Info-security management standard

by Mark Rowe

A standard for information security management is not only a compliance tool for managing risk, according to the British Standards Institution (BSI); it can also act as a vehicle for business growth.

Briefly, BSI describes the ISO 27001 standard as a ‘best practice framework for establishing, implementing, monitoring and reviewing how an organisation manages its information security risks’. Whether the threats are distributed denial-of-service (DDoS) attacks against your network, hacking, or the accidental or deliberate leaking of corporate data, BSI argues that there is no avoiding such crimes and risks. ISO 27001 and similar standards need not be merely a cost of doing business, a way of showing in tenders that you meet Government requirements; the standard also helps you recover from a cyber-security breach, and helps you spot weaknesses (and strengths). BSI stresses, as was true when ISO 27001 was still British Standard 7799, that information security is not only about IT but also about the physical security of data, whether that means screening the workers who handle data or the locks and access control on a server room.

What is the difference between the new, 2013 version of ISO 27001 and the previous, 2005 one? For one thing, the International Organization for Standardization (ISO) now requires all its management system standards to share a common core: in other words, the parts of the management system that are not specific to a discipline, whether information security or complaints management (yes, there is a standard for that), will look the same. That is good news if your business runs several standards, such as 9001 (quality management) or 14001 (environmental management), besides security-related ones. Dr David Brewer sets this out at the start of his Introduction to ISO/IEC 27001:2013, published by BSI. The standard itself is much the same; for instance, it still expects top management to take the lead (as in practice, if those at the top do not set the tone, other staff do not bother either). And it is not enough to do information security; you have to document it, and keep monitoring and measuring it. What makes 27001 of interest to everyone in security, whether IT or physical guarding, is that the standard covers electronic, physical and personnel security alike, from teleworking and work on mobile devices, to protecting computers from malware, to managing staff as they join or leave.

What about the cloud?
The 2013 version has some other differences: unlike 2005, the new version does not explicitly require you to identify assets, threats and vulnerabilities as part of the risk assessment. You now have to identify your ‘interested parties’, such as customers and suppliers, and their requirements. What next? There is no ISO standard specifically for cloud security; instead, BSI directs you to the Cloud Security Alliance’s (CSA) two-year-old Security, Trust and Assurance Registry (STAR). Briefly, it is a searchable registry in which potential cloud customers can review the security practices of cloud providers. According to the CSA, in these early days of cloud adoption, voluntary self-regulation by cloud providers is preferable to government regulation. The caveat is that STAR entries at the self-assessment level are submitted by the providers themselves, and the CSA does not guarantee their accuracy.

Case studies

Thames Security Shredding (TSS) Ltd offers collection and destruction of confidential documents. The market has emerged because of regulation such as the Data Protection Act, and because of the risk of identity theft. Mark Treadwell founded the firm in 2010. He decided on ISO/IEC 27001 to give his business a framework for information security, and to give customers assurance about his service. He chose ERS Consultancy Ltd to help him reach the standard. ERS began with an information risk assessment. Sonia Sooch, Senior Consultant at ERS Consultancy Ltd, explains: “As well as identifying gaps within an existing system, the advantage of the ISO/IEC 27001 standard is that it permits continuous monitoring and review, which then enables the management system to be continually improved.” While certification can be long and fiddly, BSI awarded the company 27001 certification in November 2010, four months after the project began, one of the quickest 27001 implementations to date. The shredding firm reports a significant change in attitude and heightened security awareness among staff, leading to better protection of confidential data. The 27001 standard is a process rather than a set of boxes to tick; hence the need for regular assessments. For example, all security incidents are recorded and corrective actions taken.

Fredrickson International is a debt collection agency (DCA) with three sites in Surrey. The firm employs 300 staff and recovers £100m of debt a year; its clients include a central Government department and banks. Hence compliance matters, as does reputation, as does information security, since much of the work involves receiving, analysing and storing consumer and business credit information. Risks include hacking, and theft of data that criminals could use to commit identity fraud. The company was also motivated by high-profile instances of data loss within its sector. Simon Jones, Managing Director at Fredrickson, says: “Rather than simply say we are compliant, we felt it would provide the market with the confidence it needed, if we were to undergo independent assessment of our ISO 27001 Information Security Management System with BSI.” To reach the standard, the firm began with a ‘gap analysis’ to find where its systems needed fine-tuning. While the firm already had many of the required policies and procedures, the documents were not accessible and knowledge was shared only on a need-to-know basis. Fredrickson created an information security committee with the aim of raising awareness. Managers used staff training and posters to make staff understand the importance of information security and the role they had to play. A shared drive for documents, accessible to staff across the firm, was created. As for practical gains from ISO 27001 certification, it has meant fewer staff hours spent completing the IT security questionnaires that clients require when the firm bids for work. The firm expects that many of its clients will come to require ISO 27001 certification when selecting outsourced partners.

From the BSI website, which carries several case studies:

http://www.bsigroup.com/Documents/iso-27001/case-studies/BSI-ISO-IEC-27001-case-study-Fredrickson-International-EN-UK.pdf

And resources that you may need for your ISO/IEC 27001 Information Security Management System:

http://www.bsigroup.com/en-GB/iso-27001-information-security/Resources-for-ISO-27001/

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing