INDUSTRY COMMENT


The ISO/IEC 27001 information security management system


The prevalence of cyberattacks and data breaches is making companies increasingly concerned about the protection of their data, and that is why organisations with critical infrastructure, such as airports, public utilities and public authorities, prioritise data protection. That's according to David Goodfellow, divisional director for business assurance at TÜV SÜD, a global product testing and certification organisation.

TÜV SÜD's David Goodfellow

For example, a cyberattack on power generation facilities could potentially bring major cities and communities to a standstill. As building controls get smarter, with energy-saving solutions and real-time monitoring, they create large amounts of sensitive data, and breaches of that data compromise security, potentially resulting in significant financial damage and reputational harm. An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches that could have serious legal or business continuity implications. ISO/IEC 27001 is the leading international standard for information security management. It provides a practical framework for the development and implementation of an effective ISMS to protect against the root causes of information security risks, offering a well-established methodology for prioritising assets and risks, evaluating controls and developing remediation plans. Its scope is intended to cover all types of information, regardless of form, including digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings. Organisations that achieve ISO/IEC 27001 certification can reduce overall information security risk by protecting themselves against cyberattacks and preventing unwanted access to sensitive or confidential information. ISO/IEC 27001 simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture.


Protecting IT infrastructure


Certification to ISO/IEC 27001 can represent an important step in an organisation's efforts to protect its IT infrastructure. It strengthens the organisation's ability to defend itself against cyberattacks and helps prevent unwanted access to sensitive or confidential information. Organisations that certify their ISMS to the requirements of ISO/IEC 27001 gain a number of important benefits. For example, an ISO/IEC 27001-certified ISMS can help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers' contractual requirements. Because ISO/IEC 27001 also provides a formal, systematic approach to information security, it raises the level of protection of sensitive and confidential information. This can reduce overall business risk and help to limit the consequences when breaches do occur. By protecting the confidentiality of information, the integrity of business data and the availability of IT systems, the organisation minimises disruption to critical processes and the financial losses associated with a security breach.


Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total cost of IT security by reducing the likelihood of security breaches and the costly consequences that follow them, such as financial damage and reputational harm. Likewise, ISO/IEC 27001 certification demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage, as stakeholders and customers can be confident that the organisation maintains a recognised standard of information security. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001-certified ISMS.


Certification steps


Implementing an ISMS according to the requirements of ISO/IEC 27001, and obtaining certification, involves a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations will have unique issues to address and vary in their degree of system readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:


1. Obtain management commitment


The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode implementation efforts.


2. Define the information security policy

At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy will serve as a framework for future development efforts by establishing a direction and set of principles regarding information security.


3. Define the scope of the ISMS

With its information security policy in place, the organisation must then define which parts of the business the ISMS covers: the locations, business units, information assets and systems that fall within scope, and the interfaces and dependencies with anything left outside it. A clearly bounded scope determines what the risk assessment must cover and what the certification audit will examine.


4. Complete a risk assessment of current information security practices


Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are currently being addressed, as well as system vulnerabilities and threats that require attention.


5. Identify and implement risk measures and controls

Here, the organisation decides how to treat each risk identified in the risk assessment, whether by implementing controls to reduce it, transferring it, avoiding the activity that creates it or, where it falls within the organisation's risk acceptance criteria, formally accepting it. The selected controls are recorded in a Statement of Applicability, and their results should then be monitored and modified as required to improve their effectiveness.


24 BUILDING SERVICES & ENVIRONMENTAL ENGINEER JUNE 2022


6. ISMS audit

With a tested and proven ISMS in place, the organisation should conduct a pre-certification assessment to identify any potential issues that could negatively affect the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 can then be addressed and/or corrected.


Finally, an independent certification body should be engaged to conduct a formal audit of the organisation's ISMS for conformity with ISO/IEC 27001. This is normally carried out in two stages: a review of the ISMS documentation, followed by an on-site audit of how the controls are actually implemented and operated. A successful audit results in a recommendation for certification, which is then issued by the certification body.


Conduct surveillance audits


Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued conformity with the requirements of the standard. A full recertification audit is required every third year following certification.


Effective information security management


An ISMS is a critical element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS. Certification demonstrates that an organisation has identified its risks, assessed the consequences and put in place effective controls that will minimise the damage from a cyberattack. Not only does ISO/IEC 27001 give organisations confidence that information is protected, it also shares the harmonised high-level structure used by other ISO management system standards, such as ISO 9001, which simplifies the auditing process for organisations certified to multiple management system standards.


Read the latest at: www.bsee.co.uk

