Layer 1 Cybersecurity Management System - ISO 27001 clauses 4 – 10
Layer 2 Policy, Organizational Design, Legal Obligations, Asset Management
Layer 3 - Human Resources
Layer 4 - Incident Management
Layer 5 - Access Control
Layer 6 - Physical & Environmental
Layer 7 - Systems Acquisition, Development &
Maintenance
Layer 8 - Communications and Operations
Management
Layer 9 - Business Continuity
Management
THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC USE

Layer
1
2
3
4
5
Rationale /Description
The overarching management system is necessary to coordinate tactical activities with strategic direction. Without a management system the organizations efforts to prevent breaches, mitigate known vulnerabilities, identify and eradicate threats is isolated. The management system includes establishing governance by defining roles and responsibilities for the program, scoping to identify facilities and assets in scope of the program, risk management and assessment, legal obligations defined within applicable statutes, regulations and internal /external facing contracts, and continual improvement. Without this program to guide and oversee the organization with Cybersecurity program the potential of new exposures arising due to the lack of coordination is highly probable. [Ref. ISO27k clauses 4 - 10]
Legal Obligations defined within statutes, regulations and contractual obligations set the baseline for early risk management programs. The organizational policy establishes managements expectations for employees conduction business. Organizational Design helps to define the human resources needed to carry out work. Asset Management helps scope the risks which the organization is immediately exposed to. [Ref. ISO27k clauses A.5, A.6, A.8 and A.18]
Once Organizational Design has completed it is now Human Resources responsibility to recruit and hire. In some organizations HR is also responsible for contractor sourcing. The ongoing recruitment, maintenance, security background checking, disciplinary action, and voluntary /involuntary terminations. [Ref. ISO27k clause A.7]
Before Incident Management can be successfully executed in-house a the overarching program needs to be established to define governance, roles /responsibilities, for the handling of incidents. Security incidents that occur without a program normally end internally with a termination and if it occurs from an external source federal or regional law enforcement gets the call. [Ref. ISO27k clause A.16]
Normally Access Control begins to be implemented from the first time that a computer, wireless router or server is turned on. These actions are often done based on best practices and not based on a risk assessment. This approach is managed in isolation of an overarching central point of control and can expose the organization to more risks. To provide assurance of Access Control must be implemented based on risks to the organization and security standards based on risk mitigation activities. [Ref. ISO27k clause A.9]
6
7
8
Similarly to Access Control - Physical & Environmental security begins to be implemented from the first time that someone walks into the front door, or a shipment of goods are received. However these actions are often done based on best practices and not based on a risk assessment. This approach is managed in isolation of an overarching central point of control and can expose the organization to more risks. To provide assurance of Physical & Environmental must be implemented based on risks to the organization and security standards based on risk mitigation activities. [Ref. ISO27k clause A.11]
At layer 7 deeper integration of service management best practices for procurement and contract management would be necessary. The associated risk mitigating controls defined within ISO 27001 Information Systems Acquisition,
Development & Maintenance, Suppliers help by identifying the most common areas of risk within these processes. [Ref.
ISO27k clauses A.14, A15 and A.16]
At layer 8 the integration of risk mitigating controls addressing the most common process vulnerabilities within
Communications and Operations Management are identified and executed. This layer further strengths the overall DiD by ensure that internal and external telecommunication risks are addressed with the use of technology like Cryptography. This layer also addresses the human side of security by formalizing procedures and standard for the operations teams. [Ref.
ISO27k clauses A.10, A.12 and A13]
9
At layer 9 we establish the propagation of operational knowledge and the establishment of a fall back plan should the organization lose its data or customers lose access to the organizations services. We accomplish the mitigation of related vulnerabilities and risks by establishing a Business Continuity Management process and plan. [Ref. ISO27k clause A.17]
THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC USE