ISO27001 in Plain English
7th June 2020
Often perceived as shrouded in an eerie mist of complexity and strange terminology, ISO27001 is an established information security standard. In this blog we’ll explain what this means – in layman’s terms – and why it is a sensible investment for organisations of all shapes and sizes. In its simplest form, it’s a structured framework which helps organisations to understand what their valuable information is, develop an appreciation for the sort of “bad things” which can happen to that information, and implement a sensible safety net of controls to stop them happening.
However, not all information has the same value or sensitivity (compare a confidential password database with publicly available product brochures, for example), so we need to take a look at three characteristics to determine how much protection it needs:
- Confidentiality – can it only be seen by persons that are authorised to see it?
- Integrity – can the information be trusted, has it been modified without authority?
- Availability – ensuring that information can be accessed as and when required
We can start to see that sensible business systems and processes will help us provide appropriate protection for each of these considerations. For example, confidentiality can be maintained by user names, strong passwords and proper logging of user activity. Integrity is assisted by implementing access control to minimise access, or perhaps by having regular back-up media which could be recovered. Availability considers many things, from the resilience of power, networks and systems – through to our business continuity arrangements.
Sprinkle on some risks…
Think about all the things that could in some way affect your organisation’s valuable data, or perhaps the buildings or infrastructure upon which it depends for its security. There are many of these; for the sake of a short blog, here’s a small selection of risks which should be assessed by an organisation:
- risks of information theft by an employee, or a contractor
- damage to information from a computer virus outbreak, or theft by some form of malware
- disclosure of information to the wrong customer from unchecked software changes
- server failure due to hard drive capacity issues
- risks to your data centre environment due to historical flood risks or proximity to an airport
- increased risks from outsourcing sensitive data to a third-party cloud provider
Some risks will happen on a more frequent basis than others, whilst some will have a major impact and others relatively minor. So alongside the identification of risks, we should seek to understand the probability of them actually happening, and the impact if they did.
… and stir in carefully selected controls
There are lots of “bad things” which we need to identify, and do all we can to remove or at the very least minimise to an acceptable level. You’re hopefully already doing sensible things, so for our five examples above you could be implementing:
- employment contract clauses, supplier agreements, and appropriate activity monitoring
- robust anti-virus and anti-malware protection, ensuring it is updated regularly
- formal change management for all software changes, involving multiple personnel
- infrastructure capacity checks, taking action when pre-agreed thresholds are reached
- environmental checks, ensuring your valuable infrastructure is protected from risks
The ISO27001 (2013) standard offers a framework of 114 controls which could be implemented, but there’s nothing to stop you adding in additional controls if you think they are appropriate. There are alternative control sets which can be introduced if they are more relevant to the protection of our specific organisation or its sector.
Statement of Applicability
The ISO27001 standard requires the production of a “Statement of Applicability” to illustrate how controls have been implemented to protect your organisation’s assets. Your risk assessment activities above may indicate to you that some controls are weak or inappropriate, so opportunities should be taken to implement more robust controls, or perhaps transfer the risks to a more suitable third party, or maybe even stop undertaking the risky activities altogether.
And that’s it?
Not quite. Whilst asset identification, risk assessment and control implementation may require a clear head and a good supply of strong black coffee, there are a number of related activities which ISO27001 expects to see. Once again we’ll spare you a long list, but think along the following lines:
- Involving your senior management, demonstrating their agreement and commitment to information security objectives which protect your business
- An appropriate framework of information security policies and procedures, and records to demonstrate how they’ve been followed
- A comprehensive employee and contractor security education programme – they need to understand their roles and responsibilities
- Internal audit activities, a programme of formal checks taking an objective view of how well your information security plans are working
- Improvement initiatives – doing things better when there is an opportunity to do so.
We hope that this end of the blog finds you more informed than ten minutes ago. With our help, protecting your business and gaining the recognition of formal ISO27001 certification is a realistic and achievable goal. Contact us to find out how we can help you with your information security requirements, using a combination of our services such as: