Organisations that want a proven, structured approach to information security should look no further than ISO 27001.
The Standard describes best practice for implementing and maintaining an ISMS (information security management system), which is built around a system of controls that protects your information from a wide variety of threats.
The full list of controls appears in Annex A of the Standard. In ISO 27001:2013 there are 114 controls, divided into 14 sections (A.5 to A.18); the numbering used below follows that edition (the 2022 revision restructures Annex A into 93 controls under four themes).
If you think that’s a lot of work, relax. You don’t need to implement them all, only the ones that treat risks identified in your ISO 27001 risk assessment, and you record which ones you have chosen, and why, in the Statement of Applicability.
In this blog, we identify three of the most important sets of controls for keeping information secure.
1. Asset management
Security incidents are far more likely when no one in your organisation knows who is responsible for a given piece of information.
Asset management is the process of identifying your information assets, assigning an owner to each at every stage of its lifecycle, and defining the steps that must be taken to keep it secure.
The controls to ensure effective asset management are outlined in Annex A.8 of ISO 27001:
- A.8.1 Responsibility for assets, which requires an inventory of the information assets in scope of your ISMS, a named owner for each, and your acceptable use and return-of-assets rules.
- A.8.2 Information classification, in which organisations determine the level of protection each piece of information should be given, and label and handle it accordingly.
- A.8.3 Media handling, which prevents unauthorised disclosure, modification, removal or destruction of information stored on removable media, including during transport and disposal.
2. Access controls
Organisations often don’t account for the threat their own employees pose, which is a big mistake when you realise how many breaches are caused by human error or malicious insider action.
Many of those threats can be mitigated with access controls: measures that ensure employees have access only to the information and systems their job requires (the principle of least privilege), and that this access is removed when it is no longer needed.
ISO 27001’s access controls are outlined in Annex A.9:
- A.9.1 Business requirements of access control, in which an access control policy is documented and shared with employees. The policy should account for the security requirements you identified during information classification and the information and network access necessary for each job role.
- A.9.2 User access management, which covers how you grant, review and remove access for employees (joiners, movers and leavers), including the allocation and regular review of privileged access rights.
- A.9.3 User responsibilities, which holds users accountable for safeguarding their authentication information, such as passwords and tokens.
- A.9.4 System and application access control, which prevents unauthorised access to systems and applications. This includes secure log-on procedures, password management systems and restrictions on privileged utility programs and source code.
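The access review that A.9.2 calls for is easy to describe and easy to skip. The following script is an added example, not code from the original post or from the Standard; it shows what a periodic user access review can check mechanically: every account holds only the entitlements its role baseline allows, leavers no longer have enabled accounts, and privileged entitlements carry an explicit approval. The role baselines, entitlement names and accounts are constructed sample data, and the review date is an assumed parameter.

```python
"""Periodic user access review (ISO 27001:2013 A.9.2), as an added example.

Constructed sample data throughout; nothing here is a real organisation's
role model. The checks implement three least-privilege questions:
  1. Does each account hold only what its role baseline permits?
  2. Has anyone whose leaving date has passed still got an enabled account?
  3. Is every privileged entitlement backed by a recorded approval?
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role baselines: the entitlements each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password-reset", "ticketing:agent"},
    "sysadmin": {"ad:password-reset", "ad:domain-admin", "vpn:full"},
}

# Entitlements the (assumed) access control policy classes as privileged.
PRIVILEGED: Set[str] = {"ad:domain-admin", "vpn:full"}

Finding = Tuple[str, object]  # (finding type, supporting detail)


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    enabled: bool = True
    leaving_date: Optional[date] = None
    # Privileged entitlements for which a signed-off approval exists.
    privileged_approvals: Set[str] = field(default_factory=set)


def review_account(acct: Account, today: date) -> List[Finding]:
    """Return the list of findings for one account (empty means clean)."""
    findings: List[Finding] = []

    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        # A role with no baseline cannot be reviewed; flag it rather than guess.
        findings.append(("unknown-role", acct.role))
        baseline = set()

    # 1. Excess access: anything granted beyond the role baseline.
    excess = acct.entitlements - baseline
    if excess:
        findings.append(("excess-access", sorted(excess)))

    # 2. Leaver with an account that is still enabled.
    if acct.enabled and acct.leaving_date is not None and acct.leaving_date <= today:
        findings.append(("leaver-still-enabled", acct.leaving_date.isoformat()))

    # 3. Privileged entitlements without a recorded approval.
    unapproved = (acct.entitlements & PRIVILEGED) - acct.privileged_approvals
    if unapproved:
        findings.append(("unapproved-privilege", sorted(unapproved)))

    return findings


def review_all(accounts: List[Account], today: date) -> Dict[str, List[Finding]]:
    """Review every account; only accounts with findings appear in the result."""
    result: Dict[str, List[Finding]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            result[acct.user] = findings
    return result


# Constructed sample accounts. 'alice' is clean; 'bob' accumulated a domain-admin
# right he no longer needs; 'carol' left but was never disabled; 'dave' has a
# role nobody defined a baseline for.
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "accounts-payable", {"erp:invoices:read", "erp:invoices:approve"}),
    Account("bob", "helpdesk", {"ad:password-reset", "ticketing:agent", "ad:domain-admin"}),
    Account("carol", "sysadmin", {"ad:password-reset", "ad:domain-admin", "vpn:full"},
            leaving_date=date(2024, 1, 31),
            privileged_approvals={"ad:domain-admin", "vpn:full"}),
    Account("dave", "contractor", {"ticketing:agent"}),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        for kind, detail in findings:
            print(f"{user}: {kind} {detail}")
```

Run against the sample data, the script reports bob’s excess and unapproved domain-admin right, carol’s still-enabled leaver account and dave’s undefined role, while alice produces nothing. In practice the account list would be exported from your directory and the findings would feed the access review record that an ISO 27001 auditor will ask to see.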
3. Physical and environmental security
Organisations often overlook the importance of protecting their premises when addressing information security. However, it’s essential that you understand the risks that physical vulnerabilities introduce.
Two of the most common are environmental threats (a snowstorm knocking out power lines, for example) and intruders or visitors finding sensitive information in a public part of the building.
The controls to ensure effective physical and environmental security are outlined in Annex A.11 of ISO 27001:
- A.11.1 Secure areas, in which you identify any locations that contain sensitive or critical information and implement measures to prevent unauthorised physical access, damage and interference. This includes physical entry controls at your main entrance, delivery and loading areas, and any rooms or offices within your premises that house sensitive information. You must also protect against external and environmental threats and document procedures for working in secure areas.
- A.11.2 Equipment, which prevents the loss, damage, theft or compromise of assets (including equipment used off-site and unattended equipment) and interruption to the organisation’s operations.
Do you have the necessary controls in place?
With the threat of cyber crime so high, it’s vital that your organisation’s security controls leave nothing to be desired. One missing control could be the difference between a minor security scare and a major data breach. You can check whether your organisation is taking all the necessary steps by completing our cyber security self-assessment. This short questionnaire asks you about your defence measures and suggests ways for you to become more secure.