Information security today is one of the most important pillars deciding the success or failure of any organization, whether public, private, micro enterprise, business, educational, financial, or non-profit. In this blog post, Jaspreet Singh, Associate Director, IT and Assurance, India, EY, lists the key benefits of the new ISO 27001.
According to the National Institute of Standards and Technology, information security is defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.”
Organizations often have the misconception that if they are not a big name or doing anything critically important, they would not be a target. Today it does not matter who you are or whether you stand out in some way. Cyber criminals use programs to scan computers connected to the internet and to identify those with a weakness that can be penetrated and attacked. Reasons for launching attacks vary: money, access to additional resources, competitive advantage, grievance or vengeance, curiosity, mischief, attention or notoriety. Hence it becomes important to safeguard your company's data and brand reputation.
ISO 27001 and key benefits
Considering that IT security is a critical aspect for businesses, Rule 43A of the IT Amendment Act 2008 makes it a company's legal responsibility to implement “reasonable security practices and procedures” and to have a comprehensive documented information security program and information security policy.
ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001 and an internationally accepted standard of requirements dealing with all aspects of information security. It includes domains such as physical security, human resource security, operational security, network security, the secure software development life cycle and supplier relationships, and it focuses on the legal, regulatory and contractual obligations of the organization. The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies: a greater degree of flexibility is allowed in implementing, operating and continually improving the management system, there is an increased focus on top management commitment, and there is renewed emphasis on metrics for performance and for meeting security objectives.
The number of suggested risk mitigation controls in the 2013 revision has been consolidated from 133 to 114, with the addition of many new controls, the rewording of a few existing controls and the dropping of many redundant controls from the 2005 standard. This revision takes into account the changed risk context that organizations face, with increased dependence on technology, mobile computing, business outsourcing, vendor dependency and data privacy.
In addition to protecting day-to-day business operational activities, the new standard focuses on new domains such as project management and development lifecycles, and on a security policy for suppliers. By merging business needs with security and technology requirements early in any project, an organization increases the probability of both reducing development times and improving the security posture of its projects. Similarly, a documented information security policy for suppliers allows organizations to mitigate the risks associated with suppliers' and outsourced parties' access to the organization's information assets.
Influences and Inferences
The two other major influences on the standard's revision are, firstly, an ISO requirement that all new and revised management system standards must conform to the high-level structure and identical core text defined in Annex SL of Part 1 of the ISO/IEC Directives. This alignment will help organizations seamlessly integrate certain mandatory requirements of an information security management system with other management systems, such as a business continuity management system (ISO 22301) and a quality management system (ISO 9001).
The second influence was the alignment of information security risk management with the principles and guidance given in ISO 31000 (enterprise risk management). With this simplification, organizations are free to choose any risk assessment approach and are not bound to follow the asset-based risk management approach of ISO 27001:2005, giving them the flexibility to use a single risk assessment methodology across several integrated management systems. This will not only bring more efficiency in managing and operating the multiple management systems implemented in the organization, but also give top management a holistic picture of the organization's risks and opportunities.