I thought it would be a good idea to put together a series of short articles championing the value of ISO/IEC ISO27001 for people with little to no experience with information security and to put it in plain English so it can be read over a cup of coffee.
The threat of cyber crime is increasing for organisations of all shapes and sizes. Hopefully this series of articles will help you make good decisions on how to best protect your organisation, employees and clients from that threat.
The chances are, if you’re reading this, that you’re either a senior manager who’s IT person is banging on about security or an IT person that has had a frantic email from a ‘higher up’ asking what the company is doing in regards to cyber security. You could be just fed up of answering client RFIs with something that sounds right-ish and not really sure where to start when implementing ‘information security’ in your organisation.
Firstly, we should stop using the term ’implementing security’. You need to establish an information security management system (ISMS) in your organisation.
What’s an ISMS?
An ISMS is the policies, controls, procedures and audit methods for managing the CIA of data in your organisations. (Acronym hell exists even in Information Security)
What’s the ‘CIA’ of Data?
Don’t worry I’m not talking about secret agents, we are referring to the Confidentiality, Integrity and Availability of data in your organisation.
Now we’ve established what the purpose of an ISMS is, how do you build one? You can just go rogue and build something without any guidance but there are some pretty solid standards out there… but this series is about ISO/IEC 27001:2013.
ISO/IEC ISO27001 is part of the ISO27000 family of standards, which is published by the International Organisation for Standardization and the International Electrotechnical Commission. Consultation from some of the best security minds in the business are used to create the them, and pretty well recognised by most large businesses.
The standard can help give clients, investors, insurers and anyone involved with your organisation the confidence that the implementation, monitoring and improvement of information security is taken seriously by the whole organisation.
It’s important to note here this isn’t something that can be implemented and maintained by a couple of people so have ’Security’ in their job titles. It’s vital (and a requirement of the standard) that every person in the business is engaged and responsible for information security and this responsibility starts at the highest level of management.
The highest level of management in the business needs to be supportive, set objectives and have active involvement in the ISO27001 programme for it to succeed. Should you decide to get certified, auditors will need to see evidence of top level participation… it’s a requirement of the standard.
I’ll talk a little more about what standard looks like in my next blog.Stay tuned!