Discover how to implement and leverage ISO 27001 for better information security
With the right security framework, you can manage and improve your information security processes, protect your data assets from cyber threats and improve the ROI of your whole organisation through more intelligent decision-making.
In this blog, we will review the insights from a recent Cloud Insights Series webinar hosted by industry experts from Secure Agility and Pollé Consulting on the topic of security best practice, and how adopting a system aligned to ISO 27001 will improve your security posture.
ISO 27001 is designed to help organisations of all sizes manage their information security processes and protect their data and assets.
Start by understanding your risks
Soren Reichelt, Principal Consultant at Secure Agility, said that as organisations continue to collect massive amounts of data, many struggle with persistent change and with understanding who is responsible and where the risks are.
“We asked a group of CFOs what is most important when it comes to cyber security and, not surprisingly, 71% reported ‘identifying our risk’ as most important,” Reichelt said.
Taminda Pollé, Owner and Security Quality Consultant at Pollé Consulting, said that the finding is very consistent in the ISO community because one of the major struggle points in any organisation is identifying risk.
“That is a crucial starting point to determine how you need to invest in the risk mitigation plan,” Pollé said. “Also, most identification programs only identify 30% of an organisation’s risk, and this is scary.”
“It is not scary to identify the risks, but it is scary to not identify the risks. It only takes a few hours, or a few days depending on the size of the organisation, to identify risks and prioritise them, and you don’t necessarily have to act on them all.”
Struggling with security? ISO 27001 provides a framework
The panellists discussed a few reasons why organisations struggle with information security, including:
- Most organisations lack a clear picture of what information is sensitive and how to manage that.
- Information security isn’t just the job of IT, so there’s an education process that needs to happen.
- Both the threat and the consequence of the threat have grown exponentially over the past three to five years.
Pollé said there is not one quick answer to getting on top of security, but the ISO standard gives you the parameters and controls to support security in your organisation.
“You also need to ensure employees know that they, and everyone, are liable to a certain extent,” she said. “CEOs and board members understand accountability at a corporate level, but what is not well understood is that it is everyone’s responsibility. That’s what a lot of people don’t realise – that it’s actually an uninsurable risk.”
“For example, if I’m travelling and someone takes a photo of my laptop, that is a personal liability, and it is uninsurable.”
Sarah Dewan, GM of Operations & Compliance at Secure Agility, added that the changing landscape, including what is happening across the globe, can be very daunting from a security standpoint.
“Most people struggle on where to start because of the enormity of it,” Dewan said.
How ISO 27001 helps
ISO 27001 is the international standard for how to manage information security, and its core tenets are:
1. Systematically examine information security risks, taking account of the threats, vulnerabilities, and impacts;
2. Design and implement a suite of information security controls and/or other forms of risk treatment to address those risks that are deemed unacceptable; and
3. Adopt a management process to ensure that the information security controls continue to meet information security needs on an ongoing basis.
“ISO is not just a checklist, it’s a framework, and you are never done with ISO. It doesn’t need to be overwhelming, and auditors recognise it is a journey and it can create massive value for the organisation,” Pollé said.
The panellists agreed you can’t just throw technology at ISO. It is about having the governance to decide what you need and what the requirements are rather than spending money on tech, which might not solve the biggest risks.
Getting value from ISO 27001: the ‘Ticket to Play’
Most people think of compliance as a burden, but organisations can gain value from ISO 27001.
How does a leadership team measure value? According to Dewan, ISO delivers value in many different ways.
“You can monitor performance on an ongoing basis, continuous improvement, regular reviews, and it opens a lot of doors in terms of business opportunities,” she said.
“At Secure Agility, ISO opens the demographic of who we can work with, for example, government agencies. It is becoming more of a requirement from customers, so when we are talking to customers or putting a proposal in front of them, they want to see a security questionnaire, and as soon as you say you are ISO certified it cuts down the work you have to do.”
Pollé added that a lot of private entities don’t realise they are housing government data, and having the certification makes a massive difference. “It’s a ticket to play,” she said.
“Treat it as a project with a governance structure and it will become a unique selling proposition for your clients and your employees.”
By adopting an ISO process, you can identify risks, prioritise properly, and go through a cycle of continuous improvement.
Secure Agility has an ISO 27001 baselining package – a two-part engagement process that delivers more than 140 templates, a security consultation review, and selection of appropriate templates for your specific context. Read more or view the related webinar on the Secure Agility site.