In this article, we will continue our adventure through the organisational controls in Annex A, covering A.5.5 through to A.5.7 with a theme of keeping connected and in contact with others, including authorities and special interest groups to keep up to date with the threat landscape or “threat intelligence”.

A.5.5 Contact with authorities

You need to be in contact with authorities and local special interest groups for this control and for A.5.6. The aim of both these controls is to keep abreast of the latest threats and legal and regulatory requirements.

Depending on your industry, there may be other authorities and bodies with whom you should maintain contact so that you can learn about the latest legislation and regulatory requirements. These range from having HR keep up with payroll legislation and tax changes, to industry-specific requirements such as ensuring that you are across the extra obligations that apply if you are involved with critical infrastructure (such as the SOCI Act in Australia) or with the medical device industry (the TGA).

A.5.6 Contact with special interest groups

Similar to A.5.5, this control is about ensuring you keep aware of the latest trends in the specific industries and technologies relevant to your business. It also allows you to become aware of any issues or experiences that others in your industry have encountered, and how they solved them.

You can do this by becoming part of the local tech society or user groups relevant to your technology stack to keep abreast of the latest tech news and developments. Attending meetups associated with these groups is another good way of networking and collaborating with others to share best practices.

As a bonus, it gives you the opportunity to help others, and that warm and fuzzy feeling of knowing that you have done so!

A.5.7 Threat intelligence

This clause has the objective of ensuring awareness of existing and emerging threats to your information. This involves both making sure you are aware of threats, and helping to “spread the word” about them so that others are also aware.

Information about existing or emerging threats should be collected and analysed in order to facilitate informed actions to prevent the threats from causing harm and to reduce the impact of these threats.

Activities around threat intelligence should include establishing objectives, then collecting relevant, insightful information from vetted sources, both internal and external. This information should then be corroborated and analysed to understand how it relates to your business, and shared so that it can be used and actioned as appropriate to mitigate the risks posed by the threats.

Making use of the authorities and special interest groups who often publicise threats, like the Australian Cyber Security Group and CERTNZ, and other special interest groups identified in clause A.5.6, such as OWASP, is a good place to start.

Conclusion

The main aims of these controls are to ensure that your business and teams are informed and aware of the latest threats and changes which affect you. By ensuring that you are informed and involved with regulators, government and the community surrounding your industry, you can work with others to better ensure that everyone is best prepared to protect themselves.

The key action point is to keep connected and talk with others in the industry to make sure you stay up to date with the current cyber threats.
