Scotland: Protecting your information assets with ISO 27001

Since the EU GDPR (General Data Protection Regulation) took effect in May 2018, Scottish organisations are inevitably focusing on protecting the confidentiality, integrity and availability of the personal data they process in order to minimise the risk of administrative fines, reputational damage and legal action.

It’s also important to remember that all information – not just personal data – is at risk of compromise, and that every Internet-facing organisation needs to implement effective measures to mitigate the information security risks it faces. Organisations need to acknowledge that protecting intellectual property and sensitive corporate data is just as important to their prosperity.

Information security is not just about technology

The majority of data breaches are caused by human error, and overlooking this human element often leads organisations to overestimate the strength of their defences.

Last month, Police Scotland began raising awareness of a new form of phishing email that is targeting organisations recruiting for staff. The emails appear to be job applications and contain an attached CV that, when opened, can download malware and compromise the organisation’s systems.

Phishing emails and drive-by downloads spread malware by exploiting software and network security vulnerabilities. Employees can often access information they shouldn’t, increasing the risk that they will share it with the wrong person. Laptops can be lost, phones can be stolen and paperwork is easily misplaced.

When any employee can inadvertently jeopardise your organisation’s security, it should be clear that mitigating information security risks isn’t just about installing antivirus and anti-malware programs. You need a more proactive approach that secures the whole business.

What is ISO 27001?

The international standard ISO/IEC 27001:2013 (ISO 27001) sets out the specifications for an ISMS (information security management system), a risk-based approach to information security that incorporates people, processes and technology.

An ISO 27001-compliant ISMS is a cost-effective approach to information security: because it’s based on regular risk assessments, you’ll implement only those controls that address the specific risks you face – keeping expenditure to a minimum.

The benefits of ISO 27001 certification

ISO 27001 is the only international information security management standard to which organisations can achieve independently audited certification.

Certification will show regulators, stakeholders and potential clients that you take data security seriously, and significantly reduce the risk of a data breach occurring. The government and many larger organisations require their supply chains to conform to ISO 27001 as a prerequisite for doing business.

For most organisations, achieving certification to the Standard is advisable, not compulsory. Even without certification, implementing the best-practice methods set out in the Standard can still provide significant benefits.

Complying with ISO 27001

Implementing an ISO 27001-compliant ISMS needn’t be complex and overwhelming.

A gap analysis will show you how your existing practices compare against the requirements of the Standard. Most organisations already have some information security measures in place, so it’s very likely that you already operate many of ISO 27001’s controls. Bringing them into line with the Standard’s requirements and integrating them into a proper management system could be well within your reach.

How IT Governance can help

IT Governance delivers training, consultancy, gap analysis, penetration testing, books and toolkits to organisations in Scotland, helping them with their data protection, cyber security and compliance projects.

Whether you need training or expert advice, or simply want to read up on the latest guidelines and policy information affecting Scottish businesses today, we can help.


CISMP – Certificate in Information Security Management Principles Training Course

If you’re interested in information security management, you might want to book a place on our Scottish CISMP training course, held in Glasgow and Edinburgh.
