How do you assess and confirm the standards and reliability of potential trading partners, and who can you trust with your financial information, your commercial terms, your designs, your IP and your information security? Moreover, as businesses are targets for cyber criminals, what actions will mitigate these threats? asks Jeremy Martin, director of 27k1 Limited.
ISO 27001 is the internationally recognised management system standard for information security. It aims to help organisations follow best practice for the safekeeping of information assets. Implementing the standard ahead of certification is a two-stage process: stage one requires the development of the policies and procedures which underpin the Information Security Management System (ISMS). Stage two is a systematic review and gap analysis of all corporate information security assets, including software, hardware, property, personnel, IP and documentation. This enables the business to assess the likelihood and business impact of potential threats, loss and damage, and then to take positive action to shore up any vulnerabilities and safeguard its information security assets.
Businesses can choose and define the scope of their ISO 27001 management system. A Statement of Applicability (SoA) is then drawn up, recording which Annex A controls apply and why, and the business works towards implementing the controls it has selected, with a view to being audited by an assessor from an accredited certification body such as BSI, Lloyd's Register or Intertek. It is the certification body that is accredited (in the UK, by UKAS); the business itself is certified.
Gaining ISO 27001 certification is a statement of intent. Whereas this was once the preserve of large organisations, small to medium sized businesses are increasingly gaining ISO 27001 certification to demonstrate their information security posture and to compete for tenders that demand proof of their information security credentials.
Problems with spreadsheet approach
Historically, information security asset risk assessments have been undertaken using spreadsheets, under the guidance of an external ISO 27001 implementer or the internal IT team, who work their way through the 114 controls in the 35 control objectives of Annex A to the standard (2013 edition). In a spreadsheet the links between assets, risks, selected controls and the SoA are maintained by hand, so a change on one sheet is easily lost on the others. The process can be complex and protracted, prone to error and expensive.
The 27k1 app
The 27k1 app has been developed to simplify this process and, whilst feature rich, is intended to be intuitive to use, low cost and the most comprehensive software solution of its type available on the UK and global market.
Once downloaded, the 27k1 app takes users from a gap analysis of the assets, through risk identification, evaluation and treatment, linking the risks to the required controls and updating the SoA dynamically. Along the way, the multi-user licence permits users to input asset data, selecting preconfigured controls and threat levels that may be readily adjusted to assess and evaluate the risks to the information security assets across the business.
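The workflow described above (assets, then risks scored by likelihood and impact, then a treatment decision that selects controls, then an SoA derived from those selections) is easier to see in code than in a spreadsheet. The following is an added illustration written for this article; it is not the 27k1 app's code and makes no claim about how the app is built. The 5 x 5 scoring scale, the risk appetite of 8, the seven-control subset of Annex A and the sample register are all assumptions constructed for the example.

```python
"""Minimal ISO 27001-style risk register: assets -> risks -> treatment -> SoA.

Added illustration, not the 27k1 app's code. Scoring scale, risk appetite and
the control catalogue subset are assumptions chosen for the example.
"""
from dataclasses import dataclass
from enum import Enum

# Constructed subset of ISO/IEC 27001:2013 Annex A; a real register carries all 114.
ANNEX_A = {
    "A.8.1.1": "Inventory of assets",
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.3": "Password management system",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
}

RISK_APPETITE = 8  # assumed: likelihood x impact above this must be treated or signed off


class Treatment(Enum):
    MITIGATE = "mitigate"   # apply controls to reduce likelihood or impact
    ACCEPT = "accept"       # retain the risk, with management sign-off
    TRANSFER = "transfer"   # e.g. insurance or outsourcing
    AVOID = "avoid"         # stop the activity that creates the risk


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    treatment: Treatment
    controls: tuple = ()     # Annex A ids applied when MITIGATE
    accepted_by: str = ""    # required when ACCEPT above appetite

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risks):
    """Return the problems an auditor would raise before even reading the SoA."""
    findings = []
    for r in risks:
        if r.treatment is Treatment.MITIGATE and not r.controls:
            findings.append(f"{r.asset}/{r.threat}: MITIGATE with no controls")
        unknown = [c for c in r.controls if c not in ANNEX_A]
        if unknown:
            findings.append(f"{r.asset}/{r.threat}: unknown controls {unknown}")
        if r.treatment is Treatment.ACCEPT and r.score > RISK_APPETITE and not r.accepted_by:
            findings.append(f"{r.asset}/{r.threat}: score {r.score} accepted without sign-off")
    return findings


def risks_above_appetite(risks):
    """Risks that exceed the appetite, highest score first."""
    return sorted((r for r in risks if r.score > RISK_APPETITE), key=lambda r: -r.score)


def statement_of_applicability(risks):
    """Map every catalogue control to applicable / not applicable with a justification.

    A control is applicable when at least one treated risk selects it; the
    justification names those risks. Unselected controls are excluded with a
    reason, which is what the auditor expects to see for every exclusion.
    """
    soa = {}
    for cid, title in ANNEX_A.items():
        users = [f"{r.asset}: {r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(users),
            "justification": "; ".join(users) if users else "no identified risk requires this control",
        }
    return soa


# Constructed sample register (hypothetical assets and threats)
REGISTER = [
    Risk("Customer DB", "Credential theft", "Shared admin passwords", 4, 5,
         Treatment.MITIGATE, ("A.9.2.1", "A.9.4.3")),
    Risk("Customer DB", "Ransomware", "No tested restore", 3, 5,
         Treatment.MITIGATE, ("A.12.3.1", "A.12.6.1")),
    Risk("Office laptops", "Loss in transit", "Disks not encrypted", 3, 3,
         Treatment.MITIGATE, ("A.10.1.1",)),
    Risk("Marketing site", "Defacement", "Unpatched CMS", 2, 2, Treatment.ACCEPT),
    Risk("Legacy FTP server", "Exploit of service", "End-of-life software", 4, 4,
         Treatment.ACCEPT),  # deliberately lacks sign-off so validate() flags it
]

if __name__ == "__main__":
    for f in validate(REGISTER):
        print("FINDING:", f)
    for r in risks_above_appetite(REGISTER):
        print(f"{r.score:>2} {r.asset}: {r.threat} -> {r.treatment.value}")
    for cid, row in statement_of_applicability(REGISTER).items():
        print(cid, "applicable" if row["applicable"] else "N/A", "-", row["justification"])
```

The point of keeping the register, the control catalogue and the SoA in one structure is that the SoA is derived rather than typed: retire a risk or change its treatment and the applicability of its controls changes with it, which is exactly the link a spreadsheet loses. The validate() pass catches the two mistakes auditors most often find in hand-built registers, a "mitigate" with no control behind it and a high risk quietly accepted by nobody.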
The Geneva-based International Organization for Standardization (ISO) has developed a range of standards against which organisations can be certified. These set high standards for compliance across a broad range of business disciplines, including information security. According to the latest, 2017 ISO Survey data, the information technology sector accounts for the highest number of ISO 27001 certificates, with the following countries holding the most:
Japan 9,161; China 5,069; UK 4,503; India 3,272.