ISO 27001: Best practices to secure business information
By Bernard Farrugia
Stories surrounding security breaches at major companies and even governments, from stolen laptops to cybersecurity attacks, hit the headlines on a regular basis. Most organisations have some form of IT solution to help them achieve their objectives more efficiently. The information stored within such systems is usually of paramount strategic importance. However, most of these solutions do not have adequate built-in security features. It is up to management to ensure that processes and procedures secure the systems and the information within them.
- How does one go about securing an IT environment?
- What would implementation entail and what are its benefits?
- About the author
How does one go about securing an IT environment?
For most companies, this is a daunting task, especially when the required expertise is not available in-house.
A number of standards are available that can help secure a business's IT and information assets. One such standard is ISO 27001, which is well known for setting out the requirements for an Information Security Management System (ISMS). According to the International Organisation for Standardisation (ISO), an “ISMS is a systematic approach to managing sensitive company information so that it remains secure.” The standard can be implemented in both small and large businesses in any industry sector.
What would implementation entail and what are its benefits?
To answer the first part of the question: when implementing a standard such as ISO 27001, one has to keep in mind that it must be treated like any other major IT project. There is no easy fast-track route to implementing the ISO standard. The key points are:
1. Ensuring management support: it is very important that management supports the project. Without this support, implementing the standard (or any standard, for that matter) would be doomed from the start. Management commitment should ensure that enough resources are available to manage, develop, maintain and implement the ISMS.
2. Defining the scope: like any other project, one must define the scope and consider whether the whole or part of the organisation should be covered. The scope should be kept manageable to avoid increasing the project risk.
3. Defining and performing Risk Assessment: this is the most crucial stage of the project. It is important to choose a risk assessment method, for example SWOT and PEST analysis, to help identify the vulnerabilities and threats that may have an effect on the specific business, and to define the acceptable level of risk. If these are not clearly defined from the outset, the resulting processes will also be incorrect. The focus is to be able to get a comprehensive picture of the dangers facing the security of the organisation’s information.
4. Processing the Risk Treatment: the purpose is to reduce the risks identified in the previous step to an acceptable level, as far as possible. There are four main ways in which this can be done:
- Apply the security controls listed in Annex A of ISO 27001 (see point 5 below)
- Transfer the risk to another party (e.g. an insurance company)
- Avoid the risk by stopping the activity entirely
- Accept the risk, especially if the cost of mitigating it is much higher than the potential loss.
5. Applying the Statement of Applicability: ISO 27001 includes an annex, referred to as Annex A, which lists 133 controls that the company needs to assess in order to determine:
- whether each control is applicable or not,
- in each case, the reasons why it is applicable (or not), and
- the control objectives to be achieved.
6. Documenting the Risk Treatment Plan: the purpose of the Risk Treatment Plan (or, in layman's terms, the Action Plan) is to take each of the applicable controls identified in the Statement of Applicability and define how it is to be implemented. This includes identifying the control owner, the frequency of the control and a description of the implementation method.
7. Implementing the controls: this is the part where the applicable controls from Annex A have to be implemented. In this step, it is important to first define how the effectiveness of the controls will be measured, including how fulfilment of the control objectives is to be measured. Implementing new controls means introducing new technologies and behaviours into the organisation. Resistance to change from the individuals responsible for a control is likely, which is why the next point (training and awareness) is crucial for avoiding this risk.
8. Implementing training and awareness programs: employees need to be aware of the new policies and procedures being implemented. Training and awareness programs should be given to employees periodically so that they are aware of the risks of non-compliance. No technology can prevent someone from falling for increasingly sophisticated social engineering attacks; hence proper awareness is of the utmost importance.
9. Monitoring the implementation of the ISMS: the ISO 27001 standard follows a Plan-Do-Check-Act (PDCA) cycle. For the ISMS implementation to be effective, it needs to be reviewed by management as part of the internal audit process at periodic, planned intervals. This should also include changes and improvements to policies, procedures, controls and staffing decisions. The results of audits and periodic reviews are documented and maintained, and any recommendations are actioned.
The implementation side of the standard may seem overwhelming and costly when compared with the risks as perceived by management. Yet management is often aware of neither all the risks nor the benefits that come with implementing the standard. These benefits include:
- An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected. This should in itself provide the peace of mind that the systems within the business environment are safe.
- ISO 27001 certification proves that threats and vulnerabilities to the system are being taken seriously. Customers and third-party suppliers are naturally concerned about the security of their data. Compliance with ISO 27001 gives all stakeholders confidence that international best practice for mitigating such threats and vulnerabilities is being followed.
- ISO 27001 enables organisations to avoid costly penalties and financial losses. Over the past few years both small and large businesses have been subjected to a number of cyberattacks, which have been extremely costly, both from a regulatory and a reputational standpoint.
In conclusion, no business, regardless of its size, can afford to be complacent, since any business can be the victim of a costly security breach. With proper implementation of standards such as ISO 27001, such risks can be substantially reduced.