Amid all the expert advice about how to keep your organisation safe from data breaches, it’s important to remember that there’s no one right way to address information security.
Sure, there are universal threats, and technologies and processes that address them. We hope every organisation has fundamental security processes, like staff awareness training and anti-malware technology.
However, it’s impossible to know how extensive these defences should be until you know how serious the threat is. That’s why every organisation should build their defence measures according to the risks they face.
What is a risk-based defence?
Organisations don’t have infinite amounts of money to throw at information security, so they need to pick their battles carefully. This means conducting a risk assessment to identify and prioritise their biggest threats. From there, they can select appropriate controls to mitigate those risks and allocate a portion of their budget to implementing and maintaining those controls.
This advice forms the basis of ISO 27001, the international standard that describes best practice for an ISMS (information security management system).
The Standard is based around risk assessments, enabling organisations to tailor their defences to their specific needs. This process ensures that you’re doing everything in your power to prevent security incidents.
How to implement ISO 27001
Implementing ISO 27001 isn’t straightforward, but it’s not as complex as you might think. The process can take anywhere from three months to a year, depending on the size of your organisation and your implementation team.
As with information security generally, there’s no one right way to implement the Standard. But if you think that sounds too daunting, there’s no need to fear, because there’s plenty of help available, including a general nine-step process to follow.
1. Project mandate
The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?
- What will it cost?
- Does it have management support?
2. Project initiation
Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
3. ISMS initiation
The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security. However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place.
4. Management framework
At this stage, the ISMS will need a broader sense of the actual framework. Part of this will involve identifying the scope of the system, which will depend on the context. The scope also needs to take into account mobile devices and teleworkers.
5. Baseline security criteria
Organisations should identify their core security needs. These are the requirements and corresponding measures or controls that are necessary to conduct business.
6. Risk management
ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to one method than the other.
There are five important aspects of an ISO 27001 risk assessment:
- Establishing a risk assessment framework
- Identifying risks
- Analysing risks
- Evaluating risks
- Selecting risk management options
7. Risk treatment plan
This is the process of building the security controls that will protect your organisation’s information assets. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
8. Measure, monitor and review
For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.
9. Certification
Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.
The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.
Why certify to ISO 27001?
There are many benefits of certifying to ISO 27001. For example, it will help you:
- Demonstrate your credibility when tendering for contracts.
- Expand into global markets. An ISO 27001 certificate is often a supply chain requirement, while in Japan and India it is often a legal requirement.
- Protect and enhance your reputation. When it comes to security breaches, loss of customer confidence can have far more serious consequences for an organisation than the fines levied by the country’s supervisory authority.
- Satisfy audit requirements. By providing a globally accepted indication of security effectiveness, ISO 27001 certification negates the need for repeated audits, reducing the number of external audit days.
- Avoid the financial penalties and losses associated with data breaches.
Want to get your security project started?
Before you begin your information security project, it’s a good idea to assess your current set-up. This will help you determine the scale of the task and how urgent it is.