Managing cyber security risk must be an ongoing, iterative process that reacts to a constantly evolving threat landscape, driven by the organisation’s understanding of its own vulnerabilities and informed by an awareness of adversaries’ methods.
A Cyber Security Management System (CSMS) should be developed, adopted by senior management, and incorporated into the organisation’s existing policies and management systems. The structure of the CSMS can follow existing management systems, e.g. those outlined in specific security standards such as IEC 62443, ISA TR84.00.09 or ISO 27001, as specified in the functional safety standard for the process industry sector, IEC 61511, or any other regulatory framework specific to the organisation.
Any CSMS should contain policies and procedures to address the following objectives and cyber security principles (excerpt from the NCSC CAF).
The policy, procedures and management system documents produced must be adopted and championed at board level and trained out to all personnel with the potential to interact with, or impact the security of, IACS assets. In practice this means that every member of the organisation needs at least a basic level of OT cyber security awareness, and those in relevant roles need enhanced, role-specific training.
The CSMS documents must be reviewed frequently and updated as necessary in light of evolving threats and newly discovered vulnerabilities, in line with the principle of continuous improvement.
Appendix 2 of OG86 suggests suitable document types that organisations can present as evidence of each aspect of their CSMS.
Diagram 1. Cyber Security Risk Management Key Artefacts Maintenance Cycle
E: email@example.com. T: 44 (0)1462 713313. W: www.methodcysec.com