The technical specification for assessing information security controls has been updated to align with new editions of other complementary information security standards—namely ISO/IEC 27000, ISO/IEC 27001, and ISO/IEC 27002.
ISO/IEC TS 27008, Information technology – Security techniques – Guidelines for the assessment of information security controls, provides guidance on assessing information security controls to confirm that they are fit for purpose, effective, efficient, and in line with the objectives of the organization.
ISO/IEC TS 27008, developed jointly by ISO and the International Electrotechnical Commission (IEC), complements the information security management system (ISMS) requirements defined in ISO/IEC 27001. The technical specification can benefit organizations of all types and sizes, including public, private, and not-for-profit organizations.
Prof. Edward Humphreys, leader of the working group that developed ISO/IEC TS 27008, said the technical specification will help organizations assess and review the controls they currently operate as part of their ISO/IEC 27001 implementation.
“In a world where cyber attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization’s business processes,” Humphreys said.
“ISO/IEC TS 27008 can help give organizations confidence that their controls are effective, adequate and appropriate to mitigate the information risks the organization faces.”