ISO 27001 in plain english

Often perceived as shrouded in an eerie mist of complexity and strange terminology, ISO 27001 is an established information security standard. In this blog, we’ll explain what it means – in layman’s terms – and why it is a sensible investment for organisations of all shapes and sizes. In its simplest form, it’s a structured framework that helps organisations to understand what their valuable information is, develop an appreciation for the sort of “bad things” which can happen to that information, and implement a sensible safety net of controls to stop them happening.

Introducing “CIA”

Not all information has the same value or sensitivity (compare a confidential password database with publicly available product brochures, for example), so we need to look at three characteristics to determine how much protection it needs:

  • Confidentiality – can it only be seen by persons who are authorised to see it?
  • Integrity – can the information be trusted, or has it been modified without authority?
  • Availability – can the information be accessed as and when required?

We can start to see that sensible business systems and processes will help us provide appropriate protection for each of these considerations. For example, confidentiality can be maintained by user names, strong passwords and proper logging of user activity. Integrity is assisted by implementing access control to minimise access, or perhaps by having regular back-up media which could be recovered. Availability considers many things, from the resilience of power, networks and systems through to our business continuity arrangements.

Sprinkle on some risks…

Think about all the things that could affect your organisation’s valuable data, or perhaps the buildings or infrastructure upon which it depends for its security. There are many of these; for the sake of a short blog, here’s a small selection of risks that should be assessed by an organisation:

  • risks of information theft by an employee, or a contractor
  • damage to information from a computer virus outbreak, or theft by some form of malware
  • disclosure of information to the wrong customer from unchecked software changes
  • server failure because of hard drive capacity issues
  • risks to your data centre environment because of historical flood risks or proximity to an airport
  • increased risks from outsourcing sensitive data to a third-party cloud provider

Some risks will happen more frequently than others, whilst some will have a major impact and others a relatively minor one. So alongside the identification of risks, we should seek to understand the probability of each actually happening, and the impact if it did.

… and stir in carefully selected controls

There are lots of “bad things” which we need to identify and do all we can to remove, or at the very least minimise to an acceptable level. You’re hopefully already doing sensible things, so for our five examples above you could be implementing:

  • employment contract clauses, supplier agreements, and appropriate activity monitoring
  • robust anti-virus and anti-malware protection, ensuring it is updated regularly
  • formal change management for all software changes, involving multiple personnel
  • infrastructure capacity checks, taking action when pre-agreed thresholds are reached
  • environmental checks, ensuring your valuable infrastructure is protected from risks

The ISO 27001 (2013) standard offers a framework of 114 controls that could be implemented, but there’s nothing to stop you from adding additional controls if you think they are appropriate. Alternative control sets can be introduced if they are more relevant to the protection of your specific organisation or its sector.

Statement of Applicability

The ISO 27001 standard requires the production of a “Statement of Applicability” to illustrate how controls have been implemented to protect your organisation’s assets. Your risk assessment activities above may indicate that some controls are weak or inappropriate, so opportunities should be taken to implement more robust controls, transfer the risks to a more suitable third party, or perhaps even stop undertaking the risky activities altogether.

And that’s it?

Not quite. Whilst asset identification, risk assessment and control implementation may require a clear head and a good supply of strong black coffee, there are a number of related activities which ISO 27001 expects to see. Once again we’ll spare you a long list, but think along the following lines:

  • Involving your senior management, demonstrating their agreement and commitment to information security objectives which protect your business
  • An appropriate framework of information security policies and procedures, and records to demonstrate how they’ve been followed
  • A comprehensive employee and contractor security education programme – they need to understand their roles and responsibilities
  • Internal audit activities – a programme of formal checks taking an objective view of how well your information security plans are working
  • Improvement initiatives – doing things better when there is an opportunity to do so

Next Steps

We hope that the end of this blog finds you more informed than ten minutes ago. With our help, protecting your business and gaining the recognition of formal ISO 27001 certification is a realistic and achievable goal. Take a look at our Activ Secure Information Security Management System (ISMS) to see how we can help simplify your journey to ISO 27001 certification, or contact us for more information on how we can help you with your information security requirements.