Interviews

Secure info up to standard

by Mark Rowe

Many organisations would claim that information is their most valuable asset, yet they don’t have the management commitment to ensure that information is secure. That is according to Richard Skipsey of SGS United Kingdom Ltd. He says: “Managers delegate online security to the IT department and think the job is done.”

Yet the cost to UK plc of security breaches is “in the order of billions of pounds a year”, he adds. He points to the 2013 Information Security Breaches Survey by the Department for Business, which suggested that 78 per cent of large organisations were attacked by an unauthorised outsider in the previous year and that smaller businesses, which used not to be a target, are now also coming under increasing attack. The average cost to a large organisation of its worst security breach ranged from £450,000 to £850,000, while smaller organisations faced bills of £35,000 to £65,000 for the worst incidents.

Mr Skipsey welcomes the fact that the importance of management commitment, with effective measurement, is emphasised in ISO 27001:2013, the revised international standard covering the security of an organisation’s information and IT systems. He says: “Effective information security must be championed, funded and managed at board level. It needs to be implemented as part of an overall business strategy, not in isolation.”

The strategy must also include all information that is valuable to an organisation – from research and design prototypes to forecasts and negotiating positions. It is also not limited to online activity and includes paper records, images and even conversations, he adds. Mr Skipsey is Global Product Manager – ISO 27001 and ISO 22301 at SGS, the inspection, verification, certification, testing and training body.

SGS, which has been accredited by UKAS to assess ISO/IEC 27001:2013, has just updated its booklet on ‘Issues to be considered when establishing an Information Security Management System’ to reflect the changes since the initial standard ISO 27001 was established in 2005. The booklet summarises the principal requirements for guiding and establishing an information security policy and system.

About SGS

SGS is an inspection, verification, testing and certification company. With more than 80,000 employees, SGS operates 1650 offices and laboratories around the world. Visit www.sgs.co.uk.


© 2024 Professional Security Magazine. All rights reserved.
