• • • SECURITY MANAGEMENT • • •


Developing an information security management system


In the 21st century, digitised data is as essential to everyday life as air and water, but cyberattacks and data breaches are becoming all too common, and a single breach can put an entire industrial facility at risk, says David Goodfellow, divisional director, business assurance, at TÜV SÜD


As well as increasing risk to businesses and consumers, there is risk for critical infrastructure, such as power generation facilities, where cyberattacks could potentially bring major cities and communities to a standstill. This is why organisations like airports, public utilities and public authorities prioritise data protection. An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches that could have serious legal or business continuity implications.

ISO/IEC 27001 is the leading international standard for information security management, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a practical framework for the development and implementation of an effective ISMS that addresses the root causes of information security risk, offering a well-established methodology for prioritising assets and risks, evaluating controls and developing remediation plans. Its scope is intended to cover all types of information, regardless of form, including digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings.

First published in 2005, ISO/IEC 27001 is based on BS 7799 Part 2, Information Security Management Systems – Specification with guidance for use, which was issued by the British Standards Institution in 1999. As originally published, ISO/IEC 27001 was largely based on the “plan-do-check-act” (PDCA) model, also widely used by other management system standards. However, the 2013 revision of the standard adopted the framework detailed in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives. Annex SL mandates a common structure and terminology in all new and newly revised management system standards and retains the PDCA model only as a basic principle. ISO/IEC 27001:2013 also emphasises the importance of measuring and evaluating the effectiveness of an ISMS. Furthermore, the catalogue of proposed controls in Annex A was updated to reflect the technological developments of the intervening years.


Certification benefits

Organisations that achieve ISO/IEC 27001 certification can reduce their overall information security risk by strengthening their defences against cyberattacks and preventing unwanted access to sensitive or confidential information. ISO/IEC 27001 simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture. Certification can therefore be an important step in an organisation’s efforts to protect its IT infrastructure. An ISO/IEC 27001-certified ISMS can also help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers’ contractual requirements.

Because ISO/IEC 27001 provides a formal, systematic approach to information security, it raises the level of protection of sensitive and confidential information. This can reduce overall business risk and help to limit the consequences when breaches do occur. By protecting the confidentiality of information, the integrity of business data and the availability of IT systems, disruptions to critical processes and the financial losses associated with a security breach are minimised.

Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total cost of IT security by reducing the likelihood of security breaches and the costly consequences that follow them, such as financial damage and reputational harm. Likewise, certification demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage, since stakeholders and customers can see that the organisation’s security practices have been independently assessed against a recognised standard. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001-certified ISMS.


Steps to follow

Implementing an ISMS according to the requirements of ISO/IEC 27001, and obtaining certification, involves a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations have their own issues to address and vary in their degree of readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:

1. Obtain management commitment. The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode implementation efforts.

2. Define the information security policy. At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy serves as a framework for later work by establishing a direction and a set of principles for information security.

3. Define the scope of the ISMS. With its information security policy in place, the organisation must then decide which parts of the business, which locations and which information systems fall within the boundaries of its ISMS, and which information security concerns can be effectively addressed within that scope. A scope that is too narrow leaves real risks unmanaged; one that is too broad is unlikely to be implemented well.

4. Complete a risk assessment of current information security practices. Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are already being addressed, as well as the vulnerabilities and threats that still require attention.

5. Identify and implement risk treatment measures and controls. Here, the organisation selects and implements measures and practices to treat the risks identified in the risk assessment, whether by reducing them with controls or, where justified and approved by management, by accepting, avoiding or sharing them. The results of these measures should then be monitored and adjusted as required to improve their effectiveness.


42 ELECTRICAL ENGINEERING • JUNE 2022


electricalengineeringmagazine.co.uk

