Working towards ISO 27001

In today’s information economy, it is extremely likely that most of an organisation’s critical assets are in digital form.

Unfortunately, the convenience of the digital world comes with a downside: the cyber security risks that are a constant fixture in the news. Because these assets are both valuable and potentially vulnerable, we should strive to protect them.


Taking a proactive approach to information and cyber security will allow our organisation to protect its data and intellectual property. It will also help us comply with the data protection and cyber security laws that have emerged across the globe, including the General Data Protection Regulation (GDPR), Data Protection Act (DPA) 2018 and Network and Information Systems (NIS) Regulations 2018.

On your Marks...

To protect confidential and sensitive information – and to be seen to be protecting it – more and more organisations are becoming certified to ISO 27001, which provides the specification for a best-practice information security management system (ISMS). ISO 27001 describes specific controls to secure information and information systems, which will help us comply with laws such as the GDPR.

Furthermore, organisations seeking contracts with governments or large corporate clients will increasingly find ISO 27001 to be a prerequisite for doing business. Certification is seen as a powerful assurance of our commitment to meet our obligations to customers and business partners.

So What's Involved

Most people think of information security as a technology issue. They believe that anything to do with securing data or protecting computers from threats is something that only technical specialists – and specifically computer security professionals – can deal with. This could not be further from the truth.


Within an organisation, information security decisions should be made by management, not the IT team – they are, after all, related to business risks. An ISMS specifically recognises that the decision-making responsibility should sit with senior management, and that the ISMS should reflect their choices and provide evidence as to how effective the implementation has been.


Additionally, it is important to recognise that people are a vital part of your defence, alongside any technological measures. For instance, almost a third (32%) of all breaches between November 2017 and October 2018 involved phishing. Documented policies and procedures – ideally as part of an ISMS – as well as mandatory staff training can prove invaluable to help guide employees in specific situations, such as reporting a potential breach of security. They also clearly demonstrate your organisation’s standpoints on security, which can in turn help embed a security culture.


The implication for an ISMS project is that it need not be led by a technology expert. In fact, there are many circumstances in which that could prove counterproductive. These projects are often led by quality managers, general managers, or other executives who are in a position to develop something that has organisation-wide influence and importance.

Governance

ISO 27001, as with many other management system standards, requires top management to demonstrate its commitment to the ISMS. Securing that commitment will help embed information security as part of the organisational culture and ensure the necessary resources to make the project a success will be available.

Risk Assessment

One of the most important elements of information security is risk assessment. Not assessing risks in a structured manner will make it hard to know and understand exactly what risks your organisation faces, making it difficult to put effective security measures in place.

Documenting the management system

One of the most time-consuming parts of an ISMS implementation project is developing the documentation that sets out how the management system works, as well as the documentation explicitly required by the Standard.

Continual improvement

An ISMS project can be complex, and implementation may well take many months or, in some cases, years. ISO 27001 does not mandate specific project stages, but we need to establish a continual improvement process, as the Standard requires evidence of continual improvement.

 

3 reasons why ISO 27001 certification is good for you

 

1. Organisations that adopt ISO 27001 demonstrate that they take cyber security seriously, which is a growing concern among clients. Committing to information security via the Standard gives organisations a competitive advantage, which will be passed on to employees.

Sales teams and marketers, for example, can use the organisation’s reputation for security to win new business. This increases the amount of work across the organisation and offers employees the opportunity to prove how valuable they are.

 

2. ISO 27001 outlines information security policies and procedures for staff to follow. This is helpful for employees in two ways.

First, it mitigates the risk of data breaches, which are often very damaging and can threaten jobs. This isn’t necessarily because the organisation needs to balance the cost of responding to a breach (although it’s a possibility), but because of the reputational damage caused by a data breach. Customers and third parties might stop working with the organisation, reducing profits and forcing the organisation to scale back.

Second, if employees follow ISO 27001’s guidance, the organisation won’t be able to blame them for a data breach. This ensures that senior staff fully investigate the reason for the breach instead of scapegoating an employee, who may have been doing everything that they should have.

 

3. Staff should rightfully be concerned about protecting clients’ data, but they should be just as concerned about the personal data they give to their employer. Organisations hold a lot of employee information, so staff will be relieved to know that their personal data is being protected in line with best practices. For example, the Standard mandates that organisations create a centrally managed framework for keeping information secure and that they regularly assess its performance against a set of predetermined criteria.

Written by Nick Bennett - Director
