In today’s world information security is a real challenge and technology, good or bad, is inevitable. Technology is in fact the one that determines how we approach the security of information in order to manage security threats.
Technology allows us to do everything at a much faster pace and much more efficient. However, we must not lose sight of the fact that it does the same thing for criminals. We are at a stage where we store, process and transfer data in unimaginable quantities, but it’s the information we extract from it that represents the true value.
A few months ago I wrote an article called “Quality Management – between necessity and indifference” because I noticed there are a lot of people that understand, accept and even want quality, but when one is faced to take necessary measures to assure it, a series of problems appear.
The exact same thing is happening to information we hold and we should protect. We know of its importance, we accept and want its protection. This is why I found interesting an approach to “Information Security Management” starting with the idea that information controls businesses.
Information controls businesses and represents the “based theory of competitive advantage” (Robert M Grant) because no organization can function without critical and reliable information.
That being said, an extremely important question arises: how do I know that my organization secures all the information it holds?
We store in our computers, mobile devices and/or cloud, information about our current or future projects, fabrication processes, financial documentation or even client details that can be accessed from everywhere with an internet connection. We can’t be too sure of their safety, can we?
I must also mention the huge quantity of personal information that should remain confidential, but do we even have the guarantee that these are truly secured?
There is a way to make sure that my organization is efficiently securing its information: implementing an Information Security Management System based on a process that involves full performance control of overseen processes.
Information security of my organization, my clients and partners, is guaranteed by attaining an ISO 27001 certificate.
What does the ISO 27000 family of standards say?
“The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).” – http://www.iso.org
What does the standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements say? It “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”
Tricky, right? No worries, in fact everything is quite simple.
Information security should be viewed from a holistic perspective, in order to face the challenges of preventing real security threats such as fraud, sabotage, espionage, fire, floods or terrorism.
It is not mandatory to be certified, but the advantages offered by implementing a Information Security Management System based on ISO 27001 should bring more interest from the manufacturers and service providers.
We live in a world where managers focus on two major areas: optimizing processes and creating new business strategies that puts them ahead of their competitors.
Therefore, in order to adapt to current market demands, clientele and sometimes legal requirements, companies have started to obtain an arsenal of ISO certifications that target several domains and issues: Quality (ISO 9001), Environment (ISO 14001), Occupational Health and Safety (ISO 18001), Information Security Management (ISO 27001), IT Service Management (ISO 20000), Business Continuity (ISO 22301), and the list can go on.
What do all these standards have in common? Risk Management. This should not be seen as a negative element, but more so as an opportunity to identify and improve processes, which only leads to a positive approach to risk.
An approach based on taking risks assumes a proactive and preventive approach, as the costs of preventing will always be lower than those of repairing.
The first and most important step in implementing a standard involves documenting and approaching the company’s activities in an organized manner.
That being said, one of the main roles of efficiently implementing a standard is the protection of both employer and employee. This way, both will have a clear description of what to expect from each other, and a set of rules that will reduce the risk of misunderstanding.
When talking about implementing a management system based on a standard, no matter what the standard is, we must first and foremost understand the real benefits.
Initially, a shiny new certificate may boost the company’s image or even land a new contract. Going beyond the superficial aspect and bragging rights of owning a certificate, we should take a step back and see the real long term benefits implementing a standard will have on any company, small or large.
Of course beyond all the advantages offered by ISO 27001, there are a series of myths that should be known and addressed.
Dejan Kosutic, in his book “Secure & Simple – A Small Business Guide to Implementing ISO 27001 on Your Own”, presents “What ISO 27001 is not – 7 most common myths”. With his permission, I will list 3 myths the way he presents them.
- “The standard requires xyz” – “The standard requires passwords to be changed every three months.” “The standard requires that multiple suppliers must exist.” … The standard doesn’t say anything like that…
- “We’ll let the IT department handle it” – This is the management’s favorite – “Information security is all about IT, isn’t it?” …The truth is, implementation of ISO 27001 is more a business project than an IT project.
- “This standard is all about documentation” – Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point of ISO 27001 implementation is that the employees perform their activities in a secure way, and the documentation is here to help you do that.
ISO 27001 brings value to an organization only if the certification represents the presence of good management practices, meaning the system is implemented well.
I truly believe that in order to be successful in a highly competitive market and with high-security risks, any organization needs to implement an Information Security Management System and this objective should not be ignored.
- “Secure & Simple – A Small Business Guide to Implementing ISO 27001 on Your Own” by Dejan Kosutic
- The International Organization for Standardization (ISO)
- Mihai Dantis, Business Development Manager South East Europe at ELO Digital Office Romania