Robert Lyons, Sales & Marketing Manager at Certification Europe and member of the Appraisals Board at Guaranteed Irish, shares expert insights into cyber security for his fellow Guaranteed Irish members, with key considerations around the ISO 27001 Information Security Management System guidelines for businesses.
As Senior Manager for the Sales and Marketing Division of Certification Europe, Rob has built and maintained a wide range of client relationships across a diverse portfolio of over 100 public and private sector organisations. His client base includes An Garda Síochána, South Dublin County Council, United Laboratories, AbbVie, Mallinckrodt, Facebook and PwC.
Rob has a sophisticated understanding of building cross-functional teams around each client account, combining team skills, disciplines and expertise to exceed client expectations.
What is happening?
Most modern-day bank robbers do not wear masks; instead they use laptops and other equipment to invade your business and damage your reputation in the hope of getting you to pay up. As if getting hacked were not bad enough, once you have had a breach you must also report it and potentially face a fine.
How things have changed: the media now carry regular, hugely concerning reports of information security breaches and cyber-attacks across the globe. A recent example is the callous ransomware attacks on the Health Service Executive and the Department of Health, which have had significant, and dangerous, impacts on the provision and delivery of high-quality, safe healthcare services in Ireland, accompanied by huge public outrage and indignation at the temerity of an attack on such an emotionally charged, deep-rooted and critical societal service.
Irish businesses of all sizes have seen their data encrypted by malware, usually delivered through specially targeted, infected emails or unsafe websites.
These attacks can be crippling for any business, so why do so many companies still underinvest in protecting their operations and what should businesses do now?
A 27001-conformant ISMS is a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security, in order to underpin the achievement of its business objectives (security or otherwise). Grounded in risk assessment and treatment (identification, estimation, evaluation, treatment, monitoring and review), an ISMS includes policies, procedures, protocols, guidelines and associated resources and activities, collectively managed to protect organisational information assets (information and processing facilities). Successful ISMS implementation includes analysing the requirements for the protection of information assets and addressing the criteria (clause requirements and information security controls) that ensure their protection (Advisera, 2020; BH Consulting, 2007; ISO/IEC, 2018; ISO/IEC, 2013).
Thus a 27001 ISMS can be viewed as a set of specific, systematic criteria requiring an organisation to:
- Determine the internal and external issues/matters relevant to its function and operation (including the services that it provides) and thereby understand and contextualise its information security requirements.
- Identify interested parties (customers, clients, employees, regulators, shareholders, owners, etc.) and their information security needs and expectations.
- Determine and document the scope of its information security management system (ISMS) through understanding its own information security requirements and those of its interested parties.
- Carry out a foundational, critical information security risk assessment within its defined ISMS scope, resulting in the identification and selection of controls to treat (address, respond to) unacceptable risks (in addition to the information security controls already in place), and plan and implement those controls.
- Establish information security objectives and how they will be achieved.
- Continuously evaluate the implementation of information security and achievement of information security objectives.
- Continuously improve information security.
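To make the risk assessment and treatment cycle described above concrete, here is a small added example (it is not code from the article or from Certification Europe). It walks one constructed risk register through identification, estimation, evaluation against a risk acceptance threshold, and treatment selection, then lists the controls selected for a Statement of Applicability. The 1-5 likelihood and impact scale, the threshold of 8, the control catalogue and the effect each control is assumed to have are all illustrative assumptions; ISO/IEC 27001 requires each organisation to define its own scale, acceptance criteria and treatment options.

```python
"""Illustrative ISO 27001-style risk assessment and treatment.

Added example, not taken from the article or Certification Europe.
All scales, thresholds, controls and their assumed effects are constructed
for illustration; a real ISMS defines its own risk acceptance criteria.
"""
from dataclasses import dataclass

# Assumption: risk levels above this value are unacceptable and must be treated.
RISK_ACCEPTANCE_THRESHOLD = 8

# Constructed control catalogue: control -> (likelihood reduction, impact reduction)
# on the 1-5 scales used below. Real effectiveness would come from the
# organisation's own assessment, not from fixed numbers like these.
CONTROL_EFFECT = {
    "MFA on remote access": (2, 0),
    "Offline backups with tested restore": (0, 2),
    "Phishing awareness training": (1, 0),
    "Email attachment sandboxing": (1, 0),
}


@dataclass
class Risk:
    """One row of the risk register (identification + estimation)."""
    asset: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                # 1 (negligible) .. 5 (severe), constructed scale
    candidate_controls: list   # controls to consider, in order of preference

    def level(self) -> int:
        """Estimated risk level: likelihood x impact on the constructed scale."""
        return self.likelihood * self.impact


@dataclass
class Treatment:
    option: str            # "retain", "modify" (apply controls) or "avoid"
    controls: list         # controls selected for this risk
    residual_level: int    # estimated level after the selected controls


def estimate_residual(risk: Risk, controls: list) -> int:
    """Re-estimate the risk level assuming the listed controls are in place."""
    l_red = sum(CONTROL_EFFECT[c][0] for c in controls)
    i_red = sum(CONTROL_EFFECT[c][1] for c in controls)
    return max(1, risk.likelihood - l_red) * max(1, risk.impact - i_red)


def treat(risk: Risk) -> Treatment:
    """Evaluate a risk against the acceptance criteria and choose a treatment.

    Acceptable risks are retained. Otherwise candidate controls are added one
    at a time until the residual level is acceptable ("modify"). If all
    candidates together still leave the risk unacceptable, the activity is
    flagged for avoidance so top management can decide.
    """
    if risk.level() <= RISK_ACCEPTANCE_THRESHOLD:
        return Treatment("retain", [], risk.level())
    chosen, residual = [], risk.level()
    for control in risk.candidate_controls:
        chosen.append(control)
        residual = estimate_residual(risk, chosen)
        if residual <= RISK_ACCEPTANCE_THRESHOLD:
            return Treatment("modify", chosen, residual)
    return Treatment("avoid", chosen, residual)


def assess_register(register: list) -> dict:
    """Run evaluation and treatment over the whole register, keyed by asset."""
    return {risk.asset: treat(risk) for risk in register}


def statement_of_applicability(treatments: dict) -> list:
    """Controls selected for implementation (only from 'modify' treatments)."""
    selected = set()
    for t in treatments.values():
        if t.option == "modify":
            selected.update(t.controls)
    return sorted(selected)


def build_register() -> list:
    """Constructed sample register; values are illustrative, not real data."""
    return [
        Risk("File server", "Ransomware via phishing email", 4, 5,
             ["Phishing awareness training", "Email attachment sandboxing",
              "Offline backups with tested restore"]),
        Risk("Staff laptops", "Loss of encrypted device", 2, 3, []),
        Risk("Legacy HR system", "Exploitation of unpatched remote service", 5, 5,
             ["MFA on remote access"]),
    ]


if __name__ == "__main__":
    results = assess_register(build_register())
    for asset, t in results.items():
        print(f"{asset}: {t.option}, residual level {t.residual_level}, {t.controls}")
    print("Statement of Applicability:", statement_of_applicability(results))
```

Running the block shows the three outcomes a risk owner needs to record: a risk retained because it already sits within the acceptance criteria, a risk modified by a set of controls that brings it under the threshold, and a risk that no available control reduces enough, which is escalated for a management decision rather than silently accepted. The selected controls then become the evidence behind the Statement of Applicability.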
All these criteria are “driven” by organisational top management leadership and commitment to information security and will take the form of policies, procedures, forms, records, and other documented information as well as processes and technologies (Advisera, 2020; BH Consulting, 2007; ISO/IEC, 2018; ISO/IEC, 2013).
In conclusion, ISO/IEC 27001:2013 is an international, evidence-based, best-practice, top-down, management-driven, risk-based continuous improvement standard for managing information security. As a result, it is surely a key consideration for all organisations dealing with data and information in our world today.
Contact Robert Lyons at rlyons@certificationeurope.com or call +353 1 642 9300.