ISO 27001 certification is now a must for many organisations, especially those that gather and store large volumes of sensitive data.

This globally recognised certification can be granted to businesses in a wide range of industries, and at CRMG we had the pleasure of working with an international law firm specialising in construction and insurance law in its effort to apply for and achieve ISO 27001 certification.

The company was mature in its approach to cybersecurity but knew it had work to do if it was to meet the requirements needed for approval.

An essential step in achieving ISO 27001 certification is having an Information Security Management System (ISMS) that applies to the enterprise and covers offices, people, assets and third parties. When the company approached us, it did not have an ISMS in place.

There were other challenges to overcome, too. The geographies in the scope of the company’s ISMS were diverse with each having its own local business demands and different levels of cybersecurity maturity. There was also a need to highlight the benefits of gaining commitment and motivation for certification from the different business units.

To learn more about how CRMG worked with the international law firm to support its ISO 27001 certification, and the result of the collaboration, read the full case study below.

➡️ CRMG Case Study

The Cyber Threat Landscape is Multifaceted and Indiscriminate

Cybercriminals take many forms… it could be nation-states seeking to undermine their adversaries’ critical infrastructure, or organised criminal gangs deploying ransomware on an industrial scale. It may be unscrupulous companies trying to steal a march on their competitors, or even youngsters who do it for the thrill.

While it’s true that many cyber-attacks are targeted at high-profile organisations (look at recent events in the UK retail sector) or national capabilities (e.g. power infrastructure), many are indiscriminate. Cyber criminals can now simply buy ransomware/phishing ‘toolkits’ on the dark web, enabling them to try their luck across a vast array of individuals and organisations. No targeting needed. They just need enough individuals to be fooled by their techniques to justify the outlay.

And don’t forget about sheer accident (or incompetence). Many cyber incidents are down to internal mistakes or poor processes. The recent Crowdstrike incident, which affected many of the world’s IT systems in one fell swoop, is a great example.

A significant misconception is that many assume cybersecurity is a technical problem. Increasingly, it’s a people problem (in crude terms, I’d estimate it at 50% – at least). Why? Because cyber-attacks prey on people, and because strong cybersecurity still relies heavily on people to do the right thing, at the right time.

Vision 2030 Demands Strong Cybersecurity, Backed by Wide-Reaching Regulations

When it comes to the drive towards a cyber-secure society in KSA, the government is leaving nothing to chance. Against the backdrop of Vision 2030 and the National Cyber Security Strategy (NCSS), many organisations are already subject to the National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls (ECC) and related standards. In addition to this, many sectors are regulated by their own stringent cybersecurity regulations. Examples include the Saudi Monetary Authority’s Cyber Security Framework, the Capital Markets Authority’s (CMA) Cybersecurity guidelines and the Cybersecurity Regulatory Framework (CRF) for IT service providers.

Given the swift pace at which strong cybersecurity governance is being developed at the national level, it is likely that the role of cybersecurity regulation in KSA will continue to expand. If they aren’t already ‘all over it’, organisations should start preparing now!

As a side note, many of the current cybersecurity laws and regulations have overlapping requirements, which brings its own difficulties.

For the reader who understands cyber security control frameworks, you may find our recent blog on the topic, ‘Cracking the Code: Understanding Harmonised Cyber Security Control Frameworks,’ helpful. We also offer a dedicated Harmonised Control Library service to help organisations align compliance obligations with real-world operational needs.

Strong Cyber Risk Management is Non-Negotiable

Compliance with cybersecurity regulations is only part of the picture.

Ultimately, to remain viable, our approach to cybersecurity should align with our strategy to risk, in terms of our business risk appetite, our cyber threat profile, the degree to which we are vulnerable, and the resources available for cybersecurity. While much of this will inherently be centred on our own organisation, we mustn’t forget that our organisation may, in turn, be systemically important to others, so fit-for-purpose risk management can get complex.

The possible ‘leakage’ of cyber risk between suppliers and their clients (and vice versa) is key here. We no longer live in a world where we can put our metaphorical arms around the entirety of our organisation and protect it as we see fit. Interconnectivity between organisations is a reality of the modern world, and so we mustn’t forget that what is my cyber risk may also be your cyber risk. Cyber risk management techniques (and regulations) are increasingly focusing on this aspect.

Cyber Regulatory Compliance and Risk Management are Slowly Converging

Cybersecurity regulation and risk management are slowly converging. Emerging regulations – such as the EU’s NIS2 and the UK’s forthcoming Cyber Security and Resilience Act – require that your organisation’s cyber risk profile should shape how you comply with the regulation. One reason for this is that if every organisation were to apply every aspect of every cybersecurity regulation with the same degree of rigour, bottom lines would soon be creaking, which in turn would undermine economic growth.

Note that these same regulations also require you to consider your own systemic importance to other organisations (such as providers of financial services) and to have cyber risk oversight of your suppliers. In short, you must be able to demonstrate that you have applied a rigorous risk assessment technique, can evidence results of the risk assessment process, and have arrangements in place to monitor your cyber risk profile over time.

When it comes to this risk-based dimension to cybersecurity and its relationship with cyber regulation, there is every indication that KSA will follow suit.

Defining Cyber Resilience under the CRA

Cyber resilience under the CRA goes beyond traditional cyber security. It encompasses an organisation’s ability to prepare for, withstand, recover from, and adapt to adverse cyber events. At its core, the CRA aims to ensure that businesses can defend against attacks, maintain critical functions during disruptions and recover swiftly.

Key Principles:

1. Proactive risk management: Organisations must identify and mitigate vulnerabilities before they can be exploited.
2. Secure product development: Ensuring cyber security is embedded throughout the product lifecycle.
3. Incident readiness: Establishing protocols for swift detection, containment, and recovery from cyber incidents.
4. Accountability: Clear documentation and demonstration of compliance efforts to regulatory bodies.

By adopting these principles, businesses can create a culture of resilience that satisfies regulatory demands and builds trust with stakeholders.

Ryan Hides, Senior Consultant at CRMG, notes: “CRA compliance is not just a tick-box exercise. It’s about embedding resilience into your organisation’s DNA, ensuring you can weather the storm and emerge stronger.”

Implementing Secure Development Lifecycles (SDLCs)

The CRA places significant emphasis on the security of software and systems, mandating organisations to integrate cyber security considerations into their development processes. A Secure Development Lifecycle (SDLC) is essential for achieving this.

Steps to Implement SDLC:

1. Implement secure development practices, version control, and quality management measures into all system development processes, including agile iterations. Ensure the use of code management, secure coding techniques, and iterative code reviews.
2. Create a set of Project Initiation Documents (PID) for each development project, addressing essential project management elements such as scope, costs, timelines, quality, benefits, project risks, and acceptance criteria. Support each project with a documented set of project plans, based on approved functional and non-functional business requirements, including information security.
3. Adhere to a stringent process for releasing and deploying new or updated systems and applications to the production environment. Ensure they undergo thorough testing, including security checks, and meet strict acceptance criteria.

“A robust SDLC doesn’t just enhance security; it also improves the overall quality and reliability of software. This dual benefit is invaluable in today’s digital economy.”

– Simon Rycroft, Co-Founder CRMG

Risk Management Strategies for CRA Compliance

Effective risk management is a cornerstone of cyber resilience and a critical requirement under the CRA. Organisations must adopt structured methodologies to identify, assess, and mitigate risks.

Best Practices:

1. Conduct regular evaluations to identify vulnerabilities, threat actors, and potential impact.
2. Use frameworks like NIST or ISO 27001 to prioritise risks based on likelihood and severity.
3. Assess and monitor the security posture of suppliers and partners to minimise supply chain risks.
4. Develop and implement detailed plans to address identified risks, including technical controls and organisational measures.
5. Leverage tools and dashboards to maintain real-time visibility into your risk landscape.

By adopting a risk-based approach, organisations can allocate resources effectively and ensure that their security investments yield maximum impact.

Integrating Continuous Security Testing and Incident Response Protocols

In the face of evolving cyber threats, continuous security testing and well-defined incident response protocols are indispensable for maintaining resilience. These measures fortify defences and enable organisations to respond effectively when incidents occur.

Continuous Security Testing:

Rigorous security testing must be performed on a regular basis on critical target environments, including both systems under development and live systems. Testing the security of these environments must include determining the effectiveness of security controls, performing specific attack tests to identify weaknesses, using test data, resolving identified security weaknesses, threat intelligence, and root cause analysis of security incidents.

The use of reputable sources for common security-related software weaknesses, such as the OWASP Top 10 Web Application Security Risks, SANS/CWE Top 25 Programming Errors & MITRE ATT@CK Framework is highly recommended.

Incident Response Protocols:

Develop an information security incident management framework that encompasses a documented process, specialised personnel or teams, relevant information, and tools. Consistently identify, respond to, recover from, and follow up on information security incidents.

The forensic investigation of information security incidents or events is important to identify perpetrators and preserve evidence. It is essential to be prompt and effective in testing, reviewing, and applying emergency fixes to business applications, systems, networks, and endpoint devices.