Information security standards such as those developed and published by the ISO (International Organization for Standardization) might not be enshrined in law, but that doesn’t mean they should be viewed as a ‘nice to have’ or an afterthought in your security policies and practices.
ISO publishes thousands of standards, but one of the most publicised of recent times is ISO 27001. Put simply, ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS (information security management system): the policies, procedures, and legal, physical and technical controls that an organisation uses to manage information risk. (Its companion, ISO 27002, supplies the implementation guidance for the controls.) The Standard can deliver substantial benefits for organisations across a wide range of sectors, especially in light of the GDPR (General Data Protection Regulation), which has now been in force for nearly a year.
What does an ISMS involve?
The Standard has organisations begin by defining an information security policy and the scope of the ISMS, and then conduct a risk assessment: identify the information assets in scope, the threats to them and the vulnerabilities those threats could exploit, and rate each resulting risk by likelihood and impact. Once the risk assessment is complete, organisations treat the identified risks (modify, share, avoid or retain them), select the control objectives and controls to be implemented, typically from Annex A, and record those decisions in the SoA (Statement of Applicability), which lists every Annex A control with a justification for including or excluding it. Any residual risk that remains after treatment must be formally accepted by its risk owner, and the assessment is repeated at planned intervals and whenever a significant change occurs.
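The steps above in miniature, as an added illustration that is not code from the original page, from vsRisk Cloud or from ISO: a toy risk register that scores each asset/threat/vulnerability combination, applies controls to reach a residual risk, flags what the risk owner still has to accept, and builds the SoA with a justification for every control whether selected or not. The 1 to 5 scales, the risk appetite of 6, the effect attributed to each control and the sample risks are all assumptions; control identifiers follow the Annex A numbering of ISO/IEC 27001:2013, with paraphrased names.

```python
"""Toy ISO 27001 risk register and Statement of Applicability (SoA) builder.

Added illustration: not code from the original page, vsRisk Cloud or ISO.
Assumptions: 1-5 likelihood and impact scales, a risk appetite of 6, the
effect each control has on a risk, and the sample risks themselves. Control
identifiers follow ISO/IEC 27001:2013 Annex A numbering; names are paraphrased.
"""
from dataclasses import dataclass, field

# Constructed subset of the Annex A control catalogue (2013 numbering).
CONTROLS = {
    "A.9.4.3": "Password management system",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.1": "Equipment siting and protection",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}

RISK_APPETITE = 6  # assumed: residual likelihood * impact above this is not acceptable


@dataclass
class Risk:
    """One row of the register: an asset, a threat and the vulnerability it exploits."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale
    owner: str       # the risk owner who must accept any residual risk
    # (control id, likelihood reduction, impact reduction) per applied control
    treatments: list = field(default_factory=list)

    def treat(self, control_id: str, likelihood_cut: int = 0, impact_cut: int = 0) -> None:
        """Apply an Annex A control; the reductions are assumed estimates."""
        if control_id not in CONTROLS:
            raise KeyError(f"{control_id} is not in the control catalogue")
        self.treatments.append((control_id, likelihood_cut, impact_cut))

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        likelihood = max(1, self.likelihood - sum(lc for _, lc, _ in self.treatments))
        impact = max(1, self.impact - sum(ic for _, _, ic in self.treatments))
        return likelihood * impact

    @property
    def within_appetite(self) -> bool:
        return self.residual <= RISK_APPETITE


def build_register() -> list:
    """Constructed sample register for a small SaaS company."""
    db = Risk("Customer database", "External attacker steals data",
              "Unpatched internet-facing web server", 4, 5, "Head of Engineering")
    db.treat("A.12.6.1", likelihood_cut=2)   # patch management lowers likelihood
    db.treat("A.10.1.1", impact_cut=2)       # encryption at rest lowers impact of a dump

    pii = Risk("Customer database", "Unlawful disclosure of personal data",
               "No documented procedure for handling PII", 3, 4, "Data Protection Officer")
    pii.treat("A.18.1.4", likelihood_cut=2)

    files = Risk("File server", "Ransomware", "Backups not tested", 3, 4, "IT Manager")
    files.treat("A.12.3.1", impact_cut=1)    # restores work, but slowly: residual stays high
    return [db, pii, files]


def statement_of_applicability(register: list) -> dict:
    """Every catalogue control, marked applicable or not, with the risks that justify it.

    Clause 6.1.3 d) of ISO/IEC 27001:2013 requires a justification for both
    inclusions and exclusions, which is why excluded controls still appear.
    """
    soa = {}
    for control_id, name in CONTROLS.items():
        justified_by = [f"{r.asset}: {r.threat}" for r in register
                        if any(cid == control_id for cid, _, _ in r.treatments)]
        soa[control_id] = {
            "name": name,
            "applicable": bool(justified_by),
            "justification": "; ".join(justified_by)
            or "No assessed risk requires this control",
        }
    return soa


def residual_risks_for_acceptance(register: list) -> list:
    """Risks still above appetite after treatment: the owner must sign these off (clause 6.1.3 f)."""
    return [r for r in register if not r.within_appetite]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        status = "OK" if r.within_appetite else f"ACCEPTANCE NEEDED ({r.owner})"
        print(f"{r.asset:18} inherent={r.inherent:2} residual={r.residual:2} {status}")
    for cid, row in statement_of_applicability(register).items():
        state = "applicable" if row["applicable"] else "excluded  "
        print(f"{cid:9} {state} {row['justification']}")
```

Running the script shows the file-server ransomware risk still at 9 after treatment, above the assumed appetite, so it lands in the acceptance list for its owner; the SoA lists A.9.4.3 and A.11.2.1 as excluded with an explicit reason, which is what an auditor will look for.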
After implementing an ISMS, organisations can seek accredited certification to ISO/IEC 27001:2013, in which an accredited certification body audits the ISMS against the Standard. From there, the potential business value is rich and varied.
Why should we care about ISO 27001?
According to the most recent ISO Survey, nearly 40,000 ISO 27001 certificates were valid worldwide at the end of 2017, making it one of the most widely adopted standards in the ongoing fight against cyber crime. The cyber threat landscape is constantly evolving, and most organisations now recognise that it is a case of when, not if, they will suffer an attack or data breach. The processes ISO 27001 requires, from risk assessment and treatment through incident management to business continuity planning, strengthen an organisation's defences; they also mean that, should the worst happen, the organisation can get back on its feet more quickly. Certification attests that the management system is in place and operating, not that a breach is impossible, so the selected controls still have to be tested, internally audited and reviewed.
Achieving ISO 27001 is also a considerable differentiator for your organisation. In a recent press release, Nathaniel Davidson, CTO of Kryon – which recently became the first RPA vendor to receive the certification – said:
We believe that trust should not be given blindly to any technology, especially when woven throughout a business’ processes […] This ISO/IEC 27001:2013 accreditation is a reflection of our ongoing commitment to providing our customers with the level of security that they expect and deserve.
His sentiments illustrate the value of ISO 27001 in bolstering a company's reputation among customers and competitors alike.
ISO 27001 and GDPR
Indeed, data protection and privacy are particularly salient aspects of ISO 27001 (Annex A.18.1.4 addresses privacy and the protection of personally identifiable information), especially following the GDPR, which came into force last year and affects every organisation that processes EU residents' personal data. Article 32 of the GDPR requires technical and organisational security measures appropriate to the risk, which is precisely the risk-based approach an ISO 27001 ISMS provides, so an ISMS is a natural foundation for demonstrating GDPR compliance.
Additionally, data privacy is becoming an increasingly high-profile topic in the mainstream media, with global organisations such as Facebook coming under fire for how they share users' personal data with third parties. Consumers are becoming increasingly aware of the ways organisations use their data, and want to take back control. Organisations cannot afford to take a blasé approach to data privacy; they need a structured, logical and comprehensive strategy.
How Vigilant Software can help
Vigilant Software’s vsRisk Cloud solution guides organisations through their risk assessment in line with all of ISO 27001’s requirements, allowing users to identify risks by selecting assets, threats and vulnerabilities, and to apply controls to reduce those risks to an acceptable level within the compliance framework. vsRisk Cloud automatically produces the SoA required by ISO 27001, and enables the risk assessment to be easily repeated year after year.
In line with the demands of the GDPR, we have now updated vsRisk Cloud with a specific module focusing on data privacy, so that this crucial area can be appraised and managed as part of the broader ISO 27001 risk assessment.
For more information on how Vigilant Software can help you manage your data privacy, get in touch today.
Our easy-to-integrate, Cloud-based tools – vsRisk Cloud, the Data Flow Mapping Tool, the DPIA Tool, GDPR Manager and Compliance Manager – help you identify your legal requirements, understand the data you process and conduct information security risk assessments in line with international best practice.
To request a free seven-day trial of any of our tools, please click here.