACA (https://www.isaca.org), we can break IT governance (ISO 38500) into five different domains:

  • Value delivery
  • Strategic alignment
  • Performance management
  • Resource management
  • Risk management

Consider that there are several frameworks and methodologies to comply with IT governance, such as ISO 27001, NIST, ISO 27000 (aka ITIL), COBIT, ISO 31000, ISO 38500, and ISO 22301. Since we are dealing with a security compliance framework, it would be better to stick to the most popular, that is, ISO27001 and NIST, alongside ISO 27701 (privacy framework).

Policies and procedures

Policies and procedures are the documents that describe how your business is run in the information security industry.

A policy is a set of rules or guidelines that your entity and its employees must follow in order to comply:

  • Policies provide answers to the questions of what employees do and why they do it
  • A procedure is a set of instructions for implementing a policy

So, what exactly is a policy?

A policy is defined as a set of rules or guidelines that your entity and employees must follow in order to achieve a specific goal (i.e., compliance).

What is the function of a policy?

An effective policy should outline what employees must and must not do, as well as directions, principles, and decision-making guidance. It should answer the questions What? and Why?. Both are related to the meaning of a policy and it’s important to understand what a policy is and why it is needed.

What exactly is a procedure?

A procedure is the inverse of a policy; it is the instructions on how to implement a policy:

  • It is the step-by-step guide for implementing policies, outlined previously
  • A policy defines a rule and a procedure defines who is expected to do what and how
  • Procedures provide answers to questions such as how, when, and where

What is the importance of documented policies, procedures, and protocols?

Too many businesses regard policies and procedures as a necessary evil, failing to consider their purpose. It’s not about following best practices or becoming a soulless corporate entity; the goal of policies and procedures is to explain what management wants to happen and how it will happen.

I’ve come to believe that the primary difference between a small and medium business is not found in quantifying a company’s maturity by revenue or employee count, but rather in whether or not management has taken the time to develop, implement, and maintain policies and procedures.

So far, this definition has not disappointed me; companies with mature policies, procedures, and systems are easier to audit, have a better understanding of their security posture and risk, and appear to be operating far more sustainably than those that haven’t paid much attention to governance.

Objections about policies and procedures

Once management understands the definitions of policies and procedures, they will no longer ask, “What are policies and procedures?” or “What is the purpose of a policy?” and instead proceed to ask, “Why do I have to write policies and procedures?

Management in small businesses generally has the same set of objections to writing down a set of policies and procedures, all of which are related to difficulty, company culture, and time constraints. But keep in mind that the benefits outweigh the inconvenience of policies and procedures. The goal of policies and procedures is much more than simply writing down some rules.

It’s difficult to create policies and procedures.

But it’s extremely difficult! Yes, but also no. Most businesses that do not have mature policies and procedures are doing fairly well; otherwise, they would not be in business. It’s certainly easier to define security from the start, but that doesn’t mean it can’t be simple to start with what you’re doing now and refine it later.

Sometimes, the real objection isn’t how difficult it is to write down policies and procedures, but how afraid most people are of writing down how they’re doing things incorrectly. Begin with where you are, and then be realistic about where you want to go. You may not be keeping up with best practices in some areas, but if you let embarrassment keep you from putting policies in writing, you’re missing the point. Knowing exactly what you’re doing now allows you to determine what you should be doing tomorrow. It’s how you can create a real budget, identify real enterprise risks, and respond effectively when something goes wrong.

But no worries, we’ll deep dive into these things later.

Incident management

The goal of the incident management procedure is to restore normal service operation as soon as possible and to minimize the negative effect on business activities while maintaining agreed-upon standards of service quality. The incident management process’s goals are to do the following:

  • Ensure that standardized processes and procedures are utilized for effective and timely incident response, analysis, recording, continuous improvement and reporting
  • Increase incident visibility and communication to business and IT support personnel
  • Improve the business view of IT by taking a professional approach to addressing and communicating problems as they might arise
  • Align incident management efforts and priorities with business priorities
  • Maintain satisfaction among users with IT service quality

So, we conclude a very rapid journey on the essential topics concerning governance. Let’s move on to an interesting topic, differences of NIST.

Differences between ISO 27001 and NIST

As it has fewer controls to implement, and since there’s no control over it (NIST doesn’t have a certification scheme), NIST is considered somewhat less mature; also, as it is backed by the US government and not an international committee, it is not considered much outside the US. But if you like plain instructions and don’t want to spend a fortune, at least in the beginning, it can be a good idea to use NIST. Finally, it is possible to get the best of both worlds by implementing both at the same time.

What’s NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency founded in 1901 that develops technology, standards, and metrics to drive innovation in the US science and technology sectors. NIST is headquartered in Gaithersburg, Maryland.

NIST publishes the Special Publication 800 series, which contains guidance documents and recommendations. As part of the previous series, they released Special Publication 800-53, which catalogs 20 security and privacy control groups. NIST recommends that entities implement these security and privacy controls as part of their risk management strategies. These controls cover access control, security awareness training, incident response plans, risk assessments, and continuous monitoring.

The NIST compliance framework was developed to provide a customizable guide for entities on how to manage and reduce cybersecurity-related risks. In its guide, NIST combines existing standards, guidelines, and best practices. However, it is critical to understand that simply adhering to NIST guidelines will not make your entity 100% secure, which is why the NIST guidelines begin by instructing entities to use a value-based approach to protect their assets.

The NIST Cybersecurity Framework (CSF) is a voluntary (recommended by the Department of Commerce) cybersecurity framework that allows businesses to develop information security, risk management, and control programs. NIST standards are now used in fields ranging from nanotechnology to cybersecurity. Through an executive order in 2013, NIST was tasked with developing a cybersecurity framework, and in February 2014, it published version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1 was released to the public in April 2018.

The CSF is one of NIST’s voluntary programs that is based on existing standards and guidelines and is designed to assist entities in better managing and reducing cybersecurity risk. The CSF is presented in a 48-page document that details various cybersecurity activities and desired outcomes that entities can use to assess their cybersecurity risk, risk maturity, and information security infrastructure.

What is the purpose of the NIST CSF?

The CSF has three major components, the framework core, implementation tiers, and profiles, all of which are designed to help you benchmark your entity’s risk maturity and prioritize actions to improve it.

At its core, it has five functions: identify, protect, detect, respond, and recover.

Figure 1.2 – The five functions, NIST

Figure 1.2 – The five functions, NIST

While the CSF focuses on cybersecurity issues, these activities are common in most risk management systems. The functions are further subdivided into 23 categories that cover the fundamentals of putting together a cybersecurity program.

The CSF has implementation tiers. For each of these five functions, the NIST CSF employs a ranking system on a scale of 0-4 to generate a final number that can be used to benchmark an entity’s level of risk maturity.

A profile, which is based on a tier, allows an entity to pinpoint its current level of risk tolerance and prioritize security controls and risk mitigation tactics. This section is intended to assist an entity in growing by comparing its current profile to target profiles, thereby assisting you in determining how to allocate budget and employee resources to improve cybersecurity practices over time.

What are the parallels between ISO and NIST?

When comparing NIST CSF and ISO 27001, both provide strong frameworks for cybersecurity risk management. It would be simple to integrate ISO 27001 standards and NIST CSF into a company that wants to become ISO 27001 compliant. Their control measures are comparable, and their definitions and code are fairly interchangeable across frameworks. Both frameworks provide simple vocabulary, which enables clear communication about cybersecurity issues across multidisciplinary teams and with external stakeholders.

What’s the distinction between ISO and NIST?

There are a few key differences between NIST CSF and ISO 27001, including risk maturity, certification, and cost.

Risk maturity

ISO 27001 is a good choice for operationally mature entities seeking certification, whereas the NIST CSF may be best for entities in the early stages of developing a cybersecurity risk management plan or attempting to mitigate previous failures or data breaches.

ISO 27001 certification provides globally recognized certification through third-party auditing, which can be costly but can improve your entity’s reputation as a business that stakeholders can rely on. The NIST CSF does not provide such certification.

Cost

The NIST CSF is free to use, whereas ISO 27001 requires a fee to access the documentation—another reason why a start-up might want to start with the NIST CSF and then make a larger investment in the process as it scales with ISO 27001.

NIST versus ISO – which is better for my company?

Finally, what is best for your company is determined by its maturity, goals, and specific risk management requirements. ISO 27001 is an excellent choice for operationally mature entities that are under external certification pressure. However, you may not be ready to embark on an ISO 27001 certification journey just yet, or your entity may be at a stage where it would benefit from the NIST CSF’s clear assessment framework. A NIST audit can provide you with an idea of where your entity stands before developing and implementing more stringent cybersecurity measures and controls.

As your entity matures, the two frameworks can be integrated—following the NIST CSF can be a useful precursor to your ISO 27001 certification journey. The NIST CSF provides a framework for growing entities to structure their Information Security (IS) risk assessments. If you already have these structures in place, you may want to pursue ISO security and compliance certifications. A proactive and efficient ISMS benefits from the right software, whether you’re starting with NIST CSF or growing with ISO 27001.

Summary

In this chapter, we spent some (hopefully useful) time understanding the basics of cybersecurity. We had a walk-through of ISO 27001 and 27002, then we discussed the definition of the CIA triad, alongside the definition of confidentiality, integrity, and availability, using some examples to better understand these concepts. Then, we had a look at information security concepts and definitions. We had a glance at governance, policies, and incident management. Then, we moved on to the NIST CSF and how ISO 27001 and NIST can be used at once.

In the next chapter, we will talk about ISMS, commitment, project management, context, scope policy, and objectives. We will look at how to identify, protect, detect, respond, and recover and ponder the question can ISO27001nd NIST coexist?

Left arrow icon Right arrow icon

Key benefits

  • Comply with cybersecurity standards and protect your data from hackers
  • Find the gaps in your company's security posture with gap analysis and business impact analysis
  • Understand what you need to do with security and privacy without needing to pay consultants

Description

Cybercriminals are incessantly coming up with new ways to compromise online systems and wreak havoc, creating an ever-growing need for cybersecurity practitioners in every organization across the globe who understand international security standards, such as the ISO27k family of standards. If you’re looking to ensure that your company's data conforms to these standards, Cybersecurity and Privacy Law Handbook has got you covered. It'll not only equip you with the rudiments of cybersecurity but also guide you through privacy laws and explain how you can ensure compliance to protect yourself from cybercrime and avoid the hefty fines imposed for non-compliance with standards. Assuming that you're new to the field, this book starts by introducing cybersecurity frameworks and concepts used throughout the chapters. You'll understand why privacy is paramount and how to find the security gaps in your company's systems. There's a practical element to the book as well—you'll prepare policies and procedures to prevent your company from being breached. You’ll complete your learning journey by exploring cloud security and the complex nature of privacy laws in the US. By the end of this cybersecurity book, you'll be well-placed to protect your company's data and comply with the relevant standards.

Who is this book for?

If you’re a seasoned pro with IT security and / or cybersecurity, this book isn’t for you. This book is aimed at novices, freshers, students, experts in other fields, and managers, that, are willing to learn, understand, and manage how a security function is working, especially if you need to be. Although the reader will be able, by reading this book, to build and manage a security function on their own, it is highly recommended to supervise a team devoted to implementing cybersecurity and privacy practices in an organization.

What you will learn

  • Strengthen the cybersecurity posture throughout your organization
  • Use both ISO27001 and NIST to make a better security framework
  • Understand privacy laws such as GDPR, PCI CSS, HIPAA, and FTC
  • Discover how to implement training to raise cybersecurity awareness
  • Find out how to comply with cloud privacy regulations
  • Examine the complex privacy laws in the US

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Dec 16, 2022
Length: 230 pages
Edition : 1st
Language : English
ISBN-13 : 9781803242415
Category :
Languages :
Concepts :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Dec 16, 2022
Length: 230 pages
Edition : 1st
Language : English
ISBN-13 : 9781803242415
Category :
Languages :
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 143.97
Digital Forensics and Incident Response
$54.99
Cybersecurity and Privacy Law Handbook
$51.99
An Ethical Guide to Cyber Anonymity
$36.99
Total $ 143.97 Stars icon
Banner background image

Table of Contents

16 Chapters
Part 1: Start From the Basics Chevron down icon Chevron up icon
Chapter 1: ISO27001 – Definitions and Security Concepts Chevron down icon Chevron up icon
Part 2: Into the Wild Chevron down icon Chevron up icon
Chapter 2: Mandatory Requirements Chevron down icon Chevron up icon
Chapter 3: Data Protection Chevron down icon Chevron up icon
Chapter 4: Data Processing Chevron down icon Chevron up icon
Chapter 5: Security Planning and Risk Management Chevron down icon Chevron up icon
Part 3: Escape from Chaos Chevron down icon Chevron up icon
Chapter 6: Define ISO 27001 Mandatory Requirements Chevron down icon Chevron up icon
Chapter 7: Risk Management, Controls, and Policies Chevron down icon Chevron up icon
Chapter 8: Preparing Policies and Procedures to Avoid Internal Risk Chevron down icon Chevron up icon
Chapter 9: Social Engineering, Password Guidance, and Policy Chevron down icon Chevron up icon
Chapter 10: The Cloud Chevron down icon Chevron up icon
Chapter 11: What about the US? Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
(2 Ratings)
5 star 50%
4 star 0%
3 star 0%
2 star 0%
1 star 50%
Luca Intini May 26, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book offers profound insights into cybersecurity, touching upon the most pressing challenges of our times, such as cloud computing and GDPR concerns. The in-depth discussion on the seven pain points of cloud computing, including reduced visibility, compliance violations, and the absence of a cloud security strategy, makes this book an essential read for anyone looking to safeguard their digital presence.Rocchi's lucid style allows readers to grasp intricate concepts quickly, making the complicated world of cybersecurity law more accessible. The author dives deep into intricate details and challenges, offering actionable steps to protect against security threats. For instance, the importance of maintaining visibility in a cloud-based ecosystem, understanding compliance requirements, or implementing a robust cloud security strategy is examined in-depth.In a memorable chapter on the cloud, Rocchi insightfully notes, "An asset in the cloud may not be visible. And if it is not visible, it cannot be protected, increasing the likelihood of data loss and data breaches." This simple but powerful statement epitomizes the book's essence – encouraging a proactive approach towards managing cybersecurity risks.The book's structure, divided into accessible chapters dealing with a specific topic such as ISO27001, Data Protection, Risk Management, or The Cloud, allows readers to digest the content at their own pace. It can serve as a comprehensive guide to be read cover to cover or as a reference book to consult when facing specific cybersecurity dilemmas."Cybersecurity and Privacy Law Handbook" is a timely resource no business leader, IT professional, or engaged digital citizen can afford to miss. As we plunge deeper into the digital era, understanding the complexities of cybersecurity and privacy law is no longer optional but vital. Kudos to Walter Rocchi for creating such a practical, comprehensive, and highly readable handbook.
Amazon Verified review Amazon
Mr C Mar 29, 2023
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
I didnt find this book very helpful.I would not recomend this book to myself what so ever.If I hadnt wasted a bunch of highlighter ink on it already, I would ask for a refund.There's also a part about internal dating being kept secret...in Canada that's a lawsuitlooks like I need an actual cyber security and privacy law textbook because theres absolutely nothing in here.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.