The need for a standardized Information Security Management System (ISMS) – ISO 27001
“Black Friday shoppers wary of credit card fraud”
“Data breaches put holiday shoppers at higher risk for fraud”
These are the headlines that consumers are bombarded with around every major shopping event or holiday. It is therefore a business imperative to put in place a process to secure information assets. But diverting management focus away from being competitive on pricing, customer experience and unique products in order to devise a home-grown mechanism for every information security concern is not the solution. So what is?
ISO/IEC 27001, the international information security standard, provides a framework for managing the security of information assets across processes, people and systems (hardware and software). It has been widely adopted by all types of organizations, including multinationals, government bodies and NGOs, and has been successfully implemented across all kinds of industries (manufacturing, banking, oil and gas, telecommunications, etc.).
The strong acceptance of the ISO 27001 standard derives from the fact that it provides a process for implementing, monitoring and auditing controls so as to manage the organization's risk profile. Annex A of ISO/IEC 27001:2013 lists 35 control objectives and a total of 114 controls, spread across the following 14 domains:
Information security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance
Note that the 2022 revision of the standard reorganized Annex A into four themes (organizational, people, physical and technological) with 93 controls, so the counts above apply to the 2013 edition; organizations certified against the 2013 edition have a transition period to move to the 2022 controls.
Furthermore, the ISO 27001 standard uses the "Plan-Do-Check-Act" (PDCA) model to achieve continuous improvement:
Plan: Define the ISMS (Information Security Management System) scope in terms of the information assets and risk profile of the organization. Perform a risk assessment to evaluate the key risks to the company and identify the control objectives and controls needed to mitigate those risks.
Do: Formulate and implement controls to ensure all the relevant control objectives are met. Focus on training and awareness programs: the effectiveness of any security control is only as good as its weakest link, which is often people.
Check: Perform periodic audits of the effectiveness of the implemented controls in meeting the control objectives and mitigating the key business risks. Review the risk assessment at regular intervals to evaluate whether the risks identified yesterday still apply today.
Act: Improve or correct any control that failed during the audit process. Perform a gap analysis to identify areas for improvement.
The benefits of adopting a standardized ISO 27001 ISMS approach include:
- Due diligence to address increasing pressure from customers, regulators and other parties regarding the security of information assets;
- A proactive approach instead of fire-fighting;
- A differentiating factor for customers choosing between similar products offered by you and your competition, as well as confidence for trading partners and the company's stakeholders;
- Integration of information security into already established risk management practices;
- Consistency when your organization is heavily reliant on third-party services;
- Measurable results to justify return on security investment (ROSI);
- Support for information security corporate governance and legal/regulatory compliance; and
- Established ownership by highlighting employees' responsibilities.
However, the degree to which an organization benefits from implementing an ISMS depends on the level of commitment from senior management and acceptance by all stakeholders.