A valuable finding of this survey is that none of these companies was certified against ISO/IEC 27001 at the time of the data breaches. They either were not implementing the ISO/IEC 27001 Information Security Management System, or were not implementing it properly.
Thus, the question arises of how these breaches could be avoided, or at least reduced, if an Information Security Management System (ISO/IEC 27001) were implemented within organizations. The answer is that it can improve information security systems and quality assurance, increase security awareness among employees, customers and vendors, prevent violations, etc. It provides a framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards.
In addition, ISO/IEC 27001 Annex A has 114 controls that help organizations keep information assets secure. Not all of them are related to technology, but all of them are, at least indirectly, related to information security. Experts recommend a multi-layered approach to information security, suggesting the following steps, which can be pegged to the associated ISO/IEC 27001 controls.
“Independent third-party certification enables companies to validate that all ISO/IEC 27001 requirements are being implemented.”
Taking into consideration that some attacks have begun with phishing e-mails sent to employees, an organization wishing to comply with ISO/IEC 27001 shall at least:
- Identify the skills required to ensure the proper functioning of the ISMS.
- Implement a training program for personnel performing work affecting the ISMS.
- Implement an awareness program on information security appropriate to different stakeholders.
- Implement a communication program to inform stakeholders of the ISMS about changes that may affect them.
- Evaluate the effectiveness of actions taken and keep records.
Some clauses of ISO/IEC 27001 that can help with the above-mentioned issues are presented below:
ISO/IEC 27001, clause 7.3 Awareness – Persons doing work under the organization’s control shall be aware of the security policy, their contribution to the effectiveness of the information security management system, and the implications of not conforming to the information security management system requirements.
An organization should treat stakeholder awareness as a main objective, in order to reinforce or modify stakeholders’ behavior and attitudes and encourage them to adhere to the values of the organization. Awareness messages must focus on use and user behavior.
ISO/IEC 27001, clause 7.2 Competence – Determine the necessary competence of person(s) doing work under their control that affects their information security performance; ensure that these persons are competent on the basis of appropriate education, training, or experience.
ISO/IEC 27001, clause 7.4 Communication – The organization shall determine the need for internal and external communications relevant to the information security management system including on what to communicate, when to communicate, etc.
In this matter, an organization should ensure appropriate involvement of the personnel whose competence is being developed as part of the training process. This may give personnel a greater sense of ownership of the process, leading them to assume more responsibility for ensuring its success.
Data storage management
ISO/IEC 27001, clause 7.5.3 Control of documented information – (Protection, Distribution, Storage, Retention and Disposal)
Documented information is the information required to be controlled and maintained by an organization, together with the medium on which it is contained. It can be in any format and on any medium, and from any source, such as paper, magnetic, electronic or optical computer disc, photograph, master sample, etc.
ISO/IEC 27001, control A.11.1.2 Physical entry controls – Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Secure areas provide controls that protect against unauthorized physical access, damage and interference to the premises, equipment and information, e.g. dedicated computer rooms and data centers. There are a number of considerations in implementing adequate security over nominated areas.
Network security management
ISO/IEC 27001, control A.13.1.1 Network controls – Networks shall be managed and controlled to protect information in systems and applications.
Controls should be implemented to ensure the security of information on networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:
- Responsibilities and procedures for the management of networking equipment should be established;
- Appropriate logging and monitoring should be applied to enable recording and detecting actions that may affect, or are relevant to information technology;
- Systems on the network should be authenticated;
- System connections to the network should be restricted.
For more information, check ISO/IEC 27002 and ISO/IEC 27033.
ISO/IEC 27001, control A.13.2.2 Agreements on information transfer – Agreements shall address the secure transfer of business information between the organization and external parties.
To maintain the security of information transferred within an organization and with any external entity, formal transfer policies, procedures, and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
Some of the analyzed companies have implemented the requirements of ISO/IEC 27001, but without an independent third-party certification. This makes it impossible to determine how well they comply with the ISO/IEC 27001 requirements. Obtaining a certification from an independent third-party registrar such as PECB serves as proof for stakeholders and clients that all the requirements and controls are being implemented correctly.
ISO/IEC 27001 Certification
The ISO 2014 Survey of Management System Standard Certifications specifies that the information security standard experienced a 7% growth of companies being certified against ISO/IEC 27001 in 2014. In 2013, 22,349 companies were certified against ISO/IEC 27001, and this number increased by 1,623 additional companies in 2014. However, it is important to point out that the UK has the most significant growth, reducing cyber-security incidents.
This implies that companies should pay more attention to ISO/IEC 27001 and get certified against it in order to reduce and/or eliminate data breaches that result in millions of lost records and affected stakeholders.