CST2530 Cybersecurity: Legal and Standardisation Aspects Report

Added on 2022/08/30

Summary
This report examines the legal and standardisation aspects of cybersecurity. Part A gives an overview of computer and information security laws, their aims, and international and national laws; it analyses the Computer Misuse Act 1990, the Fraud Act 2006 and the Malicious Communications Act 1988, and performs a gap analysis. Part B gives an overview of computer and information security standards, including the ISO/IEC 27000 family, with a focus on ISO 27001, describing the standards as a tool and examining their practical application and relationships. Part C covers the role and use of in-house security rules in meeting legal and best-practice requirements, together with relevant standardisation information.
Running head: LEGAL AND STANDARDISATION ASPECTS OF CYBERSECURITY
Legal and Standardisation Aspects of Cybersecurity
Name of the Student
Name of the University
Author Note
Table of Contents
Part A – Legal Aspects
  Overview of the Computer and Information Security Laws
  Aims
  Selection of Key Laws
  Gap Analysis
  Conclusion
Part B: Standardization Aspects
  Overview of computer and information security standards
  ISO/IEC 27000 family of standards
  The ISO/IEC 27000
  ISO27001, the information security management system standard
  An additional standard
  Conclusion - Future Cyber Security Standards
Part C: Process and Procedures
  The role and use of in-house security rules in meeting legal and best practice requirements
  Relevant standardisation information
References
Part A – Legal Aspects
Overview of the Computer and Information Security Laws:
Computer and information security laws are the rules and regulations enacted to protect computer systems and information systems (Kalman 2019). Their main aim is to protect the important and confidential information that resides within a computer system or an information system.
They are also known as cybersecurity regulations and share the aim of safeguarding computer systems and information technologies (Bada, Sasse and Nurse 2019). The laws pursue this aim by obliging organisations and companies to protect their systems and confidential information from cyberattacks such as worms, viruses, phishing, Trojan horses, unauthorised access and denial of service attacks (Layton 2016). Various measures can be implemented to protect against these kinds of attack.
These cybersecurity laws are developed with specific aims in mind. The primary aims of computer and information security laws are discussed below.
Aims:
- One of the primary aims of computer and information security laws is the prevention of unauthorised access to networks (Kushwaha et al. 2016).
- Creating awareness among citizens of cybersecurity issues is another aim of these laws.
- Advising and guiding people on the day-to-day legal issues that arise from their use of cyberspace (Weber and Studer 2016).
- These laws also aim to coordinate with the other stakeholders in the digital environment so that they can contribute to the evolving cyberlaw jurisprudence.
- Providing legal assistance and advice to people who have already been victims of the misuse of cyberspace applications and associated services (Anwar, Gill and Beydoun 2018).
International Laws and Harmonization:
Several international laws exist to protect against these cybercrimes. The first concerns the privacy and security of individuals. Under it, choice and control over the disclosure of information are directly tied to the freedom of individuals to define their actions and themselves. The central concept here is the right to privacy (Liu and Greene 2020): each individual has the right to protect their own privacy, and it should not be disclosed by anyone else without permission. The right to privacy of individuals is anchored in international human rights law.
Proper protection of an individual's data is also very important, as it includes much confidential and crucial data (Carey 2018). Personal data is protected under the right to privacy in international human rights instruments. The European Court of Human Rights can be presented as one example: it holds that email, telephone and internet usage data, all of which are stored on servers (Aletras et al. 2016), fall within the scope of protection of Article 8(1) of the European Convention on Human Rights.
Another important international law in this area is the Data Breach Notification Law. It requires an entity or individual affected by a data breach to notify the associated parties and customers. It also requires proper remedial steps to be taken, depending on the legislation of the state.
Harmonization of laws relates to the European Union and is the process of creating common standards across the internal market (Öberg 2018). Laws are harmonized with specific aims:
- Creating consistency among laws, standards and regulations so that the same rules apply to a business operating in more than one member state (Jintapitak and Liu 2017). In this way a business in one state cannot gain an economic advantage over businesses in another.
- Reducing the regulatory and compliance burden for businesses that operate nationally or transnationally.
National Laws:
At the national level there is also legislation for stopping and limiting the effects of cybercrime. One important national law is the Computer Misuse Act 1990, the main UK legislation dealing with attacks on or offences against any type of computer system (Montasari, Peltola and Carpenter 2016). Another UK law designed to stop cybercrime is the Fraud Act 2006, which applies to various cyber frauds by focusing on the underlying deception and dishonesty. In many cases cyberspace is also used to sell illegal items, generally through the Dark Web; in the UK the Criminal Law Act 1977 applies to this kind of situation. Malicious or offensive communication is also carried out through cyberspace and falls under one category of cybercrime (Cooper 2017); the Malicious Communications Act 1988 applies to such situations (Rowbottom 2017). There is also the Serious Crime Act 2015, which applies to situations such as cyber stalking and online harassment.
Selection of Key Laws:
Three key laws are considered here: the Computer Misuse Act 1990, the Fraud Act 2006 and the Criminal Law Act 1977. Each is described briefly in the following sections.
Computer Misuse Act:
The Computer Misuse Act 1990 is designed to deal with misconduct involving accessing or altering data stored within a computer system without proper authorisation (Guinchard 2017). It has been chosen because it is directly concerned with the security of information in computer systems.
The choice rests on the protection the law gives to computer systems, which is effective for this particular law.
The Act provides that unauthorised access to a computer system, and accessing or modifying its information, is a punishable offence.
It applies to a wide range of situations in which an attacker or hacker gains unauthorised access. Under this Act such attackers can be punished, which helps to reduce the overall number of cases.
The Act is effective because it carries various penalties. The minimum penalty is up to two years of imprisonment and a fine of 5,000 pounds (Karagiannopoulos 2016). Where the attacker causes extreme damage, the offender can face life imprisonment.
Fraud Act 2006:
The Fraud Act is not wholly concerned with cybercrime, but it has been chosen because it covers one important aspect of cybercrime, namely online fraud.
The law has been chosen for its applicability to minimising cyber frauds (Johnson 2018).
It provides that a person found guilty of committing fraud can be sentenced to imprisonment of up to twelve months or a fine.
It currently applies to three main areas, including obtaining services dishonestly and carrying on a fraudulent business, both of which can be done using cyberspace (Johnson 2018). Potential frauds can therefore be minimised by applying this law.
The law is quite effective at stopping frauds, including online frauds, because substantial penalties are attached to it. Penalties range from one year to twelve years of imprisonment.
Malicious Communications Act 1988:
The Malicious Communications Act 1988 has been chosen because it addresses malicious communication carried out through cyberspace (Williamson 2018).
It was chosen because it can effectively reduce malicious communication in an online environment.
The Act makes it illegal to send articles or letters to someone that can cause anxiety or distress, and this applies equally to the online environment (Rowbottom 2017).
It applies to minimising malicious communication.
A person found guilty under this Act can face a maximum of six months of imprisonment.
Gap Analysis:
The selected laws cover the protection of individuals against the misuse of cyberspace. The different laws can work together, as each covers a different area of cybercrime; if one individual violates more than one law, an additional fine should be levied. The laws discussed do not cover cyber trolling, where an individual is gratuitously insulted over cyberspace (Lumsden and Morgan 2018). International cooperation is not applicable here, as the current laws operate only at the national level; in this case harmonization of the laws is applicable. In future, the role of cybersecurity laws should be the protection of individuals' privacy and fraud-related concerns (Carron et al. 2016). These laws should also protect against cyber bullying and protect intellectual property. They can be very effective in this area if proper penalties are applied to offenders, and will surely reduce overall crime within cyberspace.
Conclusion:
From the above discussion it can be concluded that cybersecurity is an important aspect of the current environment, and that computer and information security laws play an important role within it. This part of the report first presented an overview of computer and information security laws relating to cybercrime, then discussed three current laws briefly, and finally carried out a gap analysis of those laws.
Part B: Standardization Aspects
Overview of computer and information security standards:
Computer and information security standards are an important means of ensuring the security and safety of computers. The security of computer and information systems is not optional; it is essential, and computer and information security standards play an important role in it (Peltier 2016). The standards are important because they address professional and legal obligations in the core areas of computer and information security. Twelve standards can be considered in this regard (Peltier 2016):
1. Roles and responsibilities: team members are assigned responsibility for managing computer and information security.
2. Risk assessment: a structured risk assessment of computer and information security is carried out and improvements are implemented.
3. Information security policies and procedures: policies and procedures for managing computer and information security are documented.
4. Managing access.
5. Business continuity and information security: plans for business continuity and information recovery are documented and tested.
6. Email and internet use: processes are developed to ensure the proper and safe use of email and internet services.
7. Information backup: a reliable backup system is maintained to support the business.
8. Protection against viruses, malware and email threats.
9. Computer network perimeter control: appropriate practices are developed for controlling the network perimeter.
10. Mobile electronic devices: the proper use of mobile electronic devices is ensured.
11. Physical facilities and computer software, hardware and operating systems: physical facilities are maintained to protect the information system.
12. Secure sharing of information: reliable systems are provided for the secure electronic sharing of confidential information.
ISO/IEC 27000 family of standards:
According to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the series of information security management standards specifying the information security management system (ISMS) is a family of standards that forms a framework for developing information security management according to established best practice. Using the ISO/IEC 27000 family of standards, an organisation can provide a safe and secure environment for its information assets (Pratama and Kurniawan 2016). The family of standards helps an organisation manage the security of its information assets, including intellectual property, financial information and employee details, and also protects other information assets such as information entrusted to the organisation by third parties (Hamdi et al. 2019). It is one of the best-known families of standards, and it sets out the requirements for a systematic approach to managing an organisation's extremely sensitive information and keeping it secure.
The ISO/IEC 27000 family has a broad scope of application, covering organisations of all sizes and sectors. It is a large and continually evolving family, with new and revised standards continually adapting to the changing requirements of information security in industry and its environment (Meriah and Rabai 2019). Several standards have currently been published in the ISO/IEC 27000 series (Tjirare and Shava 2017). They are specified below:
The ISO/IEC 27000:
ISO/IEC 27000:2018 (ISO 27000): this standard covers information technology security techniques for information security management systems and provides an overview and vocabulary (Pratama and Kurniawan 2016). It gives an overview of the organisations to which it applies, which include commercial enterprises, non-profit organisations and government agencies.
It covers the most common terms and definitions used in the ISMS family of standards, excluding terms and definitions that are not used across the family. This does not prevent the family of standards from defining new terms.
ISO27001, the information security management system standard:
ISO/IEC 27000:2013 (ISO/IEC 27001): this standard provides an overview of the version, including its corrigendum, and is used by IT governance for the detailed specification of an information security management system so that an organisation can improve its current state of information security (Humphreys 2016). Following Annex SL, it provides a common structure for management system standards, which enables an organisation to take an integrated approach to system implementation and eliminate unnecessary duplicate procedures. ISO/IEC 27000 operates by outlining the requirements, the guidelines for achieving those requirements, certification, and the guidelines for accrediting organisations. The standard offers useful recommendations to organisations seeking certification and also improves their overall security (Meriah and Rabai 2019). In this way ISO/IEC 27000 helps organisations to improve.
ISO/IEC 27001:2013/Cor 2:2015 (ISO27001): this is the 2015 version of the same ISO/IEC 27001 standard, which supports the updating of the terminology to the revised standard. The terms and definitions were changed in 2015 and have been enhanced since the 2013 edition. The simplified risk treatment process has also given organisations better control over adapting the framework (Bochtler, Quinn and Bajramovic 2017). Annex A has been elaborated and Annex B deleted as part of this modification since 2015. The terminology and risk assessment requirements are less prescriptive and are aligned with ISO 31000, the international standard for risk management. ISO 27001 relates to the organisation's information risk management process, as it includes all physical, legal and technical controls. It helps organisations to establish, implement, operate, monitor, review, maintain and improve the information security management system, using a top-down, risk-based approach (Hsu, Wang and Lu 2016). This is done by defining the security policy and the scope of the information security management system, performing a risk assessment, managing the identified risks and preparing a statement of applicability.
ISO/IEC 27002: an additional standard may be introduced in the form of ISO/IEC 27002. This is an information technology standard that provides a code of practice for information security controls, covering improved information security standards and their management within an organisation (Rianafirin and Kurniawan 2017). It is updated so that the reflection of the changes would take an