

BSEE DATA MANAGEMENT, COMMUNICATIONS & SECURITY


Developing an information security management system


David Goodfellow, UK Business Assurance Manager at TÜV SÜD, a global product testing and certification organisation.


In the 21st century, digitised data is as essential to everyday life as air and water, but unfortunately cyberattacks and data breaches are becoming all too common. As well as increasing risk to businesses and consumers, this creates risk for critical infrastructure, such as power generation facilities, where cyberattacks could potentially bring major cities and communities to a standstill. This is why organisations like airports, public utilities and public authorities prioritise data protection.


While building control systems deliver energy-saving solutions and real-time monitoring, they also create large amounts of sensitive data, and breaches of that data compromise security. An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches that could have serious legal or business continuity implications. ISO/IEC 27001 is the leading international standard for information security management. It provides a practical framework for the development and implementation of an effective ISMS to protect against the root causes of information security risks, offering a well-established methodology for prioritising assets and risks, evaluating controls and developing remediation plans. Its scope is intended to cover all types of information, regardless of its form, which can include digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings.


Organisations that achieve ISO/IEC 27001 certification can reduce overall information security risks by protecting themselves against cyberattacks and preventing unwanted access to sensitive or confidential information. ISO/IEC 27001 simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture.


Certification benefits


Certification to ISO/IEC 27001 can represent an important step in an organisation’s efforts to protect its IT infrastructure, as it strengthens its ability to protect itself against cyberattacks and helps prevent unwanted access to sensitive or confidential information. An ISO/IEC 27001-certified ISMS can also help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers’ contractual requirements. As ISO/IEC 27001 provides a formal, systematic approach to information security, it also increases the level of protection of sensitive and confidential information. This can result in a reduction in overall business risk and help to mitigate consequences when breaches actually occur. By protecting information confidentiality and ensuring the integrity of business data and the availability of IT systems, disruptions to critical processes and the financial losses associated with a security breach are minimised.


Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total costs of IT security by reducing the risk of security breaches and the costly consequences associated with data breaches, such as financial damage and reputational harm. Likewise, ISO/IEC 27001 certification demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage, as stakeholders and customers will be confident that you are maintaining the highest information security standards. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001-certified ISMS.


Steps to follow


Implementing an ISMS according to the requirements of ISO/IEC 27001, and obtaining certification, involves a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations will have unique issues to address and vary in their degree of system readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:


1. Obtain management commitment


The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode implementation efforts.


2. Define the information security policy


At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy will serve as a framework for future development efforts by establishing a direction and set of principles regarding information security.


3. Define the scope of the ISMS


With its information security policy in place, the organisation must then identify the specific aspects of information systems security that can be effectively addressed within the scope of its ISMS.


4. Complete a risk assessment of current information security practices


Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are currently being addressed, as well as system vulnerabilities and threats that require attention.


5. Identify and implement risk measures and controls


Here, the organisation implements measures and practices to mitigate all of the risks identified in the risk assessment. The results of these measures and practices should then be monitored and modified as required to improve their effectiveness.


6. ISMS audit


With a tested and proven ISMS in place, the organisation should conduct a certification assessment pre-audit to identify any potential issues that could negatively impact the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 can then be addressed and/or corrected.


Finally, an independent certification body should be employed to conduct a formal audit of the organisation’s ISMS for compliance with ISO/IEC 27001. A successful audit results in a recommendation for certification, which is then issued by the certification body.


Conduct surveillance audits


Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued compliance with the requirements of the standard. A full recertification audit is required every third year following certification.


Mitigate risk


The prevalence of cyberattacks and data breaches is increasing daily, and they now threaten organisations of every size and in every industry. In cases involving critical infrastructure elements, data breaches can affect the safety of millions of people, and threaten the well-being of communities of all sizes.


An ISMS is a vital element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS. Not only does ISO/IEC 27001 give organisations confidence that information is protected, it proves they have identified the risks, assessed the consequences and put in place effective controls that will minimise any damage from cyberattack.


32 BUILDING SERVICES & ENVIRONMENTAL ENGINEER SEPTEMBER 2021 Read the latest at: www.bsee.co.uk

