Barnes Projects

ISO 27k Standards and the Lack of Cyber Threat Categorization

The ISO/IEC 27000 series of standards is widely recognized for its comprehensive approach to information security management. However, the recent inclusion of "cybersecurity" in the titles and descriptions of these standards has not been accompanied by a corresponding increase in the granularity of cyber threat categorization. This paper compares the ISO standards with the "10 Top Level Cyber Threat Clusters" framework proposed in the white paper by Bernhard Kreinz, highlighting the need for a more structured approach to cyber threat management.

ISO/IEC 27001:2022 and ISO/IEC 27005:2022

The ISO/IEC 27001:2022 standard provides requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Similarly, ISO/IEC 27005:2022 offers guidance on managing information security risks. Both standards incorporate the term "cybersecurity" to reflect the evolving threat landscape. However, a closer examination reveals several shortcomings:

  1. Absence of Core Definitions: The standards do not provide explicit definitions for fundamental terms like "cyber risk" and "cyber threat." This omission leaves practitioners without clear terminology baselines, making it challenging to develop targeted mitigation strategies.
  2. Lack of Threat Differentiation: There is no clear distinction between traditional information security threats and cyber-specific threats. This lack of differentiation can lead to confusion and ineffective risk management strategies.
  3. Missing Cyber Threat Characteristics: The standards do not outline the specific attributes or characteristics that would classify a threat as a "cyber" threat. This gap makes it difficult to categorize cyber threats distinctly.
  4. Title-Content Misalignment: While "cyber" appears prominently in the titles, the content does not substantively develop or explore cyber-specific concepts. This misalignment can lead to a superficial understanding of cyber threats.
  5. Incomplete Control-Threat Mapping: Although ISO/IEC 27005 explicitly requires the identification of threats before identifying controls, neither it nor ISO/IEC 27002 provides a comprehensive control-threat mapping. This gap leaves organizations without clear guidance on which controls effectively address specific threats.

The 10 Top Level Cyber Threat Clusters Framework

In contrast, the "10 Top Level Cyber Threat Clusters" framework proposed by Bernhard Kreinz offers a structured approach to cyber threat categorization. This framework identifies ten distinct threat clusters, each representing a unique aspect of cyber risk based on underlying vulnerabilities. The clusters include:

  1. Abuse of Functions
  2. Exploiting Server
  3. Exploiting Client
  4. Identity Theft
  5. Man in the Middle
  6. Flooding Attack
  7. Malware
  8. Physical Attack
  9. Social Engineering
  10. Supply Chain Attack

This framework provides a clear cause-oriented view that supports practical risk management. Each cluster specifies the type of vulnerability being exploited and the methods commonly associated with the threat, enabling a more systematic application of preventive and reactive controls.

Comparative Analysis

  1. Structured Categorization: The 10 Top Level Cyber Threat Clusters framework offers a structured categorization of cyber threats, which is lacking in the ISO standards. This structured approach allows for a more targeted and effective risk management strategy.
  2. Clear Definitions: The framework provides clear definitions for each threat cluster, addressing the absence of core definitions in the ISO standards. This clarity is crucial for developing targeted mitigation strategies.
  3. Practical Application: The framework's cause-oriented view supports practical risk management by specifying the vulnerabilities and methods associated with each threat cluster. This practical application is missing in the ISO standards, which focus more on general risk management principles.
  4. Comprehensive Coverage: The framework covers a wide range of cyber threats, providing a comprehensive view of the cyber threat landscape. In contrast, the ISO standards offer a more general approach to risk management, which may not be sufficient for addressing the specific challenges of cyber threats.

Conclusion

While the ISO/IEC 27001:2022 and ISO/IEC 27005:2022 standards incorporate the term "cybersecurity," they lack the structured approach to cyber threat categorization provided by the "10 Top Level Cyber Threat Clusters" framework. This framework offers a more comprehensive and practical approach to cyber threat management, addressing the shortcomings of the ISO standards. Organizations seeking to enhance their cybersecurity posture should consider adopting a more structured framework for cyber threat categorization, such as the one proposed by Bernhard Kreinz.

By doing so, they can develop more effective risk management strategies that address the specific challenges of cyber threats, ultimately leading to a more robust and resilient cybersecurity posture.

PROJECT REFERENCE: Cyber Threat Clusters

EXTERNAL REFERENCE: ISO 27k Series - Edition 2022

No additional updates are scheduled at this time. Last update: concept check with Mistral Le Chat, 24/11/2024