How to adopt a comprehensive, risk-based approach to cyber security

Although some experts might say otherwise, there’s no one right way to address your organisation’s information security.

Sure, there are universal threats, and technologies and processes that tackle them. We hope every organisation has processes such as staff awareness training and anti-malware technology, for example.

However, it’s impossible to know how extensive these defences should be until you know how serious the threat is.

That’s why every organisation should build its defence measures according to the risks it faces.

What is a risk-based defence?

You don’t have infinite amounts of money to spend on information security, so you need to pick your battles carefully.

The best way to do this is through a risk assessment to identify and prioritise your biggest threats. From there, you can select appropriate controls to mitigate those risks and allocate a portion of your budget to implementing and maintaining those controls.

This advice forms the basis of ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

By following ISO 27001’s risk-based approach, you can tailor your defences to your specific needs. This process ensures that you’re doing everything in your power to prevent security incidents as efficiently as possible.

How to implement ISO 27001

Implementing ISO 27001 isn’t straightforward, but it’s not as complex as you might think. The process can take anywhere from three months to a year, depending on the size of your organisation and your implementation team.

As with information security generally, there’s no one right way to implement the Standard. But if you think that sounds daunting, there’s no need to fear, because there’s plenty of help available, including a general nine-step process to follow.

1. Project mandate

The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:

  • What are we hoping to achieve?
  • How long will it take?
  • What will it cost?
  • Does it have management support?

2. Project initiation

Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.

3. ISMS initiation

The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security.

However, it doesn’t specify a methodology, and instead allows organisations to use whatever method they choose, which might mean continuing with their existing model.

4. Management framework

At this stage, you’ll need a broader sense of the ISMS’s framework. Part of this involves identifying the scope of the system, which will depend on the context.

Note that the scope of your organisation also needs to account for remote workers and the tools they use, such as cloud servers. With the rapid rise in home working in the wake of the COVID-19 pandemic, this is something organisations must stay on top of.

The workspace of permanent homeworkers must be subject to a risk assessment to identify information security threats in the same way as an office on your premises.

5. Baseline security criteria

You now need to identify your core security needs – i.e. the minimum level of defence that enables you to conduct business securely.

You can do this by reviewing your risk assessment and looking at which assets are used in your core business processes. Any controls that prevent risks that would otherwise render an asset unusable will form your baseline security criteria.

6. Risk management

ISO 27001 allows organisations to broadly define their own risk management processes.

The most common ways of doing this are to look at risks associated with specific assets or at risks presented in specific scenarios. There are pros and cons to each approach, and some organisations will be much better suited to one method than the other.

We generally recommend following an asset-based approach because it’s more suited to ISO 27001’s focus on assessing assets.

Developing a list of information assets is a good place to start, but if your organisation has an existing list, most of the work will already be done.

Whichever approach you opt for, there are five aspects you need to cover:

  • Establishing a risk assessment framework
  • Identifying risks
  • Analysing risks
  • Evaluating risks
  • Selecting risk management options

7. Risk treatment plan

This is the process of building the security controls that will protect your organisation’s information assets.

To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls and that they are aware of their information security obligations.

You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.

8. Measure, monitor and review

For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance to see what’s working and what could be improved.

This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.

You will ideally have a baseline to measure these results against, which means gathering information security statistics before you begin your ISMS implementation project.

If that’s not possible, you’ll have to rely on whatever data you have – which may include anecdotal information – and set short-term goals.

9. Certification

Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.

The auditor will review the organisation’s management system documentation, and if everything is in order, they’ll move on to an on-site audit to test the procedures in practice.

Why certify to ISO 27001?

There are many benefits of certifying to ISO 27001. For example, it will help you:

  • Demonstrate your credibility when tendering for contracts.
  • Expand into global markets. An ISO 27001 certificate is often a supply chain requirement, while in Japan and India it is often a legal requirement.
  • Protect and enhance your reputation. When it comes to security breaches, loss of customer confidence can have far more serious consequences for an organisation than the fines levied by the country’s supervisory authority.
  • Satisfy audit requirements. By providing a globally accepted indication of security effectiveness, ISO 27001 certification negates the need for repeated audits, reducing the number of external audit days.
  • Avoid the financial penalties and losses associated with data breaches.

Become an ISMS expert

Are you looking to gain the necessary skills to implement an ISMS? If so, our Certified ISO 27001 ISMS Foundation Live Online Training Course is the perfect option.

This one-day training course provides a complete introduction to the key elements required to achieve compliance with the Standard.

With bite-sized videos presented by an experienced cyber security professional, you’ll get the same expertise as in a classroom course, but you can study at your own pace and from the comfort of your home.

A version of this blog was originally published on 28 March 2018.