Whose responsibility is Information Security?
In today’s data-driven environment the threats to information security and the consequences of breaches have never been more prevalent, and this is unlikely to change in the future. In fact, as our reliance on data and information grows, the risks associated with information security are likely to increase and become more challenging.
There is a common misconception that robust information security controls are only relevant to large corporates and multinationals. In practice this is not the case, and industry trends show that good governance in terms of information security is relevant no matter what the size of the business. Indeed, a requirement to have an information security management system such as ISO27001 in place is increasingly becoming a pass/fail requirement in tender selection criteria.
A recent government survey showed that almost half of businesses (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks in the last 12 months. Among the 46% of businesses that identified breaches or attacks, more are experiencing these issues at least once a week in 2020 (32%, vs. 22% in 2017).
*Source – Department for Digital, Culture, Media and Sport Report 2020.
ISO27001 – A suitable solution
ISO 27001 is the international standard, recognised globally, for managing the risks to the security of information held or accessed by organisations. Certification to ISO 27001 allows an organisation to demonstrate to its clients and other stakeholders that the security of their information is being effectively managed. ISO 27001 provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining and improving your ISMS. Organisations are also increasingly taking the opportunity to use their ISO27001 ISMS as the basis for implementing a Privacy Information Management System and obtaining further certification to ISO 27701 (the extension of ISO 27001 for privacy-specific information security management).
What does implementing the standard involve?
Implementation of ISO27001 involves the following key steps.
- Define an Information Security Policy and Objectives – this provides a framework for the establishment of the ISMS and provides a clear set of objectives which can be measured and used to assess the effectiveness of the ISMS.
- Define the scope of the ISMS – the scope of the ISMS needs to be clearly defined and the organisation will have a choice in terms of what the system is being applied to. The scope can include the complete business operation or can be restricted to cover certain business functions (e.g. IT), specific contracts or specific locations.
- Perform an information security risk assessment – this is the cornerstone of the ISMS. It involves a systematic process of identifying the relevant information assets, identifying the threats and vulnerabilities associated with those assets, and assessing the resulting risks. This information can be collated in a risk register.
- Select the controls to be implemented and develop a Statement of Applicability (SoA) – ISO27001 differs from many other ISO standards in that it provides a list of controls which the organisation must review in order to select the applicable controls it will adopt. Typical controls may include encryption.
- Manage the identified risk – risk management can take many forms. These can include risk treatment plans aimed at mitigating certain risks, policies and procedures to manage relevant risks (e.g. Access Management) or technical or physical controls aimed at reducing certain risks.
There are many online options to buy ready-made ISO27001 documentation toolkits. Whilst these might seem an attractive solution, it is important to exercise caution: fitting them to specific organisational requirements can be challenging, can cause serious issues during external audits, and can also force organisations to change (unnecessarily) what they do to suit the requirements of a generic policy set.
So what benefits will ISO 27001 provide?
ISO27001 has seen rapid growth in popularity, and demand for certification to this standard has soared. This growth will continue as the standard makes its way into, and becomes embedded in, supply chain selection and tender processes. The main benefits experienced include:
- The ability to win new business and sharpen your competitive edge.
- Avoiding the financial penalties and losses associated with data breaches.
- Protection and enhancement of reputation.
- Compliance with business, legal, contractual and regulatory requirements.
- Improved governance and reporting.
If you’d like to know more about information security management and ISO27001 please visit https://quadraconsulting.com/iso-27001-informationsecurity/ or speak to Quadra for further information. We can also provide a range of ISO27001 implementation and audit training services.