I receive notifications of data breaches and information security reports with lessons learned on a daily basis. The number, magnitude and consequences of these incidents continue to rise. As Protecht's CIO, it’s a sobering thought when you are managing other people’s highly sensitive data.
While we have had information security processes and procedures in place for many years, I recognised the need to do more, and to be able to demonstrate quickly to the Protecht Executive Team and to external parties that we had a robust and effective information security risk management framework in place. As a separate driver, we needed to be able to demonstrate to our Australian Commonwealth Government clients and prospects that we met the very stringent information security management requirements of the Australian Signals Directorate.
During 2014 we undertook research into what was deemed good industry practice for information security management and selected the ISO 27001 standard from a number of competing standards. During the course of 2015 we updated policies and procedures and put in place additional security controls, which allowed us to be recommended for ISO 27001 certification in December 2015, with official certification granted in January 2016.
ISO 27001 is the international standard for information security management. It specifies the requirements for an Information Security Management System (ISMS) and, in its Annex A, lists 114 controls across 14 domains (in the 2013 edition of the standard). ISO 27001 is supported by ISO 27002, which provides implementation guidance for each of the 114 controls.
The primary reason for selecting ISO 27001 was to ensure we had implemented the internationally recognised industry best practice for information security.
Other reasons for selecting ISO 27001:
One of the first requirements you come across in ISO 27001 is the requirement for management support. The investment in implementing an ISO 27001 compliant Information Security Management System is significant: for us it required several people for the best part of a year. Another aspect of management support is that the implementation requires change, and change from all parts of the business. With management support it is easy to push this out; without it, it's just IT people telling the business what to do, which generally never goes down well! Management support is critical to the adoption of ISO 27001. The Protecht Executive Team saw the benefits of adopting ISO 27001, and with their support I believe we achieved the adoption of the ISMS across the organisation.
As part of the implementation of ISO 27001, we built registers, compliance attestations and KRI (key risk indicator) questions to support all aspects of the ISMS within our internal instance of Protecht.ERM. The ISO 27001 standard is risk based and therefore fits well into Protecht.ERM. We also developed a number of registers, reports and dashboards to manage broader aspects of ISO 27001 such as business continuity and its testing, suppliers, risk assessments and incident management.
Managing the Information Security Management System within Protecht.ERM provides a number of benefits:
ISO 27001 certification gives our clients a level of confidence in Protecht's commitment to managing information security.
Take information security seriously, and use suppliers who have the same or a greater level of commitment to ensuring strong information security controls appropriate to their context of operations. Finally, if you are looking at implementing ISO 27001, or have implemented it using spreadsheets and Word documents, speak to Protecht to see how Protecht.ERM can be used to support your adoption of an ISMS.
Protecht is an international company founded by some of the most accomplished risk professionals in the industry. Since 1999, we have delivered training, advisory and software solutions that intensify the risk management focus and discipline of government departments and corporations around the world.