This blog has been created from our Webinar ‘How to protect your data and information; now and in the future’, which was hosted by Tim McGarr (Sector Lead, Digital) and Mike Edwards (Tutor). In order to watch the full webinar, you can register here.
So, why is ISO/IEC 27001, the Information Security Management System (ISMS), so relevant to organizations? It’s worth starting with the wider context of Organizational Resilience.
Organizational Resilience is the ability of an organization to anticipate, prepare for, respond, and adapt to incremental change or sudden disruptions, in order to survive and prosper. In today’s modern business world, at the heart of that is going to be our information and our information systems.
To be able to deliver our products and services, to support our people, and to ensure that our processes are available, we need to make sure that we’ve got the right information and systems available to the right people at the right time. It is more accurate, therefore, to think of an ISMS as a business enabler, not just an IT issue. If we get this right, it’s going to help our organizations to not just survive but actually prosper in the long term.
ISO/IEC 27001 is about trying to manage confidentiality, integrity and availability of information.
Since the advent of GDPR, we’ve seen quite a sharp rise in the number of organizations certifying to ISO/IEC 27001. Over the last three or four years, we’ve seen between 20% and 30% year-on-year growth in organizations implementing and certifying to the standard. I don’t think it’s a coincidence that this increase has followed the advent of GDPR.
However, ISO/IEC 27001 doesn’t excuse you from GDPR, nor is it a defence against it. What it does do is provide a robust Information Security Management System (ISMS) framework so you can put appropriate controls in place to help mitigate the risk of a data breach.
GDPR has highlighted the importance of protecting your data, and imposes huge fines when this isn’t done correctly. Prior to GDPR, the UK Data Protection Act allowed for maximum fines of up to £500,000; under GDPR it’s €20m or up to 4% of the global annual turnover of the organization, whichever is greater.
Large fines have been imposed; we’ve seen internationally recognized brands receive notices of intent for fines reaching £100 million and above, with actual fines of nearly £20 million. What led to such fines? In the case of BA, the root cause was a phishing email attack: when the email link was clicked it activated a virus which attacked the organization’s systems. This goes to show the importance of ensuring that our people are trained, they’re aware, and they understand the implications of not following the processes, the policies, and the procedures that we put into place. We spend so much money and apply so much resource to technical controls that, if we don’t balance that out by investing in our people, it can sometimes be a lost cause.
Is ISO/IEC 27001 just a tick box exercise because companies can set their own ISMS scope?
It shouldn’t be. If you want to benefit from ISO/IEC 27001, or any standard, it’s about protecting your organization. To make that work properly, it’s meant to be adapted to how your organization works. A small manufacturer is very different from a global airline, and the ISMS should be adapted to what each of them does.
In terms of the scope, if you’re dealing with an organization that holds certification, you can easily verify what the scope is and ensure it covers the relevant part of their organization. I would encourage businesses not to view it as a tick box exercise but as a way of protecting your business, preventing fines and reputational damage, and protecting your staff.
ISO/IEC 27001 needs to be driven by senior leadership, and that commitment needs to be demonstrated: they must provide direction and guidance. It is crucial to understand how information security, and information security management, is going to support the strategic direction of the organization. This boils down to needing a clear understanding of what the business wants to get out of the ISMS.
If you know that, then you can plan: you can understand your organization and the context of your business, and how you can apply information security management to it, putting in place effective information security controls based upon risk. So everything you put in place is based upon the needs of the organization and the organization’s risk appetite.
An ISMS and ISO/IEC 27001 are not an off-the-shelf solution. It is about demonstrating that what you have in place is what your organization needs, and that it is operating and working effectively for you. Everything at the heart of what we’re trying to do goes back to the information security triad: Confidentiality, Integrity and Availability of information.
About our expert:
Mike Edwards
Mike specializes in information security, business continuity and quality management systems. He has extensive security experience and has been a regular speaker at international conferences on information security in the defence sector. Mike is one of our tutors and regularly teaches delegates about ISO 9001, ISO 22301 and ISO/IEC 27001. Prior to becoming a BSI tutor, Mike spent over 20 years in the Royal Navy in a variety of information security roles.