You scored between 5 and 10 points.
You’ve clearly implemented some information security management measures that align with the international standard ISO 27001, but you could be doing more to protect your information. Implementing a full ISMS (information security management system) that conforms to the Standard will improve your security posture, as well as give you access to new contracts and a range of other new business opportunities. By using the right solutions for your organisation, you can implement an ISMS that conforms to the Standard within budget and a reasonable time frame.
Find out more about the measures you should be taking:
1. Do you have a set of information security objectives or some method to determine them?
Information security objectives are an effective way of setting your information security goals and establishing a way to determine when these goals have been met. ISO 27001 says that, where possible, these goals should be measurable so you can avoid inconsistencies or bias. For instance, an objective might be to have all customer-facing servers available 99% of the time.
2. Are resources (individuals and budget) available for managing information security on a continual basis?
Without adequate resources, it is very difficult to implement or maintain effective security. Budgets are top management’s domain, so you’ll need them to understand both the resources you require and how those resources will be used. Allow enough room in the budget for both technology and expertise, whether in-house or outsourced.
3. Is your management team willing and able to contribute to the effectiveness of your information security programme?
Securing support from the top of the organisation is essential for your information security programme. Ensuring management buy-in is also a good way of developing a security culture across the organisation, and enforcing policies and procedures.
4. Do you have an up-to-date information security policy that is supported by your management team and communicated across the organisation?
An information security policy is arguably the most important part of an organisation’s security, because it sets out the organisation’s position on information security and shows that it is taken seriously. The policy doesn’t need to be detailed, but it does need to clearly state how the organisation and its employees are expected to treat information security.
Ensuring that the policy is communicated across the organisation, and clearly backed by management, helps employees know where to look as well as enforce it. As risks are prone to change, it is also important to regularly review and, if necessary, update the policy.
5. Have all legislative, statutory, regulatory and contractual requirements been identified, and are actions being taken to address these requirements?
All organisations are subject to external pressures, many of which relate to information security. These include the GDPR (General Data Protection Regulation), the PCI DSS (Payment Card Industry Data Security Standard), and contracts with clients and suppliers. All of them need to be identified so that your information security programme can take them into account and help you meet their requirements.
6. Do you have an established, repeatable and documented information security risk assessment process?
Following a consistent, documented information security risk assessment is critical to effective security – which is why regulations such as the GDPR often mandate implementing security measures that are “appropriate to the risk”. If you don’t know what risks you face, you can’t protect yourself from them. And if you are unsure how critical individual risks are, it is also difficult to prioritise them, or to put appropriate and proportionate measures in place. On the other hand, if you take a risk-based approach, you should see a good return on investment and your organisation protected.
Download our free green paper 'Risk Assessment & ISO 27001' to discover more about the risk assessment process.
Download now >>
7. Do you consider the confidentiality, integrity and availability of information in your risk assessment programme?
In order for data – or information in general – to be deemed secure, you should consider all three aspects of security: confidentiality, integrity and availability:
- Confidentiality – the information is only accessible to those who need access to it.
- Integrity – the information is protected from unauthorised modification or destruction.
- Availability – the information is accessible to authorised persons as and when required.
vsRisk Cloud is an online tool for conducting an information security risk assessment aligned with ISO 27001. It is designed to streamline the process and produce accurate, auditable and hassle-free risk assessments year after year.
Find out more >>
8. Do you assess the likelihood and impact of information security risks in relation to your organisation’s risk appetite?
The level of a given risk is often calculated as a product of likelihood and impact – in other words, combining how likely it is that the risk materialises with how big the negative impact could be.
As part of the risk assessment process, the overall risk should be compared against your organisation’s risk appetite (risk tolerance). If it’s unacceptable, you need to do something about the risk. This could involve putting measures in place to reduce the risk, but could also involve outsourcing the risk (e.g. through insurance), or eradicating the source of the risk altogether.
9. Have the controls that you’ve selected been compared to the 114 controls in ISO 27001 Annex A?
When selecting controls, it’s always a good idea to compare them against a respected and widely adopted framework or control set. That way, you know that you are keeping in line with best practice. It also means that you are a step closer to certifying to that framework (where applicable), should you want to at a later stage – perhaps to win certain contracts or to reassure customers and suppliers.
ISO 27001’s Annex A is often used as a global benchmark for information security, as it takes a best-practice approach to information security without being tied to any particular technology or processes. This means that any organisation anywhere in the world can apply its controls as part of an information security programme.
10. Do you maintain records of actions undertaken to mitigate, eradicate or manage the risks?
It is important that you record all risks identified, along with any actions taken or decisions to accept the risk as-is. Ideally, your records will also show when the risk was last reviewed, when the next review is due and who the risk owner is. This will provide an easy means of checking how your organisation manages its risks, which is a valuable tool for tracking your progress implementing an information security programme, and can also be reviewed by auditors or regulators.
11. Do you have an effective information security staff awareness programme?
The weakest link in an organisation’s defences is its staff. After all, they are the ones who might click a phishing link or allow someone to tailgate them through a door. The best way to mitigate these kinds of risks is to train your staff – even a short, interactive e-learning awareness course can make a big difference.
Find out more >>
12. Do you have a process for identifying the information security skills and competences you need, and developing them if necessary?
It is important you have – either in-house or via a third party – the right people, with the right skills and competences, to implement controls and conduct the necessary assessments. Ideally, you’d have a process in place to efficiently identify what skills you need and, if you don’t already have them, how to obtain them.
As the information security landscape is so changeable, with new threats and solutions being discovered all the time, staff with security responsibilities may require additional training.
13. Do your staff understand the importance of information security and how they can contribute to it?
As part of the awareness training, staff should understand that security is everyone’s responsibility – not just a matter for the IT team. Anyone who has access to confidential information may also present a security weakness, so they need to know how they can protect that data. That means, among other things, not sharing passwords and making sure no one is looking over your shoulder when working in a public area.
14. Do you have a continual improvement programme to ensure that your information security measures and processes are constantly monitored and improved?
As new threats constantly emerge, and your organisation’s requirements may change with time, it is important to regularly review your measures and processes. A continual improvement programme – an ISO 27001 requirement – will help.
15. Have you considered bringing in an expert to independently audit the efficacy of your information security processes and plans?
Bringing in an independent auditor will help verify that your security measures are robust, and can help reassure customers, suppliers and other stakeholders that you are protecting their information.
We have helped more than 600 organisations achieve ISO 27001 certification, and because we are backed by the team that led the implementation of the world’s first ISO 27001-compliant ISMS, we can guarantee certification. Your journey to success starts with us.
Find out more about our ISO 27001 consultancy services >>
16. Does your management team regularly review actions being taken to manage information security over time?
Top management can’t just set an information security programme running and then ignore it – management needs to be involved and to understand the programme’s needs and how they relate to the organisation’s wider interests. As information security incidents and data breaches can lead to huge financial losses through a combination of fines, production losses and reputational damage, management should take an active interest in information security. That includes reviewing actions that have been (or will be) taken, and providing input where necessary.
Speak to an expert
If you’re looking for guidance or support, we’re here to help. Request a call back from one of our ISO 27001 experts or contact our customer service team for further information.