Headline making attacks almost always involve corporate giants, government departments or major service organisations, but no organisation however small can consider itself safe from the activities of what are effectively organised criminal operations.
Even before the pandemic, digitalisation and interconnectivity were becoming increasingly important for modern organisations. Allowing workers to connect to networks from almost any point around the globe maintained or even increased productivity and reduced costs.
While inevitable, increased digitalisation and interconnectivity brings risks that in many organisations are poorly understood. Computer viruses, worms and trojans have been circulating around the internet almost as long as its existence, often just seen as an annoying distraction to be dealt with by the IT department. The extent of possible disruption to business and financial losses involved is only just beginning to be realised.
Possibly the biggest threat at the moment is ransomware with organisations and owners of infected networks being blackmailed into handing over large sums of money to regain control of their systems. According to a report by US-based cybersecurity specialist SonicWall, there were around 623 million ransomware attacks in 2021. With such a high risk, it is vital that companies take steps to understand their business context and protect themselves.
Easy to say but where to start?
It is generally agreed that managing information, data and cyber security is not so different from managing any other form of business risk. That is, establishing procedures and training employees to understand how risks arise and the best way of preventing or at least managing them so as to minimise disruption. A first step on the way to do this is to look at how a certified information security management system (ISMS) helps companies understand their risk picture, manage and improve performance.
ISO/IEC 27001 is the most recognized international standard for information security management systems. It details requirements for establishing, implementing, maintaining, monitoring and improving an ISMS. It is the certifiable standard in the ISO/IEC 27000 series. The other standards provide guidance, like Annex A ISO/IEC 27002 which holds requirements for security controls to address threats related to Cloud and automation, malware and ransomware, cybersecurity and privacy.
This makes it ideal for managing a constantly changing risk picture in a structured way. As with all ISO management system standards, it is not a onetime “fit and forget” exercise. The standard is subject to revision to ensure that the protection it offers is as dynamic as the criminals’ attempts to devise new means of achieving their ends. The 2022 version is designed to better address current technological scenarios and be harmonized with the other main ISO management system standards, e.g. quality, environment and occupational health and safety.
Benefits of third-party certification
As already mentioned ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management. But even if followed to the letter and implemented successfully, how can you be completely assured that everything is in line and relay your performance to customers and other stakeholders?
In the modern business world, independent proof of performance is important to build confidence toward internal and external stakeholders. They need to know that you not only take things seriously but that you are committed and have implemented the necessary steps to manage relevant risks, improve performance and safeguard your business. In some instances, being able to provide proof is important for continued survival.
Information security is quickly rising on that list not only for internal confidence. As more and more organisations demand that their partners take steps to manage information, data and cyber security risks, third party certification is becoming an essential step.
The ISO/IEC 27001 standard may be unfamiliar to some, but there is no reason to doubt that embracing it and becoming certified will improve performance. Numerous studies suggest that across various management system standards, those that are certifiable enjoy significantly more success.
A certification body’s main role is to assess whether a management system complies with the requirements of ISO/IEC 27001. However, they have almost certainly seen many systems in operation and in their regular audits have identified all manner of problems and the best way of dealing with them. While not being able to guide improvements to avoid conflict of interest, the auditor competence and experience can add value insight on the biggest risks and actions applied by peers to address gaps.
