Darren Grey, Securious Ltd, is a Lead Implementer of ISO 27001 and discussed the standard during June’s SWCSC Networking Meeting.
- It is a justified risk management framework
- Establish, implement, maintain and continually improve an ISMS – a never-ending process, always learning and improving
- Ensures the organisation assesses and monitors risks to information security
- Implement controls (documentary / technical) to manage risks
- Risk appetite always changes and you need to understand what it is
- Look at risk and mitigate it with controls: policies, procedures and technical controls
- Holistic security: assets, physical, technical, strategic, risks & opportunities (things that have not happened yet) / problems & improvements (incidents that we learn lessons from)
- Continually in the cycle of improvement
- 10 clauses that can be combined with other ISO standards
Why Do Organisations Want ISO 27001?
- Bidding & supply chain demand (due diligence)
- Build security robustness and resilience
- Reassuring stakeholders – clients, 3rd parties, staff
- World recognised standard
- Proactive risk management (culture change)
- Not being the weakest link in the chain
- Foundation of good practice for org expansion
- Combining management systems
- Financial drive, but understand the benefits when implemented
How Do You Get It?
- One size (international standard) fits all
- Understand your system – Who? Why? How?
- Leadership, ISMS team, all staff (role specific)
- Mandatory & non-mandatory documents
- What is your risk appetite?
- What is important?
- What is the risk?
- What is expected?
- Evidence = objectives, risk identification, plans, actions, checks/audit
- Improvement – Plan, Do, Check, Act
Plan Do Check Act:
Process of certification
- Get in touch with an external auditing body (UKAS)
- Implement your ISO (and run it)
- Gather evidence
- Full internal audit
- ISMS management meeting – full agenda
- External Audit – Stage 1
  - Doc review and understanding
- External Audit – Stage 2
  - Evidence gathering – are you running an ISMS?
- Reduce risk
- Robust security processes & Risk Management
- Continued improvement of processes, procedures & awareness
- Increased reputation & winning new business
- Engaging employees & supply chain
- Leadership buy-in
- Resourcing – ISMS team knowledge, and losing it when staff leave
- Understanding that ISO is ‘a tool to be owned & used’
- Treating it as a paper exercise – it is not a tick-box exercise
- Blame culture
- Cost of gaining certification – the standard can still be implemented without certification
- ISO is a tool to be implemented and used by the organisation
- System of improvement
- Considered response to org risk
- Know what is important
- Know how you will protect it