Barely a day goes by without a cyber security headline hitting the news: personal data theft, system compromise, vulnerabilities in national infrastructure, election manipulation, terrorism and the sale of our personal data are all regular stories. Governments, organisations and businesses of all shapes and sizes are now aware of the very real risks posed to them. As more and more of our business and personal lives move online, and software increasingly forms the core of our business systems, we become more vulnerable to attack.
So when Government systems and the biggest brand names such as Microsoft, Google and Target get hacked, what chance do the rest of us have? Actually, quite a good one, if we follow a robust, proportionate approach to cyber security and back it up with good procedures, systems and risk awareness amongst our staff.
ISO 27001:2013 Information Technology – Security Techniques – Information Security Management Systems – Requirements (to give it its full name) offers a framework for assessing and managing information security to reduce exposure to the multitude of cyber security risks facing modern business.
ISO 27001 is not a typical ISO standard. Its basic structure is common to all the modern ISO standards, in that it adopts a common framework of ten sections covering areas such as organisational context, leadership, planning, support, operation, performance evaluation and improvement. This promotes a risk-based, scalable approach that brings information security within the same business management framework already used for areas such as safety, quality and environment. Where ISO 27001 differs is that it contains a highly detailed and structured annex identifying 114 discrete risk areas in 18 groups, together with the risk controls that organisations need to consider, and potentially implement, to control each risk.
These range from basic good practice, such as ensuring that physical access to sensitive information is effectively controlled and that effective processes are in place to provide appropriate access and guidance for new users, through to ensuring that anti-virus software and security patching are effective in protecting against new threats and vulnerabilities.
Most organisations use this annex as a checklist to systematically consider and implement effective controls for the risks to their business. In most cases this both confirms controls that are already in place and working, and highlights gaps where existing processes are not fully fit for purpose or where new controls are needed.
Depending on their level of expertise and available resources, some organisations work through this themselves, while others enlist external support to help them work through and effectively address each area.
Independent certification to ISO 27001 provides assurance to the organisation that it has effective systems to manage its information security risks, and assures its customers, suppliers and other stakeholders that it takes cyber security seriously. Increasingly it is also specified as a ‘must have’ for contracts in sensitive areas such as Government and Defence related activity, and for companies handling sensitive consumer and commercial data. Most organisations have a keen interest in not becoming the next cyber security breach headline.
TQCS International are independently accredited by JAS-ANZ to audit and certify organisations to ISO 27001 and have a pool of experienced auditors with wide-ranging ISMS experience who bring a thorough and common-sense approach to organisations that want to effectively manage cyber security.
If you’re not ready to go straight for full ISO 27001 certification, or want a more affordable or scalable approach for your business, TQCS International have also produced an Information Security Code that will help you embed the principles of ISO 27001 at lower cost.