Demand for ISO 27001 is Growing - Be Prepared
Cybercrime is rarely out of the news these days. News of the latest attack on a high-profile target seems to be a daily event, whilst the UK Government also seems to be taking it very seriously by pumping a reputed £1.9bn into cyber security.
It may seem like a new issue but, in truth, threats to information security have always existed for individuals, organisations and governments; only the methods have changed as the technology has changed. The major factor in the last two decades has been increased internet use in all aspects of life, which has caused the scale of the problem to grow exponentially.
To give you an idea of how big the problem now is:-
In 2015, 8 million people fell victim to online fraud in England and Wales
44% of consumers report that they are worried about how their personal data is handled
60% of small businesses have been victims of a cyber breach
Cybercrime cost UK business £34bn
It may come as no surprise that businesses are becoming increasingly cautious when dealing with suppliers and third parties, particularly if they are sharing data with them. Many larger companies now routinely carry out extensive security reviews of suppliers. Consumers are hearing about a steadily growing number of security breaches, and there is an increasing level of cynicism regarding corporate motives around the collection of their personal data.
These risks will only intensify as organisations further invest in ‘cloud’ and digital communications. Today, more than ever, businesses need to protect themselves, and they must also safeguard the trust of their customers. Demonstrating effective Information Security Management isn’t just about mitigating compliance risk; it’s about building competitive advantage.
What is ISO 27001?
Following the groundwork on data and information security laid down by BS 7799 and ISO 17799, the International Organisation for Standardisation published ISO 27001, a standard for creating an Information Security Management System, in 2005. It is adaptable to all organisations regardless of industry or size. The standard’s requirements ask you to assess and plan for the information risks that affect your organisation.
One of the critical elements for the success of a management system is management buy-in at the highest level in the organisation. This is addressed by one of the fundamental requirements of ISO 27001. The standard expects organisations to demonstrate the link between overall business objectives and security priorities. It also recognises the importance of effective communication. Everyone in the organisation should understand their role in preventing Information Security threats.
Creating a Security Culture
ISO 27001 is often perceived to be an IT standard, but Information Security is not just the IT team’s responsibility. Whilst IT is a significant part of it, ISO 27001 is a management standard which applies to the whole organisation. This is why ISO 27001 mandates that the security management structure be led from the Board Room, in order to develop a security-conscious culture.
It is important to communicate the fact that many data breaches are not related to new technology or advanced malware, but have more to do with a lack of policy and education. 2015 statistics suggest that:-
60% of security events are inside attacks
39% of IT staff can get unauthorised access to sensitive information
11% of IT staff could take sensitive information with them if laid off tomorrow
42% of confidential data loss is through staff
External attacks get the attention, but it is, in fact, internal threats that businesses should be more concerned about.
Independent research commissioned by Fellowes found that 32% of employees said they throw sensitive documents into the bin. It’s not surprising, therefore, that 64% of employees believe that waste bins are a bigger risk to personal information than computer systems. Controlling physical security is just as important as cyber security.
HR also has an important role, as they determine what checks are carried out prior to employment and what happens when employment ceases. Hiring the right people and making sure equipment and information are returned are both important controls.
Prepare for Certification Before You Need to
Having a security management system which adheres to a recognised standard has become the expected norm. ISO 27001 is the de facto standard for information security management in the UK and across the world. The regulated sectors and government departments seek to mitigate their risk by raising expectations of suppliers and ISO 27001 certification is now required for many contracts that have potential Information Security risks.
Top level organisations do not want their reputation undermined by a supplier and are, consequently, asking more of their supply chain. Because of this downward pressure on suppliers, the UK is one of the leading countries for implementing ISO 27001, with the number of certificates issued growing by 24% last year.
SHCO are currently working with UK companies who are addressing the increasing requirement for demonstrable security management by implementing a security management system based on ISO 27001. This approach also leaves them well placed should ISO 27001 certification become a requirement in the future.
If You Need Help
If any of the points discussed above affect your company and you need help implementing ISO 27001 or assessing supplier security, please contact SHCO to see how we can help.