We all use various frameworks to set out how to operate in an efficient and effective manner. Cybersecurity and information security should not be any different – there are many great frameworks available, some quite easy to follow, some very technical and others are used for specific industries.
Over the years, I have worked with many frameworks in attempts to standardise information security. Some standards work well, while others can cause more harm than good, as they may have not been effectively worked out in the first place, or they are more suited to academia than real-world situations.
Some really good interoperable global standards have been produced since 1947 from the International Organisation for Standardisation (ISO), headquartered in Switzerland. The ISO defines rules and standards to aid in tasks for virtually all products that people use, including rules and standards about how products are made and how quality control tests should be performed. This is brilliant for cybersecurity and information security in the modern, online world.
Global ISO technical committees are in place to review and update these standards on a regular basis, typically every three to five years. These committees call out to industry groups and thought leaders for input, so you can be assured that a strong vetting process has taken place of the information contained within these standards.
What are the Basics of an ISO Standard?
All ISO standards are based around a fundamental Plan-Do-Check-Act (PDCA) approach, also known as the Deming Cycle. It is an iterative cycle that helps to build the maturity of the framework or, in ISO terms, the management system.
Planning covers understanding the organisation, defining the scope of the management system, setting policy, investigating risk appetite and determining what risks exist. Doing is where strategy is set, controls and procedures are defined, and the competency of people is addressed through communication, training and awareness. Checking ensures the integrity of the management system, by way of monitoring, measurement, an internal audit approach and effective management reviews. The final component, acting, treats the non-conformities found in audit and looks for ways to continuously improve and evolve the management system.
The ISO 27001 Information Security Management System (ISMS)
A structured PDCA cycle approach is used and the following components are required:
1. Plan
1.1 Initiating the ISMS
1.2 Understanding the organisation
1.3 Analyse the existing system
1.4 Leadership and project approval
1.5 Information security scope
1.6 Information security policy
1.7 Risk assessment
1.8 Statement of applicability

2. Do
2.1 Information security strategy
2.2 Document management
2.3 Design of controls & procedures
2.4 Communication
2.5 Training and awareness
2.6 Implementation of controls
2.7 Incident management review
2.8 Operations management

3. Check
3.1 Monitoring, measurement, analysis & evaluation
3.2 Internal audit
3.3 Management review

4. Act
4.1 Treatment of non-conformities
4.2 Continuous improvement
The Benefits of Implementing an ISMS
An ISMS provides customers and stakeholders with confidence in how you manage risk related to information security. Additionally, it provides senior management involved in information security with an efficient management process. It can offer a competitive advantage due to customer trust and market share. From a regulatory aspect, it demonstrates compliance with customer, regulatory and government requirements. The ISMS can help to align information security with the organisation’s objectives and can enhance integration between business operations and information security. Importantly, an ISMS keeps intellectual property and valuable information secure.
A simple conversation with your information technology staff or consultant can be the first step towards developing and implementing an effective and efficient ISMS. The next step is educating your executives about the initiative, so that your valuable corporate data is protected from internal and external threats.
Tim Rippon is an author, speaker and trainer of cybersecurity and business continuity. He holds a certified Master of Information Security (ISO 27001), certified Master of Business Continuity (ISO 22301) and Lead Cyber Security Manager (ISO 27032) from PECB. Tim is actively involved in various industry groups, including the Australian Women in Security Network (AWSN) and the Business Continuity Institute, where he volunteered for five years, including two years being a board member of the BCI Australasia. Tim is founder and director of elasticus, advising Australian-based executives on how to best manage cybersecurity, disaster recovery and business continuity prior to the occurrence of a major disaster or crisis. He can be contacted via mobile 0417 036 026.