The Importance of ISO27001 in 2015
18th March 2015
Analysts and commentators seem to be giving more column inches to information security this year than ever before, and the international information security standard ISO27001 is frequently cited as the most effective way for an organisation to demonstrate to its customers that data security is genuinely under control.
So why the increase in attention this year? We have identified two areas which we believe can explain much of this renewed interest.
The first is the mass media’s frequent reporting on the rise of cyber terrorism, espionage, ransomware and similar nasties, all looking for the next ill-prepared casualty. Each week we learn of attacks at every scale, from suggestions of state-sponsored hacks through to opportunistic students seeking out the mistakes made by inexperienced website and application developers. There is no guarantee that ISO27001 will make an organisation bulletproof, but a structured approach to identifying, classifying and risk-assessing data and the assets that support it significantly reduces the opportunities open to an external threat actor: you cannot protect an asset you have not recorded, and you cannot choose a proportionate control for a risk you have not assessed. In its simplest form, risks need to be identified and understood before appropriate controls can be implemented to address them. Simples, as the ubiquitous meerkat says.
The continued adoption of cloud computing has also focused interest on the need for an effective system to manage risk. The UK Government is leading the way with its Digital Marketplace, the framework through which suppliers offer a range of cloud services to the UK public sector. Previous versions of the framework provided for centralised accreditation of services by CESG (now NCSC), but the 2015 flavour instead requires cloud service providers to assert their own information security capabilities against the “14 Cloud Security Principles”, which encompass everything from premises security to data protection legislation, and from data erasure standards to employee security screening.
A seasoned ISO27001 organisation will readily be able to map this framework of cloud security controls onto its existing risk assessment and documentation, and indeed ISO27001 is recorded by the Government as one way that credible evidence of capability can be demonstrated to customers. It is not the only way, and two caveats apply: an ISO27001 certificate covers only the scope stated on it, so a buyer should check that the certified scope and Statement of Applicability actually include the cloud service on offer; and a certificate attests to a management system rather than to the technical security of the service, so it may need to be supplemented by independent technical testing of the service itself. Nevertheless, it is widely accepted that suppliers in the Digital Marketplace are expected to demonstrate an effective Information Security Management System (ISMS). Nor is it only the public sector: other industries such as pharmaceuticals and financial services are taking note of these cloud security principles and adapting them to their own needs. Cloud is very much with us for the long term.
So there has never been a more appropriate time for an organisation to sort out its data security, and that is where InfoSaaS can help. For those making their first foray into this area, our carefully designed risk management solution (securely hosted in a UK cloud environment) provides an effective means of identifying and classifying assets, and of assessing the vulnerabilities and threats that could lead to a breach of confidentiality, integrity or availability. Our library of template documentation provides a mature starting point for the policies, procedures, training material and so on that are needed to make information security a genuine cultural differentiator, ensuring that your whole team is on message and at all times acting in the best interests of your company.
For those who already have an ISMS in place, or an existing ISO27001 certification, InfoSaaS offers an opportunity to increase the effectiveness of your system whilst reducing the resources needed to maintain it. We also provide a free pre-populated demonstration system if you simply want to see InfoSaaS in action.
So 2015 is very much the year of ISO27001, and here at InfoSaaS we look forward to helping our customers realise their information security ambitions, whether as a differentiator from your competitors, as a means to demonstrate cyber security competence in bid or tender responses, or, most importantly, to defend your organisation from the cyber unknown, ensuring that we are not reading about you on the front page of tomorrow’s newspapers.