
Guest Blog: Dr Luke Feeney, Certification Europe

/ 26th January 2022 /
Jake Mulcahy

Sponsored Content

Concerned about increasing risk of cyber-attack? ISO/IEC 27001 International Standard can help, writes Dr Luke Feeney of Certification Europe

It was not too long ago that the terms 'information security' and 'cybersecurity' were unheard of in popular lexicons. Today things have changed, with regular reports of information security breaches and cyber-attacks across the globe. A recent exemplar was the callous ransomware attack on HSE systems that resulted in dangerous impacts on the provision of healthcare services in Ireland. There was widespread public outrage and indignation at the attack on such an emotionally charged, deep-rooted societal service.

First off, a declaration. I do not write as any kind of information or cyber security expert, rather as a 'continuously learning' practitioner who implements and audits an international, evidence-based standard for information security management called ISO/IEC 27001. Experience has convinced me that conformance with this standard can underpin effective and efficient organisational information and cyber security management.

However, before I extol the virtues and value of implementing ISO/IEC 27001, it is worthwhile to first define exactly what an information security standard is, and then highlight how conforming to ISO/IEC 27001 requirements can help organisations in their continuing and ever-evolving battle against information and cyber security attack.

An information security standard is a published specification document containing a common language, a technical specification and companion criteria designed to be used as rules or definitions to assure a level of information security performance in a rigorous and consistent manner.

Interestingly, the International Organization for Standardization (ISO) suggests that its standards can contribute to making life less complicated by increasing the reliability and effectiveness of the goods and services we purchase, access and use. Put simply, an evidence-based information security standard is a set of established, evidence-based specifications, rules, definitions and criteria that organisations and their customers, clients, employees etc. refer to (or better still defer to) as a common reference point for excellence in the secure management of data and information.


Whilst there are a number of internationally recognised information security standards and frameworks, ISO/IEC 27001 is an evidence-based, best practice, international standard providing specifications, rules, definitions and criteria for an organisational 'system' to manage information security.

27001 can be implemented in any organisation, irrespective of location, size, industry or technological advancement. It is part of an ever-expanding set of ISO/IEC international standards and codes of practice for information security, often referred to as the '27001 (or 27000) family'.

Implementing a 27001-conformant information security management system (ISMS) provides organisations with a systematic approach for the protection of their information and information processing facilities, and assurance that their data and information is secure when in their custody. Additionally, as technology evolves, ISO/IEC continues to develop new standards and codes of practice to address changing information security requirements.

Furthermore, organisations, via an accredited certification service provider, can seek external certification to 27001 and thereby outwardly evidence that an international, evidence-based ISMS is in place to protect data, information and information processing facilities.

Thus a 27001-conformant ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security to underpin the achievement of organisational business objectives. Appropriately grounded in risk assessment and treatment, an ISMS includes policies, procedures, processes and associated resources and activities, collectively managed to protect organisational information assets.

Successful ISMS implementation includes analysing the requirements for the protection of information assets and addressing criteria to ensure their protection.

A 27001 ISMS requires an organisation to:

• Determine the internal and external issues relevant to its function and operation, including the services that it provides, and thereby understand and contextualise its information security requirements.
• Identify interested parties, such as customers, clients and employees, and their information security needs and expectations.
• Determine and document the scope of its ISMS through understanding its own information security requirements and those of its interested parties.
• Carry out a foundational, critical information security risk assessment within its defined ISMS scope, resulting in the identification and selection of controls to address unacceptable risks, and plan and implement such controls.
• Establish information security objectives and how they will be achieved.
• Continuously evaluate the implementation of information security and achievement of information security objectives.
• Continuously improve information security, based on evaluation.

All of these requirements must be driven by top management leadership and commitment to information security.

In conclusion, ISO/IEC 27001 is an international, evidence-based, best practice, top-down, management-driven, risk-based continuous improvement standard for managing information security. It may not be perfect, and can be challenging to implement and maintain, but surely it is a key consideration for all organisations dealing with data and information in our world today. And it's the very minimum that the public expects.

Benefits of ISO 27001

Protecting your organisation's information is critical for the successful management and smooth operation of your organisation. Achieving ISO 27001 will aid your organisation in managing and protecting your valuable data and information assets.

By achieving certification to ISO 27001 your organisation will be able to reap numerous and consistent benefits, including:

• Keeps confidential information secure
• Provides customers and stakeholders with confidence in how you manage risk
• Allows for secure exchange of information
• Provides you with a competitive advantage
• Enhances customer satisfaction, improving client retention
• Ensures consistency in the delivery of your service or product
• Manages and minimises risk exposure
• Builds a culture of security
• Protects the company, its assets, shareholders and directors

Dr Luke Feeney is an ISO/IEC 27001:2013 Lead Auditor and Trainer with Certification Europe, and Director of Quality, Risk and Patient Safety at the National Maternity Hospital.

Visit certificationeurope.com
