Undertaking an information security risk assessment of your organisation’s assets (whether you are looking to achieve ISO 27001/ISO 27005 compliance or not) is not a straightforward task. Vigilant Software talks to Phil Hare, an information security professional, about how to make your cyber security risk assessment easier using purpose-built software. The business benefits that risk assessments bring to your organisation, with or without ISO 27001/ISO 27005 certification at the end of the process, are also discussed.
1. How did you get in to the information security field and what were the business drivers that led you there?
It was interest more than anything. I have an IT background which over the years has involved experience in a broad range of topics and disciplines. Information security, and ISO 27001 in particular, allows me to draw on all of that experience and put it to practical use.
2. You have a broad knowledge of information security risk assessment. What is, in your opinion, the key part of an information security risk assessment?
Put simply, it’s people. There are lots of things that are important to get right – granularity of the assets, good understanding of scope, methodology and so on – but to perform a risk assessment properly you must have a working knowledge of the assets in question. To have that, you have to talk to the people who know why they are there, how they are used, in what context and by whom. You can only do that by talking to the people who actually have responsibility for them. The devil, as ever, is in the detail, and it’s the people on the ground who can give you that detail.
3. What is the most challenging ISMS (information security management system) project that you have been involved in? What helped you overcome the challenges?
Although one or two do spring to mind, there are several reasons why I won’t draw on them directly, not least of which being various non-disclosure agreements! However, they’ve all been challenging in one way or another; all organisations are different, they all have different reasons for implementing their ISMS and they all have different resources to draw upon. An ISMS is something that is structured to work for the organisation; perhaps the biggest challenge is making sure that approach is taken, rather than trying to shoe-horn the organisation into the framework for an ISMS.
4. You have been heavily involved in the development of the information security risk assessment tool, vsRisk. In one or two sentences, why should anyone care about the tool?
vsRisk is designed to make information security risk assessment as painless as possible; it saves vast amounts of time, and in doing so, significant amounts of money.
5. What would you say to anyone attempting an ISMS project without vsRisk?
Good luck! I’m not saying that to be flippant – we created vsRisk because we know that without it an information security risk assessment can be very, very labour-intensive.
6. What are the business benefits of information security risk assessments, with or without going the whole way and gaining ISO 27001 certification?
Resilience. As a rule, organisations tend to fare better if they are aware of a cause before the effect is felt, rather than having to figure out what happened after the damage has been done. I would not be exaggerating at all when I say it can be the difference between having a business – a livelihood – and not. You can’t predict the future, but you can prepare for it, and an information security risk assessment provides you with a detailed map for doing so.
7. What is the number one piece of advice that you would give to any organisation contemplating an ISO 27001 project?
Get everyone on board, and I mean everyone, from the CEO to the receptionist (in fact, especially the receptionist). It really is a team effort, it requires input from the whole organisation, and for that everyone has to understand why it’s being done. An ISMS is there to help people, not hinder them, and for it to work everyone in an organisation has to buy into the fact that that really is the objective.
8. What would you say to any organisation not considering ISO 27001 certification?
Consider it. Alan Calder and Steve Watkins, both of whom were leading lights in the vsRisk project way back when, have written extensively on the subject of ISO 27001. The book “The Case for ISO 27001” is a good starting point, pinpointing benefits such as cost-effective, fit-for-purpose information security and regulatory compliance; out-performance of your competitors; and competitive advantage.
9. What do you think will be the main changes in the information security demands of businesses over the next 5 years?
It would be easy to say that the continuing shift towards hosted solutions, home working, BYOD and, of course, the ever-fluid global financial and geopolitical situations are the likely suspects. In truth, though, it’s none of these, or perhaps all of them. The real answer is “I cannot know”. It’s the black swan effect: what we don’t know is of far more importance than what we do, and in the light of that, all I can say is this: be flexible, be prepared, and (of course) be vigilant.