This week, the Information Commissioner’s Office (ICO) launched its plan for 2015-18, ‘A clear course for changing times’, in which it set out its goal for the next three years, “to achieve a society in which:
- “All organisations which collect and use personal information do so responsibly, securely and fairly.
- “All public authorities are open and transparent, providing people with access to official information as a matter of course.
- “People are aware of their information rights and are confident using them.
- “People understand how their personal information is used and are able to protect themselves from its misuse.”
Public concern about data security
Admirable stuff, but the ICO’s own Annual Track 2014 – Individuals report from last September shows that this goal will take some achieving. According to the report, “[nearly] two thirds (63%) of the public say that ‘you have lost control over the way your information is collected and processed’, while nearly half (48%) disagree that existing laws and organisational practices provide sufficient protection.”
- 85% of respondents expressed concern about organisations passing or selling their personal details on to other organisations.
- 77% were concerned about organisations not keeping their personal details secure.
These attitudes are hardly surprising. 2014 saw the compromise of an estimated one billion records in a series of data breaches that hit some of the largest organisations in the world as well as a number of smaller enterprises, many of which suffered irreparable damage as a result of their poor information security practices.
Information security best practice
If the ICO is to achieve its goal, then effort is needed from every organisation that collects, processes or stores personal information. It is not just the threat of fines from the ICO that should motivate organisations to get their houses in order, either: customer concern soon turns to customer churn. If 77% are already worried about whether organisations keep their personal details secure, even slight doubts about the safety of that information will make them take their business elsewhere.
Organisations that want to reassure their customers and stakeholders that they take information security seriously should implement a best-practice information security management system (ISMS), as set out in the international standard ISO 27001.
An ISMS provides a framework for best-practice information security addressing people, processes and technology. All organisations can implement an ISMS suitable to their needs, and can achieve certification to the Standard through an independent accredited certification body, providing reassurance to stakeholders, partners and customers that international best practice is being followed.
IT Governance’s fixed-price ISO 27001 Packaged Solutions provide implementation resources and support for organisations of all sizes, making it easier for them to achieve a level of cyber security appropriate to the risks they face.