ISO 27001: A path to better information security

Roughly a 7 minute read by Chris Willerton


You’re perhaps thinking “ISO 27000 and what?”… Hopefully the second part of the title should resonate with you though, especially in these modern digital times. Essentially, we’re talking about information security; how it can be (continuously) improved and how we can place it right at the centre of an organisation to give it the appropriate emphasis.

Before we jump in, let’s go back to the “ISO 27001” part…

What is ISO 27001?

ISO is the International Organization for Standardization (the short name is not an acronym; it comes from the Greek word isos, meaning "equal"). It is an independent, non-governmental organisation that publishes a collection of recognised standards that people and businesses can follow. These standards span a wide range of sectors and topics, from information security all the way to food safety, and they are a way for us to agree on what good practice looks like for each topic.

27001 is the number of the standard that sets out the requirements for managing information security; it is published jointly with the IEC, so its full name is ISO/IEC 27001, and it sits within a family of related 27000-series standards. There is a relatively lengthy history to it, which goes most of the way to explaining the name, but I’ll leave that out of this post!

Now that’s cleared up, let’s take a look at why ISO 27001 is important and what the top level requirements and approach should be to following this standard.

ISO 27001 is first and foremost about risk management. When you think about the use of information within your organisation you need to ask yourself two important questions:

  1. Do you know your risks?
  2. Are you in control?

If you can say “yes” to both of these then that is truly something! You are likely already certified to ISO 27001 (or something similar), or perhaps you have not yet thought deeply enough about these questions in the context of your organisation?

In terms of knowing your risks, it quickly becomes abundantly clear that when it comes to information security they exist everywhere, and the potential for information to be mismanaged, misplaced, corrupted, abused, or stolen is enormous. To perform any kind of activity, in any kind of organisation, regardless of size, you rely completely on the security of your information. In fact, you probably take this reliance for granted.

Working with the 27001 standard we have to acknowledge that we can’t eliminate all risk, but we can set acceptance criteria to measure each risk against and then decide whether we are going to treat it (reduce its likelihood or impact with a control, avoid the activity that creates it, or share it, for example through insurance or a supplier contract) or whether we have the appetite to accept it and live with it.

Discovering risk

As part of our ongoing improvement process we operate a risk register, a commonly accepted practice when working with the standard. This is a collation of all the risks to the organisation, which we can work through and decide on a suitable course of action for each. We score each risk using a matrix of likelihood and impact, each rated 1 to 5, which gives a score between 1 and 25. We then classify each risk by comparing its score against acceptance bands. For example: a score of 1-5 might be acceptable, 6-15 might be deemed as needing treatment, and 16-25 is a very high risk that needs immediate action. The bands must not overlap or leave gaps, otherwise a score could fall into two classes or none. This has been a really useful exercise for us to complete because once you get into the right mindset, the amount of risk that most organisations live with each day becomes very clear.

Risk Treatment Matrix

As a starting point, it’s good to have a think about some of the more obvious risks to your organisation and then follow the above approach to categorising their likelihood and impact. A few example risks are outlined below to try and get you started:

  • The integrity of system backups is not tested regularly enough (for example by performing a trial restore), which means a failed system may not be restorable, which in turn affects the availability of a critical service.
  • There is no log of the office access keys issued to each team member, which means there is not enough control over who has access to your organisation’s premises.
  • A confidential report was left unattended on someone’s desk, which means an unauthorised person might have read confidential information.
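
To make the scoring and classification concrete, here is a small Python model of the register described above. It is an added example, not code from the original post or from Engage; the reference numbers, the C/I/A tag, and the likelihood and impact values given to the three example risks are constructed assumptions for illustration. It scores each risk as likelihood × impact, classifies it against the 1-5 / 6-15 / 16-25 bands, checks that the bands are contiguous and cover the whole 1-25 range, and produces a treatment list ordered by score.

```python
from dataclasses import dataclass

# Acceptance bands on the 1..25 score as inclusive (low, high, label) tuples.
# These are the example bands from the post; the check below catches the
# classic mistake of bands that overlap (e.g. "6-15" followed by "15+").
BANDS = (
    (1, 5, "accept"),
    (6, 15, "treat"),
    (16, 25, "immediate action"),
)


def check_bands(bands=BANDS) -> bool:
    """True if the bands are contiguous, non-overlapping and span 1..25."""
    ordered = sorted(bands)
    if ordered[0][0] != 1 or ordered[-1][1] != 25:
        return False
    for (_, high, _), (low, _, _) in zip(ordered, ordered[1:]):
        if low != high + 1:      # gap (low > high + 1) or overlap (low <= high)
            return False
    return True


@dataclass(frozen=True)
class Risk:
    ident: str          # register reference, e.g. "R-001" (hypothetical numbering)
    description: str
    affects: str        # which property is threatened: "C", "I" or "A"
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        if self.affects not in ("C", "I", "A"):
            raise ValueError(f"affects must be C, I or A, got {self.affects!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def classification(self) -> str:
        for low, high, label in BANDS:
            if low <= self.score <= high:
                return label
        raise ValueError(f"score {self.score} is not covered by any band")


def treatment_plan(register):
    """Risks that need action, highest score first (ties broken by reference)."""
    needs_action = [r for r in register if r.classification != "accept"]
    return sorted(needs_action, key=lambda r: (-r.score, r.ident))


# Constructed sample register: the three example risks from the post, with
# assumed likelihood/impact ratings purely for illustration.
SAMPLE_REGISTER = [
    Risk("R-001", "Backup integrity not tested; failed system may not be restorable", "A", 3, 5),
    Risk("R-002", "No log of office access keys issued to staff", "C", 4, 3),
    Risk("R-003", "Confidential report left unattended on a desk", "C", 2, 2),
]


if __name__ == "__main__":
    if not check_bands():
        raise SystemExit("acceptance bands overlap or leave a gap; fix BANDS first")
    for risk in SAMPLE_REGISTER:
        print(f"{risk.ident} {risk.affects} L{risk.likelihood} x I{risk.impact} "
              f"= {risk.score:2d} -> {risk.classification}")
    print("Treatment plan:", [r.ident for r in treatment_plan(SAMPLE_REGISTER)])
```

With the assumed ratings, R-001 scores 15 and R-002 scores 12 (both "treat"), while R-003 scores 4 and is accepted, so the plan lists R-001 before R-002. Running `check_bands` before classifying is the cheap guard worth keeping: with bands written as 6-15 and 15-25 it returns False, which is exactly the ambiguity you do not want in a register that a treatment decision depends on.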

Once you’ve warmed up, a good approach is to then go over each of the requirements set out in the 27001 standard and complete the exercise for any risks that come out of discussion.

This leads me onto the standard itself, and back to the question: are you in control? The intended outcome of the 27001 standard is the creation of an information security management system, or ISMS. The whole point of an ISMS is to preserve the confidentiality, integrity, and availability of information; providing a strong level of confidence to interested parties that any risks have been adequately managed. In order to be successful, the ISMS needs to be closely integrated into your organisation’s processes, policies and controls. You likely already have some processes, policies, and controls that are contributing to your existing information security, and by following the standard you can build on and supplement these to enhance your security confidence.

When you read through the standard, it would be easy to think that some of the requirements are a bit draconian, but this comes down to how you approach the treatment of each risk. At Engage, our culture is immensely important to us, and as such when working on the practicalities of our ISMS we always have this at the forefront of our minds. We’d never want to introduce procedures or policies that affect the team in a negative way. Hopefully with a bit more thinking we can develop an approach that satisfies each requirement and avoids any unwanted impact. Essentially, it’s up to each organisation to adopt sensible and practical controls that satisfy the standard, increase security confidence, and don’t disrupt day to day business too much.

What does this mean for our clients?

At Engage, we’ve always had a strong focus on information security and operating to the ISO 27001 standard demonstrates our commitment to this practice. This is also hugely beneficial to our clients who can be confident in working with an agency suitably equipped to manage their data and in turn reduce their own level of risk. This is especially true in a world where hefty fines for misuse of data can cripple businesses, privacy concerns are in the daily news, and degradation of customer trust can happen more quickly than ever. We predict that having ISO 27001 will increasingly become a requirement at all levels of procurement for digital services too, so we’re glad to be ahead of the curve.

Hopefully this post has gone some way to explaining a bit about the ISO 27001 standard, and what a top level approach to working with the requirements might be. Perhaps it has inspired some thought on the level of risk you currently accept, and whether a stronger focus using the 27001 standard would be a responsible undertaking. It feels particularly pertinent to be working on this in the midst of the current pandemic too, with the additional risk of people working from home. We’re currently looking closely at any improvements we can make to our existing remote working guidance, taking in all the context of the 27001 standard.

Our intention is to share more about our continuous improvement process, and how we’re implementing our ISMS through fast changing times, so keep an eye out for future posts.