A Director's brief on ISO27001 Information Security Management
It is generally accepted that information is the greatest asset any
organisation has under its control. Managing Directors are aware that the supply
of complete and accurate information is vital to the survival of their
Today more and more organisations are realising that information security is
a critical business function. It is not just an IT function but covers:
- Risk Management;
- Physical Security;
- Business Continuity;
- Regulatory and Legislative Compliance.
Business has been transformed by the use of IT systems; indeed, IT has become
central to delivering business efficiently. The use of bespoke packages,
databases and email has allowed businesses to grow while encouraging remote
communication and innovation.
Most businesses rely heavily on IT but critical information extends well
beyond computer systems. It encompasses knowledge retained by people, paper
documents as well as traditional records held in a variety of media. A common
mistake when incorporating an information security system is to ignore these
elements and concentrate only on the IT issues.
Information security is a whole organisation matter and crosses departmental
boundaries. It is more than just keeping a small amount of information secret;
your very success is becoming more dependent upon the availability and integrity
of critical information to ensure smooth operation and improved competitiveness.
Confidentiality, Integrity and Availability (CIA)
These are the three requirements for any ISMS.
Managing Directors' Perspective
Your vision is central to organisational development; driving improvements in
all areas of the business to create value. With information technology being key
to so many change programmes, effective information security management systems
are a prerequisite to ensuring that systems deliver on their business
objectives. Your leadership can help create the appropriate security culture to
protect your business.
Organisations are increasingly being asked questions about ISO 27001,
particularly by national or local government, the professions and the financial
sector. This is being driven by adoption of the standard as part of their legal
and regulatory obligations. In some areas this is becoming a tender requirement.
Others are seeing a competitive advantage in leading their sector and using
certification in information security management to develop customer/client
confidence and win new business. With public concern over security issues at an
all-time high, there is a real need to build effective marketing mechanisms to
show how your business can be trusted.
You will certainly be aware of your responsibilities for effective
governance, and be answerable for damaging incidents that can affect
organisational value. The risk assessment, which is the foundation of the
standard, is designed to give you a clear picture of where your risks are and to
facilitate effective decision making. This translates into risk management, not
simply risk reduction, and therefore replaces the feeling of risk ignorance many
directors have in this area. It will help you understand the potential risks
involved in deploying the latest information technologies and will enable you
to balance the potential downside against the more obvious benefits.
Whether as part of compliance (such as that required by professional bodies,
Sarbanes-Oxley or the Data Protection Act) or as part of effective governance,
information security is a key component of operational risk management. It
enables the formulation of effective risk analysis and measurement, combined
with transparent reporting of ongoing security incidents to refine risk
Giving values to the impact security incidents can have on your business is
vital. Analysis of where you are vulnerable allows you to measure the
probability that you will be hit by security incidents with direct financial
An added benefit of the risk assessment process is that it gives you a
thorough analysis of your information assets, how they can be impacted by
attacks on their confidentiality, integrity and availability, and a measure of
their real value to your business.
Although the detail within the risk assessment process can be complex, it is
also possible to translate this into clear priorities and risk profiles that the
Board can make sense of, leading to more effective financial decision making.
How well would you cope if a disaster affected your business?
This could be from some natural cause such as flood or storm, or, worse, from
fire, terrorism or other civil unrest. The areas not often considered are
sickness, failure of utilities or technology breakdown.
Business continuity planning in advance of a disaster can mean the difference
between survival and extinction of the business.
Many of the businesses affected by the Buncefield Fuel Depot disaster never
recovered. Those with an effective business continuity plan have emerged like
the phoenix from the ashes.
Many businesses claim to have a plan, but if the plan is untested or ill
prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place to
prepare for, and be able to deal with, such an emergency.
ISO 27001 Sections
- Security policy - To provide management direction and support for information security.
- Organisation of assets and resources - To help manage information security within the organisation.
- Asset classification and control - To help identify assets and protect them appropriately.
- Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
- Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
- Communications and operations management - To ensure the correct and secure operation of information processing
- Access control - To control access
- Information systems acquisition, development and maintenance - To ensure that security is built into
- Information security incident management - To deal effectively with any identified security incident.
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.
About the Author
Chris Eden FIBC, MISSA, ACQI is a director of Quality Matters Limited, an
established independent management consultancy based in Essex, UK which
Information Security Management consultancy.
Article Published/Sorted/Amended on Scopulus 2008-10-12 18:57:26 in Business Articles