ISO 27001 ISMS Audit vs Cyber Tabletop Exercise Assessment
Date: 6 May 2020
In this blog, I share why our clients who do ISO 27001 audits are adding cyber tabletop exercise audits to their audit schedules.
Many of our clients who have been doing ISMS audits and other IT-control assessments are now adding audits of cyber tabletop exercises to their audit schedules. These cyber incident response audits let them assess their breach-readiness, giving insight into their ability to respond to a cyber-attack and how ready they are to do so.
In this easy-to-read cybersecurity blog, we offer a simple explanation of why you too should consider including our breach-readiness cyber tabletop exercise audit in your regular ISO 27001 or ISMS audit schedule. (FYI, we refer to these as Cyber Crisis Tabletop Exercises or CCTEs.)
Why do you do an ISMS audit?
Cyber Management Alliance has a large network of global CISOs and cybersecurity executives, and we asked them a simple question. To summarise their answers, the reasons they do ISMS audits and/or other IT-security control audits are:
- No choice: If you are ISO certified, you have to run a yearly audit. No two ways about it. Your certification depends on it.
- Internal audit requirements: For those who don't have a compulsory certification bearing down on them, it's the organisation's internal audit department with its schedule. Again, not much choice there.
- Common sense: It's just common sense to appraise and assess whether or not the cybersecurity controls, processes and procedures you have in place are effective and working.
So, do I stop my ISO 27001 audits?
Let's start by asking two more questions before we answer the one above.
- Does your organisation's ISMS audit, or other cybersecurity or IT-controls audit, give you any indication of how ready your organisation is for a cyber-attack?
- Do you know how key stakeholders, such as your crisis management team executives and IT staff, will perform under the pressure of, and in the midst of, a cyber-crisis?
So, my answer to the question of whether to stop your ISMS audits: no. However, it is our opinion that you must include cyber tabletop exercise audits in your schedule from this year onward. Why? Read on.
Why You Should Audit Your Cyber Incident Response Capabilities
Yes, an ISO 27001 audit gives you visibility of the effectiveness of your roughly 100 Annex A controls, but it stops there. Annex A does include incident management controls, but an audit checks that the incident response process is documented and in operation, not that the people who own it can execute it under pressure. An ISO 27001 audit therefore does not answer the two questions we asked earlier.
An ISMS audit or generic IT-control audit gives you little or no clear insight into your organisation's breach-readiness: its ability and capability to rapidly respond to and recover from a cyber-attack.
Carrying out a Breach Readiness Assessment
Before you do anything, you must decide whether the cyber tabletop exercise is for management participants (the crisis management team) or for technical attendees, since the scenario, injects and measures differ for each. Next:
- Plan it: You need to spend some time planning your tabletop workshop.
- Scenarios: You need to know what scenario you want to address in the cyber tabletop exercise.
- Threats and adversaries: You need to know what threat you are going to use in the scenario, and you also need to understand which threat actors you are going to use in your narrative.
- Participants: You need to spend time ensuring the right people attend the cyber incident response workshop.
Finally, you need an experienced facilitator who can hold your audience and engage with the participants. We discuss this more in our blog here.
Measure Your Cyber Crisis Tabletop Exercise
Once you have all your ducks in a row and you have the suitable participants, you need to ensure that you measure what takes place during the actual cyber response exercise. What does that mean? It is our experience and opinion that a properly run cyber response test provides tremendous insight into how the participants will actually perform in a real cyber crisis, but only if someone is recording what was decided, by whom, how quickly, and what was missed, rather than relying on impressions afterwards.
At CM-Alliance, we have the expertise, the experience and the requisite skills to support you in hosting a productive and effective cyber crisis tabletop exercise. We work with you on planning, creating scenarios, producing the scripts and artefacts, and running the actual workshop. We can run a complete cyber tabletop exercise virtually using Zoom, Microsoft Teams or Google Meet (previously known as Hangouts).
Importantly, we will present you with a formal audit report of the exercise that provides important data, including a cyber breach-readiness score that gives a good indication of how ready you are to respond to the specific cyber-attack scenario exercised.