Efficacy of an IT process after a cyber attack

MDRepair Canada

Starting to get Involved
Hi!
I just joined a company who faced a huge cyber attack that destroyed some data.
I am auditing our IT process (using the ISO 9001 standard) and I was wondering if I could conclude on the efficacy of this process knowing what happened. Apart from this big issue, the results are satisfactory.
After this attack some actions have been implemented (containment, corrective and preventive).

Thanks in advance for your help!
MD

yodon

Leader
Super Moderator
I think it would be hard for anyone here to offer any conclusions of efficacy without knowing more.

The question that jumped to my mind was why you were auditing to 9001 and not something seemingly more appropriate to security like ISO 27001? I don't think (just) 9001 will give a sufficient foundation for information security.

Tagin

Trusted Information Resource
I agree with Yodon: we cannot offer anything on efficacy (do you mean 'effectiveness'?) without much more detail.

When using 9001 for IT defense, you are relying primarily on risk-based thinking (RBT), since 9001 does not offer prescriptive guidance specifically on IT practices. But RBT can work, if you use some best-practices as references or prescriptive guidance in your risk assessment. A good starting point would be the NIST Cybersecurity Framework:
Cybersecurity Framework

Also, look at CISA cybersecurity guidance:
CYBERSECURITY | CISA