ISO27001

Done properly, an ISO 27001 cyber security system helps you put all the pieces together to counter the cyber threat.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control, its key features include:

  • International standard, published by ISO
  • Developed by leading information security experts
  • Applicable to any industry
  • Applicable to any size company
  • More than 20,000 companies have certified worldwide

(ISO = International Organization for Standardization)

Developed by leading information security experts, ISO 27001 is the summary of best information security practices worldwide. Being a formal specification means that it mandates specific requirements.

Contact us today for your ISO27001 Gap Analysis review.

Structure

Data Protection and Cyber SecurityThe official title of the standard is “Information technology— Security techniques — Information security management systems — Requirements”.

27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system’s performance
10. Corrective action
Annex A: List of controls and their objectives.

This structure mirrors the structure of other new management standards such as ISO 22301 (business continuity management);[ this helps organisations who aim to comply with multiple standards, to improve their IT from different perspectives.

Purpose

The purpose of ISO 27001 is the preservation of:

  • Confidentiality = only the authorized persons can access the information
  • Integrity = only the authorized persons or systems can change the information
  • Availability = the information is available when needed

So information security is not only about confidentiality, it is also about preserving the integrity and availability of information.

Why ISO 27001?

Your company has laptops, servers, a complex network, lots of sensitive information in databases and on paper, clients. contractors and much, much more.

Protecting the information on a single laptop presents a challenge in itself; managing the security of all of the information assets in an organization is clearly several order of magnitudes more challenging. To meet that challenge you need a system, and ISO 27001 defines the Information Security Management System (or ISMS).

So, what is it that you need to do to set your ISMS? First you need to find out what can go wrong with your information – that is, how can the confidentiality, integrity and availability of each and every piece of information in your company be endangered – this is done through a process called risk assessment; once you know where the risks are, you need to select appropriate controls (or safeguards) for each risk you find unacceptable.

ISO 27001 myths

OK let’s debunk some myths!

“This is an IT job”

This is not how to view the process because security is everyone’s job – for example everyone needs to protect his or her laptop

“It’s all about writing policies and procedures”

No – the point is not in writing documents, but in applying them in practice – e.g., if the procedure says that backup needs to be done daily even for laptops, then this is something that everyone needs to do.

“We’ll get lost in all those documents”

You won’t because we will write only the documents that are really needed – we will try to keep the number of documents to a minimum. You will also have the final say over the documents before they are published.

“ISO 27001 will only make our job more difficult”

This standard may require some new things from you, but it will help you with other things. For example, implementation of ISO 27001 will decrease the number of IT incidents, meaning that employees in the IT department won’t have to lose time on resolving those incidents. Furthermore, it will decrease the chance of someone abusing your account and performing fraud (for which you could be held accountable).

“It will be implemented in 2 months”

Implementation of ISO 27001 requires changes in behaviour, and we cannot make several changes at the same time (imagine if we published 20 new policies and procedures in a single day). This is why documentation should be introduced gradually.

“We do it only because of the certification”

Certification is one of the goals, but not the only one. Cultural change and embedding a culture of IT security within the organisation is the ultimate goal.

Benefits

The benefits of information security, especially the implementation of ISO 27001 are numerous. The following four are the most important:

1. Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply to various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables to do it in the most efficient way.

2. Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information.

3. Lowering the expenses
Information security is usually considered as a cost with no obvious financial gain. However, there is financial gain if you lower your expenses caused by incidents. You probably do have interruption in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.

The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.

4. Putting your business in order
This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems etc.

ISO 27001 is particularly good in sorting these things out – it will force you to define very precisely both the responsibilities and duties, and therefore strengthen your internal organization.

Implementation

Your role in the implementation

  • Suggest which processes to document
  • Suggest changes in existing & new policies and procedures
  • Read all the new documents and attend awareness & training sessions
  • Comply with policies and procedures once they are published

Done properly, ISO 27001 helps you put all the pieces together