As work gets under way in earnest on developing the Security Controls Framework for the GB smart metering programme, businesses looking to take part should be aware of a potential issue around risk.
While the detail of the framework is still to be finalised by the Competent Independent Organisation (CIO), under the Smart Energy Code users will have responsibilities to identify and manage the risk of compromise of any assets which will be involved in the smart metering programme.
In practice that will mean complying with the ISO 27005 information security risk management standard, or an equivalent, whilst also operating a User Information Security Management System (UISMS) that meets the ISO 27001:2013 standard.
Higher skill set required
For smaller organisations in particular, that poses a challenge. While an experienced internal risk or compliance manager may well be able to deal with the requirements of ISO 27001, ISO 27005 is altogether more complex.
While many organisations nowadays find using the related ISO 31000 standard for their risk management relatively straightforward given its broad approach, ISO 27005’s very specific requirement that organisations be able to identify threats and vulnerabilities means a higher skill set is needed.
The standard outlines a generic risk assessment process and provides guidance on qualitative and quantitative approaches, but leaves the choice of risk assessment techniques down to the business.
The risk assessment needs to address the security threats to an organisation’s information assets as well as vulnerabilities and impacts. Although examples of threats and vulnerabilities are included in the lengthy annexes to the standard, it is in interpreting these that difficulties may arise.
For one thing, many of the terms used will be unfamiliar to those accustomed to broader risk management.
Government guidance highlights challenge
The issue is highlighted in guidance on information risk management provided to the UK Government by CESG, the definitive voice on the technical aspects of information security in Government. It points out that most organisations will need to use external resources to align ISO 27005 with their operations and with any existing risk assessment techniques in place.
“Given the broad and generic nature of the guidance, specialist skilled resources will be needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards,” the guidance points out.
It isn’t just smaller organisations which may find complying with ISO 27005 a challenge.
While larger organisations may well have the internal expertise in place across different departments, being able to pull it all together into a coherent system to meet the requirements may not prove straightforward.
Given the potential business impact of organisations not being able to meet the requirements of the Security Controls Framework, the ISO 27005 issue is one which should be addressed sooner rather than later.
If you would like to find out more about ISO 27005 or how we can help you, please do not hesitate to get in touch with us.