To be more specific: do we think that ISO 27001 is the best framework for providing information security in smaller enterprises – regardless of size?
There’s a heated debate now trending regarding cyber security for SMEs. Adopting an International Standard like ISO 27001 is seen by many as too costly and time-consuming for small organisations to adopt and certify to.
So what’s all the fuss about ISO27001? Is it just that Government and international companies are insisting that their suppliers comply with the standard, as part of some bureaucratic exercise that ticks the cyber security boxes? Or are there some very good reasons why organisations of all sizes – right down to virtual microbusinesses – are adopting ISO27001?
ISO 27001 “Ever more popular” – really, despite what you may have heard!
Steve Watkins, Consultancy and Training Director at IT Governance, says, “Experience shows that ISO 27001 certification is becoming ever more popular with businesses. Our clients increasingly see the direct benefits for their own operations as well as the assurance certification offers their customers.” I have witnessed this phenomenon and I would recommend keeping an open mind, even if you associate standards with tick boxes and forms. In my experience, the most passionate advocates of ISO27001 are found in the ranks of small companies.
Read our recent Case Study: Eagle FastTracks to ISO27001 certification
So why isn’t every company either adopting ISO27001 if they aren’t yet certified? It’s fair to say there is a degree of resistance in some circles – let’s examine the reasons given and logic behind some of the objections.
ISO 27001 “Too large, too complex, and too costly” – some have claimed
A comment made on one of my Linkedin posts by a Data Security professional who espouses this viewpoint sums up the general feeling among SMEs. It’s a sincere remark and I welcome the contribution that it makes to the debate – however, and unsurprisingly given that we are experts in ISO 27001 compliance, I do not agree with the statement:
“I believe that for the vast majority of organisations ISO27001 is wholly inappropriate, too large, too complex and too costly to implement to a certified level.”
Soon after, another comment from an IT professional appeared in a similar vein, containing a sentiment that I know is felt by many commentators:
“I agree with [Linkedin member] that the ISO is not appropriate for many (most?) organisations, although clearly its principles are good guidance for technical protective measures.”
To put the case against ISO27001 in simple terms, it’s ‘too much effort’.
This is an understandable conclusion for directors and senior managers whose energies are focussed on achieving growth and ROI for shareholders – naturally enough! In fact, I think it’s fair to say that they would all prefer to take advice that basically says: “Don’t waste your time with ISO27001: that’s a standard for organisations that have the resources to afford it… go for something basic instead. You don’t need to assess all the risks involved yourself and apply controls; leave that to us, the IT security professionals.”
This would be fine, if the risks could be addressed simply by upgrading software, buying and installing security hardware, and running anti-malware – measures that qualified security consultants often recommend. It’s not that there’s necessarily anything wrong with spending your money in this way; rather, the problem is that, in the end, it’s your responsibility.
If your firm of accountants said: “Don’t worry about calculating your P&L: leave that to us, you don’t need to be involved at all – after all, we’re the experts!” – Would you pack your clubs and head off for the golf course? Even if you find reading accounts a chore, and, at times, mentally taxing, you know that it’s your job to understand what the numbers actually mean. You may also sign the accounts to say that, to the best of your knowledge and abilities, the figures presented accurately reflect the financial position.
Success is about staying in control – ISO27001 helps you to achieve this
It’s your enterprise: you must establish and remain in control. That goes for cyber security: the stakes are high, and you need to manage the risk.
The fact is, some cyber threats really could put you out of business – damage your reputation for years to come – or at the very least, cost you more in fraud each year than applying appropriate management controls.
The arguments in favour of ISO27001 are complex in comparison to the “Can’t afford it – haven’t got the time to adopt it” thinking that is fairly common among hard-pressed SME managers and many of their IT security consultants, but they need to be articulated and understood. So here goes:
ISO 27001 is based on risk assessment – that’s why it’s such a good idea!
What is a risk assessment in this context? I would start with some advice from the Department for Business Innovation & Skills (BIS) published in their document ‘Cyber Risk Management: a Board Level Responsibility’:
“Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue that it actually is.” – Note: “strategic”.
ISO 27001 Risk Assessments – what exactly are the business objectives?
Risk management plans developed in response to cyber security threats usually have the following linked objectives, which are:
- To eliminate risks;
- To reduce ‘acceptable’ levels, in either of the following ways:
- Living with them, exercising carefully the controls that keep them ‘acceptable’.
- Transferring them, by means of insurance, to some other organisation.
For obvious reasons, human nature interjects at this point by saying: “We have insurance, therefore, there’s no need to worry.” – A nice idea indeed. Unfortunately: (a) most corporate policies either specifically exclude cyber risk or substantially limit the insurer’s liabilities to levels that would prove ineffective in the event of a serious cyber breach (how far would £50,000 go if you had to defend your organisation in the Courts against claims of negligence after thousands of credit card and bank account records were stolen from servers, resulting in millions of Pounds of preventable fraud?); (b) Just because you have insurance doesn’t permit you to be negligent as a director: for example: would you knowingly allow your employees to smoke in the building even if your fire insurance policy was fully-paid up?
How do you know whether or not those on the payroll and visitors to the building are smoking indoors in flagrant disregard for the law, and contrary to your clearly-defined policy? Answer: you measure the effectiveness of management controls and enforce policy in response to the risks identified.
How do you assess risk in relation to the emerging cyber security threats?
Risk management strategies are usually based on an assessment of the economic benefits that the organisation can derive from an investment in a particular control. For every control that you implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation. ‘Risk appetite’ is the phrase used to describe managers’ level of preparedness to take risks.
Ask yourself a simple question: “Do I know what the risks are in our case? Remember that the decision to delegate responsibility does not let you off the hook if the honest answer is: “No, I do not know what risks we face.”
For me, addressing the risk issue is fundamental to the requirements of effective cyber security and is the principal benefit of adopting ISO27001. The standard expects periodic reviews of security risks and related controls will be carried out – taking account of the vulnerabilities, assessing the impact of changes in the business, its goals or processes, technology and/or its external environment (such as legislation, regulation or society) and simply to confirm that the controls remain effective and appropriate. Citing Alan Calder and Steve Watkins’ excellent book, IT Governance: An international guide to data security and ISO27001/ISO27002 – Fifth Edition, (at £49.99 a real bargain for any senior manager seeking advice on whether or not to adopt the ISO27001 standard): “Periodic review is a fundamental requirement of any risk assessment or risk management strategy.” In other words, risk assessment is the core competency of information security management. Risk assessments must be conducted on a regular basis. We can add that ‘the execution of its [the standard’s] provisions is entrusted to appropriately qualified and experienced people’.
You run a small firm. How can you resource ISO 27001 risk assessments?
Understandably, it is difficult for a smaller business to retain specialist information security expertise in-house than for a larger one. It’s also true that the internal risk assessment role needs to be maintained over time – it’s common sense to do so as well as a clear requirement of ISO27001 – and the person involved needs to undergo regular training and be involved in risk assessment issues to be fully-competent: a big commitment for an SME. Hiring external risks assessors is one way out of the dilemma, and has the advantage of ensuring that the person chosen is up to date on relevant issues and wholly objective. An appropriate middle course and an increasingly popular one for SMEs is to contract on a multi-year basis with an appropriately trained individual or consultancy firm to provide risk assessment support and guidance as and when required – and if you will forgive the plug here, a service available from IT Governance Consultancy.
So what can IT Governance do to help your company assess cyber risks?
Much more than you may be aware of!
Our ISO 27001 consultants and technical experts can also assist you in managing cyber breaches, carrying out an impact assessment and helping you to put in place counter-measures to tackle cybercrime at every level, conveying the right messages to colleagues to support effective decision-making.
In particular, our experts can show you how to develop your own information security management system (ISMS) to fully-comply with the ISO 27001 standard; – providing robust protection for your data, maintaining its integrity and making it easily available to everyone who has a need for it within your organisation, whenever and wherever it’s required. Drawing on our extensive experience of ISO 27001 projects, we can support you in carrying out a business examination/risk assessment of the costs and actual impact of those types of breaches most likely to affect your organisation, and put in place a business continuity framework so that you can deal with events and breaches that could not be foreseen with reasonable effort.
That last point is important: having robust, regularly tested, incident management processes and contingency planning in place to recover from and reduce the impact of any compromises to the business could save your reputation when the time comes. Clause 4.2.2.g of the ISO 27001 standard requires the implementation of controls that will enable ‘prompt detection of and response to security incidents. The controls that you construct must ensure that any error or failure during execution is capable of prompt detection and that planned corrective action, whether automated or manual, is effective in reducing the risk to an acceptable level, – whatever happens next! Can you say that your organisation has properly assessed the risks and that your controls are/will be effective in countering threats?
Why leave it to chance? ISO 27001 certification requires commitment, time and money and we understand these are areas of concern for Senior Managers – which is why we are holding a series of events across the UK, in partnership with leading certification bodies that assess organisations for compliance with the ISO27001 standard. See the details of these below.
On the other hand, if you want advice about information security sooner than that, we would be happy to arrange for one of our expert consultants to contact you.
We can show you how to get started on your ISO 27001 project and keep it on track to achieve clearer value for money from better information security management. The end result of our help will be peace of mind, because by working with IT Governance to set up and manage an Information Security Management System (ISMS), you will know that risks have all been properly identified and remediated in a way that reflects the appropriate response in your situation. What’s more, you will be in control!
What could your ISO 27001 consultancy services achieve – starting today?
The project support provided by our consultants transfers the knowledge that you need at each and every stage in adoption. What is more, you can hire us for either the whole job or any part of the process – for example, we can help you to:
1. Carry out a Health Check lead by our experts
2. Define strategy for achieving certification to suit your requirements
3. Perform a detailed risk assessment
4. Develop documentation (high level and/or low-level, as required)
5. Roll out a management system and associated controls
6. Determine training and awareness needs
7. Prepare for Internal, Stage 1 and Stage 2 (certification) Audits
8. Achieve regulatory compliance / accredited certification
9. Maintain your management system/s (surveillance cycle)