What’s the value of international standards in the age of COVID-19? Well, in the case of the information security management system standard, ISO/IEC 27001, the standard prescribes baselines for securing information assets. If you haven’t noticed, those information assets are increasingly under threat with the sharp rise in cyber attacks.
So, what should Security teams know about the best-practice standard?
First, a little background: the ISO 27000 series is a family of information security management standards, focused on information security management systems (ISMS). Originally dubbed BS 7799, ISO 27001 was eventually included in the set of ISO standards when the organisation began adding ISMS standards.
What does ISO 27001 define precisely? The standard lays out methods and practices of implementing information security in organisations. It provides flexible guidelines – targeted at companies in all sectors and of all sizes – for how those methods and practices should be implemented. The standard also seeks to enable secure, reliable communications of security risk, which is often missing at the organisational level.
Included in the standard are the requirements that an ISMS must fulfil in order to achieve certification. Those specifications are broad, however: specific requirements are not given in this generic standard, as it is applicable to all businesses in all sectors. As is the case with ISO standards in general, the detailed requirements are left to individual companies to develop and implement. ISO 27002, in particular, provides supplementary guidelines.
What ISO 27001 outlines, instead, is the broad requirement for planning, implementing, operating, and continuously monitoring and improving a process-oriented ISMS. It calls on organisations to identify and assess risks, as well as to define control objectives.
What else: the standard also identifies the necessity of adequate training as a prerequisite for implementing and then communicating security procedures – as an aside, we’ve learned in this pandemic moment that the lack of training for newly remote workers has provided a soft underbelly to opportunistic hackers. Those procedures must then be continuously monitored, checked on, and improved upon, so as to ensure the effectiveness and efficiency of the ISMS.
The standard also tasks senior management – not just top executives but business line owners – with control of the end-to-end certification and implementation process, including the determination of a security policy, definition of roles and responsibilities, recruitment and preparation of necessary personnel and material resources, as well as decisions on risk management.
There’s another element of ISO 27001 well worth mentioning, and that’s physical security operations. In the era of social distancing and new safety guidelines, physical security itself is changing. But it’s often forgotten that even in socially distanced facilities, information assets exist in physical space, leaving them highly vulnerable to compromise. That remains true even with the most robust cyber security measures in place.
So, what does ISO 27001 say about physical security? The standard instructs complying organisations to look at the risks relating to physical access to their information assets. Firms must then put in place controls, where appropriate, to manage (limit or simply control) physical access to those assets.
Of course, that only scratches the surface of what the best-practice standard has to say. If you’re keen to learn more, download our guide to ISO 27001.