The International Chamber of Commerce (the “ICC”) has released a new cyber security guide for business, the ICC Cyber Security Guide for Business (the “Guide”). The Guide was inspired by the Belgian Cyber security guide and aims to assist businesses in identifying and managing cyber security risks.
The Guide is made up of the following four main areas:
- Principles: Five principles to steer development of an organisation’s cyber security risk management activities.
- Actions: Six essential actions to optimise cyber security systems, including backing up information; keeping IT systems up to date, training staff on security issues; monitoring for security breaches; layering security defences to reduce risk and making contingency plans to deal with breaches.
- Implementation: Ways in which the principles can be implemented into policies.
- Self-Assessment: A security self-assessment questionnaire, to allow businesses to evaluate the current state of their cyber security management and to identify ways in which it can be improved, in accordance with the guidance in the preceding sections.
The five principles to steer development of an organisation’s cyber security risk management activities set out in the guide are:
- Focus on the information, not on the technology: This principle encourages business to focus on protection of their most valuable information and systems where loss of confidentiality, integrity or availability would seriously harm the company.
- Make resilience a mind-set: This principle is about ongoing assessment of the company’s resilience to cyber threats.
- Prepare to respond: This principle encourages the development of organisational response plans in addition to technical response measures.
- Demonstrate a leadership commitment: This principle is about business leaders being seen to be supportive of risk management activities, including by allocating adequate resources (both financial and human resources) to protection of company assets.
- Act on your vision: This is about translating the company’s vision for cyber security risk management into practice by ensuring the company has in place appropriate information security policies.
The Guide takes a pragmatic approach and sets out some useful basic tips for businesses to consider. In practice we suspect that in terms of the actions most large companies are already acting in the manner envisaged by the Guide therefore, in this regard it will be of more use to SMEs.
However, in terms of the key principles for development of an organisation’s cyber security risk management activities, these principles will be of interest to SMEs and large organisations. Principles such as “demonstrate a leadership commitment” and “make resilience a mind-set” are about presenting a certain behaviour as regards the business’ stance on information security and will be of benefit to organisations of all sizes.