The information security management standard ISO 27001 and its code of practice ISO 27002...
As technology becomes increasingly integrated into business processes, security vulnerabilities are on the rise. More and more companies are feeling the backlash, and it has created serious concerns across nearly all sectors.
Costs from cyber crime are mounting, and experts predict they will double from $3 trillion in 2015 to $6 trillion by 2021. Small to mid-sized businesses in particular are at risk because they often lack the security of larger organisations who have dedicated IT security teams. With limited resources, they may feel susceptible and powerless.
One way that companies are shielding themselves is by adhering to the information security standard ISO 27001. Published in September 2013 by the International Organisation for Standardisation (ISO), its goal is to align security practices and methodologies with modern standards. Here are the details of ISO 27001 and how obtaining certification can keep your company safe.
The primary purpose behind this new standard was to replace and improve upon its predecessor, ISO 27001:2005. As cyber criminals become increasingly sophisticated and attacks more prevalent, it was necessary to implement changes to properly address the full scope of security threats that companies contend with today.
There’s a larger emphasis on security monitoring through metrics, setting objectives and analysing performance.
In order to accomplish this, new controls were added. These include:
- 6.1.5 – This control makes information security a compulsory part of project management, regardless of the nature of the project.
- 12.6.2 – This control prohibits users from installing unauthorised software on company systems without permission and verification by an analyst.
- 12.2.6 – This control ensures that all risks have been properly identified and assessed.
- 14.2.8 – This control makes it compulsory to implement and follow software testing procedures.
Combined, these new controls heighten security dramatically. Organisations that comply with ISO 27001 and obtain certification are better equipped to deal with modern cyber threats and can strengthen their overall security infrastructure.
One way the 2013 standard differs from the 2005 standard is there are now 14 domains versus what was formerly 11. These domains cover a wide variety of security elements including key areas such as:
- Company security policy
- Asset management
- Physical and environmental security
- Access control
- Security incident management
- Compliance
Although there are more clauses with the new standard, it’s ultimately easier to manage than the old version. Upon implementation, your company can improve its security in many ways. Here are some specific examples.
Mandatory Information Security
One of the main aims of ISO 27001 is to strengthen security across the board. It recognises that every project has inherent vulnerabilities that could potentially be exploited. To ensure consistency, your company will mandate information security regardless of the shape and scope of a project. It will be obligatory in nearly all situations.
Taking this kind of diligent approach is a huge step toward mitigating what has become an incredibly pervasive problem. Considering that roughly 400,000 of the 2.1 million Australian small to mid-sized businesses (19 percent) have encountered cyber threats, proactivity is essential.
Tighter Control on Software Installation
Your company is put in jeopardy anytime unauthorised software is installed onto company systems. Without parameters in place, you’re opening yourself up to attacks such as malware, ransomware, phishing and denial of service (DoS).
Another focal point of ISO 27001 is to make it mandatory for users to obtain permission from an analyst before anything is installed. This prevents rogue software from infiltrating your systems and endangering your network.
Heightened Security on User Access
Maintaining strict access control is a necessity. If unauthorised users are able to gain access to your network and are exposed to sensitive information, the walls of security can come crumbling down in a hurry. The standard places a strong emphasis on access control to ensure the highest level of security.
This makes it far more difficult for unauthorised individuals to cross security borders and creates a choke-point. By limiting access to only a handful of verified users, you’re able to continually keep tabs on what’s happening on your network. As a result, you greatly reduce the chance of sensitive data falling into the wrong hands.
One element of cyber security that’s sometimes overlooked is protecting the physical equipment at a facility. After all, computers, hardware, servers, etc. must be located somewhere within a physical environment. If intruders are able to gain access to this equipment, the consequences can be just as bad as, if not worse than, those of a purely digital attack.
Another aspect of the new standard is to tighten the physical security of your company’s on-site premises. This can be done in several ways, including the installation of surveillance cameras, commercial access control and even biometric solutions involving fingerprint or retina scanning. The end result is comprehensive security that covers both digital and physical components.
Deeper Risk Assessment
A big part of being proactive and keeping calamities at bay is simply being aware of the risks you’re facing and the challenges you’re up against. There’s a heavy emphasis on the identification and assessment of potential risks and using a methodology that makes sense for your company and is fully customised for your unique processes.
It’s about implementing assessment policies that fit your specific needs and taking the necessary steps to determine where your greatest weaknesses lie. Once you’ve done this, you’ll have a better idea of how to prioritise your efforts and where your attention should be placed initially. From there, you can take appropriate action to optimise security as a whole.
Supplier Security Policy
Your organisation may be partnered with several different suppliers at any given time. Even though your company may be meticulous about its information security, it doesn’t mean that all of your suppliers are. This can be problematic because an oversight on their end can potentially compromise the security of your organisation.
One of the new controls mandates the development of a security policy for supplier access that aligns with your current policy. This topic will be thoroughly discussed, and agreements will be made to eliminate unnecessary vulnerabilities.
Doing so increases security for both parties and ensures that you’re on the same page about setting parameters. In turn, you’ll have greater confidence and more peace of mind with your supplier interactions, and security threats are far less likely to occur.
Streamlined Incident Reporting
The way in which you respond to an incident is critical. A swift, systematic response enables your company to effectively handle the issue and take necessary action. It minimises the damage and costs, while simultaneously expediting the recovery time. You’ll know exactly what needs to be done to address the situation and which steps must be taken to get operations back on track.
With the 2017 SANS Institute Incident Response Survey reporting 87 companies responding to at least one incident within the past year, it’s not a matter of if but when. ISO 27001 certification greatly increases your chances of an effective resolution and can reduce your stress even in a worst-case scenario.
Continued Compliance with Current Best Practices
Information security involves an ever-evolving set of practices. It’s an eternal cat-and-mouse game where organisations must stay one step ahead of cyber criminals. The best way to do that is to remain compliant at all times and conform to information security policies and standards as well as relevant laws and regulations.
ISO 27001 certification allows you to adjust and fine-tune your company’s security policies to ensure compliance with what’s regarded as current best practices. Even as technologies advance, you’ll be prepared for whatever attackers may throw at you.
Better Overall Organisation
Finally, you’ll experience a higher level of organisation as it relates to information security. Some specific examples include having:
- A clearly outlined strategy in place
- Effective policies to address key areas
- An established outline of incident management procedures
- A business continuity procedure to minimise or even eliminate downtime
When you put all of this together, your company will have a more systematic approach to mitigating cyber security risk.
Keeping Your Company Safe
Cyber threats are on the rise and are only going to increase in upcoming years. According to Telstra security solutions director, Neil Campbell, “We are seeing increases in security risks across the board. More than half of all businesses experienced a ransomware attack last year – 30 percent of Australian businesses surveyed have had a business email compromised, and the number of Distributed Denial of Service (DDoS) network attacks is up by more than 200 percent.”
This obviously presents a challenge for today’s businesses, but there is a solution. One of the best ways to keep your company safe is being ISO 27001 certified. This tackles all of the most pressing security obstacles and neutralises the common threats that companies face today. Not only does this protect your company right now, you’ll be better equipped for whatever security concerns arise in the future.