Here is a free document I created a while back and which I feel hasn't…
Here are two questions that every Board and Owner should really be asking themselves:
- Do we hold or handle information that our customers, our employees, or you as directors or owners, consider to be confidential?
e.g. contracts, customer data, market sensitive information, private and confidential ‘stuff’, salary information, employment contracts, personal data, applicant data, performance reports, board reports, business plans, or R & D documents
- Do we have Professional Indemnity Insurance?
If so, have you checked the terms and conditions recently? You may find that your insurer expects you to have an Information Security Management System.
If you’ve answered YES to either or both, then ask yourself the following:
- Have we upgraded to an Information Security Management System (ISMS)?
- Is it ISO 27001 certified?
If NO, then you should consider the additional risks you are running to your revenue and reputation, should this confidential information be stolen or leaked.
ISO 27001, or to give it its full title, ISO/IEC 27001:2013, is THE standard for Information Security Management Systems. An organisation that holds the ISO 27001 certification demonstrates that it takes a systematic, risk-based approach to ensuring the Availability, Confidentiality and Integrity of its corporate information. And that of its customers and suppliers.
As such, it shows, to its employees, customers, suppliers and industry regulators that it takes information security seriously. That it is trustworthy.
Why is ISO 27001 Accreditation Important?
Threats, vulnerabilities and risks abound. Every day, we see, read and hear stories about sensitive corporate information being lost or stolen. About that information being used to bring firms to their knees financially, about it being used to steal people’s identities, about it being used to ruin reputations. Reputations that may have taken decades to build. Firms that have gone through the significant steps required to develop, implement and maintain an accredited Information Security Management System clearly show that they take it seriously. And are prepared to do what it takes to manage the risks to an appropriate level for their business.
Would it Matter?
According to the IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: United States:
“The total average cost paid by breached organizations has increased from $5.4 million to $6.5 million. The average cost for a stolen record has increased from $201 to $217, of which $74 represents direct costs and $143 indirect costs.”
The equivalent costs in the UK are £1.5M for a major breach suffered by a large organisation and just over £300,000 for a SMB.
What impact would that have on your revenue and reputation?
What Does ISO 27001 Involve?
Establishing an accredited Information Security Management System (ISMS) is best thought of as a business change or transformation project and not as an IT project!
That’s because, whilst much of the information security infrastructure is likely to involve IT, most of the work involves transforming your business requirements, your ‘Risk Appetite’, your Leadership and your People and Culture. Rare is the IT function skilled in these arts.
Central to an effective ISMS is a simple concept – it needs to work to the benefit of the business. Which means, you, as a leader absolutely must be fully involved in ensuring that the scope, risk assessment and controls meet your business requirements and strategy.
Get this wrong and the ISMS ends up running the business rather than supporting it. Get this wrong and employees ignore the processes defined in the ISMS and revert to doing what is easiest and most convenient. And that’s not trustworthy.
What’s Your Risk Appetite?
The ISO 27001 approach really makes you and your colleagues work through your appreciation of risk and in particular, it forces you to establish a framework for measuring just how much risk you are prepared to accept in your business operations.
Personally, I think this is one of the most valuable aspects of ISO 27001. It’s essential to the development of the ISMS and valuable more generally across the whole organisation because it provides a mechanism for enabling decisions to be made at all levels, so improving agility and organisational flexibility. Whilst still maintaining control and accountability.
Roles, Responsibilities and Resources
ISO 27001 also puts the onus on leaders to ensure that their employees, contractors, consultants and suppliers have all the tools, skills, training and resources they need to keep confidential information secure. Again demonstrating that leadership is key and accountable.
Records and Reviews
A further powerful aspect of the ISO 27001 standard is its emphasis on monitoring and recording. ‘What gets measured gets done’. By keeping data on the relevant and important factors, you will be able to reassure yourself and all other interested parties about the continued integrity of your ISMS. You’ll also be aware when things start to go wrong. And it will help flag when change is needed.
Continuous improvement is baked into the standard. You can’t ‘fit and forget’. Which, let’s be clear, is a blindingly obvious requirement in the fast-changing Information Security environment.
I’ve only skimmed the surface of ISO 27001 in this article. There is much more that could be covered. Hopefully though, I’ve given you a flavour of what it is and some of the highlights, from a leadership perspective.
Is ISO 27001 of Value to your Organisation?
If you handle confidential information about your employees or clients, or their data, then it probably is. If you’ve got confidential company information you want to keep confidential, then it probably is. Only you can tell.
Let me leave you with a couple of questions.
Having read the above, would you be more likely to trust a firm with your confidential data if they held the ISO 27001 accreditation?
And if they didn’t have the accreditation, what additional questions would you ask?
If you aren’t ISO 27001 accredited, why?
Get in touch and we can arrange a chat over a coffee to explore this topic in more detail.
Here are links to more articles about Information Security Management and ISO 27001:
- Information Insecurity; If it Isn’t ISO 27001, Can You Trust It?
- Information Insecurity; It’s a People Problem
- Information Insecurity; Too Little Too Late…
- ISO 27001; Simply the Best