
Monday, 31 August 2015

Cyber security and ISO 27001



CYBER SECURITY & ISO 27001

A SHORT INTRODUCTION 

August 2015
IT Governance Green Paper
© IT Governance Ltd 2015

Don’t risk it – cyber secure it with ISO 27001!

Introduction 
Automated cyber attacks are increasing in frequency and severity at an alarming rate, jeopardising the success of businesses of all sizes and sectors. According to the Department of Business, Innovation & Skills’ 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small businesses suffered a security breach last year. The urgent need to protect their information – and, moreover, to be seen to be protecting it – is therefore motivating more and more companies to achieve accredited certification to the international standard for cyber security, ISO 27001. ISO 27001 certification enables organisations to demonstrate an accredited level of cyber security that will assure their boards, customers, stakeholders and staff that they are following international best practice, and thereby preventing devastating cyber attacks.

The cyber threat landscape 
Automated attacks are indiscriminate and easy to instigate, meaning every website – and every business – is equally at risk. Even if you don’t store financial information such as customer payment details, the data you do hold – such as username and login credentials, employee payroll details, proprietary data or client information – has a value to cyber criminals. Your website could also be used as a means of attacking a larger organisation in the supply chain: many massive hacks on big companies are known to have been perpetrated as a direct result of initial attacks on smaller third-party suppliers. Most alarmingly, it’s statistically likely that you’ve already been successfully attacked but don’t know about it: the 2015 Trustwave Global Security Report found that 81% of breached companies did not detect the breach themselves.

Vulnerabilities 
Many SME websites use common, off-the-shelf content management system (CMS) platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by criminal hackers. If another website has been compromised and login details have been stolen, criminals will also automate attacks using the username/password combinations they have gained to see what else they can gain access to. Password reuse is rife, so the statistical chances of criminals gaining access to multiple sites with a single set of stolen credentials are vast. The threat you face as a direct result of the malicious or unwitting conduct of your own staff or suppliers is also regularly cited as one of the main security risks to companies: the IBM X-Force Threat Intelligence Quarterly report for 2Q 2015 found that 95% of insider breaches were the result of human error, such as clicking on malicious links in phishing emails.

ISO 27001 
ISO 27001 is a technology-neutral and vendor-agnostic international standard that sets out the specifications of a best-practice information security management system (ISMS) – a risk-based approach to security specific to the organisation that implements and maintains it. An ISMS addresses people, processes and technology, reflecting the fact that cyber security threats are not solely technological in nature, but affect the whole organisation. By dint of this enterprise-wide approach, an ISO 27001-compliant ISMS will enable an organisation to mitigate the cyber security risks it faces with appropriate controls, limiting the threats posed by untrained staff, inadequate procedures, uncontrolled access rights, and out-of-date software solutions. Not only does every organisation have its own specific business model, objectives, unique selling points and culture, it also has its own appetite for risk. ISO 27001 therefore stipulates that every ISMS must be based on the outcome of a risk assessment, ensuring that each ISMS meets the individual requirements of the organisation that implements and maintains it.

Business value of ISO 27001 certification 
In the UK, ISO 27001 certification is already a requirement of many business relationships: certain government contracts require tendering organisations to be ISO 27001-certified; ISO 27001 is the basis of G-Cloud accreditation; the NHS's Information Governance Toolkit is based on ISO 27001; and the Gambling Commission's remote gambling and software technical standards reflect ISO 27001. ISO 27001 supports compliance with international standards such as the PCI DSS, laws including the UK’s Data Protection Act 1998 (DPA) and the EU’s forthcoming General Data Protection Regulation (GDPR), and, in the US, state data breach notification laws and industry-specific federal regulations such as FISMA, the GLBA, HIPAA and SOX.

The market value of certification 
As well as helping you to protect your information and comply with data handling laws, there is a distinct market value to ISO 27001 certification. Certification provides a valuable and visible proof of your organisation’s willingness to meet internationally accepted data security standards. Achieving certification to ISO 27001 is not simply marketing: as nations implement their own data protection, your organisation’s ability to prove that it complies with ISO 27001 is likely to open business opportunities across the globe. 

International recognition 
Certification to ISO 27001 is achieved through auditing by an accredited third party. In the UK, the accreditation of certification bodies is handled by the United Kingdom Accreditation Service (UKAS), which maintains a list of all organisations qualified to certify ISO 27001. Through a number of agreements with other international bodies, a certification in the UK is recognised across the globe. The International Accreditation Forum (IAF) ensures that ISO 27001 certification is recognised across the world through a mutual recognition arrangement, agreed by more than 60 national accreditation bodies. Many markets have already shown a desire for ISO 27001 certification: according to the latest ISO survey, nearly 23,000 organisations worldwide have achieved certification to ISO 27001.

ISO 27001 implementation 
Although implementing an ISO 27001-compliant ISMS necessarily involves the whole organisation, it needn't be a complicated process; indeed, for some organisations it could be as straightforward as organising documentation and bringing policies and processes into line with the Standard’s requirements. The right route to certification for you depends on your budget, experience and available resources. Take advantage of our free, no-obligation 15-minute consultation to talk about what is right for you.

