In this blog post, Peter Walker, Protecht's Chief Information Officer, answers some questions around information security and getting ISO 27001 certified.
Why are you concerned about information security?
I receive notifications of data breaches and information security reports with lessons learned on a daily basis. The number, magnitude and consequences of these incidents continue to rise. As Protecht's CIO, it’s a sobering thought when you are managing other people’s highly sensitive data.
While we have always had information security processes and procedures in place for many years, I recognised the need to do more and to be able to quickly demonstrate to the Protecht Executive Team and external parties that we had a robust and effective information security risk management framework in place. As a separate driver, we needed to be able to demonstrate to our Australian Commonwealth Government clients and prospects that we met the very stringent information security management requirements of the Australian Signals Directorate.
During 2014 we undertook research into what was deemed good industry practice for Information Security management and selected the ISO 27001 standard from a number of competing standards. During the course of 2015 we updated policies and procedures and put in place additional security controls that allowed us to be recommended for ISO 27001 certification in December 2015, getting the official approval in January 2016.
What Is ISO 27001?
ISO 27001 is the international standard for Information Security Management. What it provides is an Information Security Management System along with 114 controls covering 14 domains. ISO 27001 is supported by ISO 27002 which provides the implementation guidance for each of the 114 controls.
Why did we select it?
The primary reason for selecting ISO 27001 was to ensure we had in place the world-recognised industry best practice for Information Security.
Other reasons for selecting ISO 27001:
- ISO 27001 is an international standard; it is globally recognised
- The standard is risk based, which fits well with us as a risk management company
- The standard is based around continuous improvement
- It demonstrates our competence and credibility to our clients
- Clients can use our ISO 27001 certification as part of their supplier due diligence
- Competitive advantage: not all providers can prove they manage information security effectively
What level of Executive Management support did you need and have?
One of the first requirements you come across for ISO 27001 is the requirement for management support. The investment into implementing an ISO 27001 compliant Information Security Management System is significant. For us it required several people for the best part of a year. Another aspect of management support is that the implementation requires change, and change from all parts of the business. With management support it is easy to push this out; without it, it’s just IT people telling the business what to do, which generally never goes down well! Management support is critical to the adoption of ISO 27001. The Protecht Executive team saw the benefits from the adoption of ISO 27001 and with their support I believe we achieved the adoption of the ISMS across the organisation.
How does Protecht manage its ISMS?
As part of the implementation of ISO 27001, we built registers, compliance attestations and KRI questions to support all aspects of the ISMS within our internal instance of Protecht.ERM. The ISO 27001 standard is risk based and therefore fits well into Protecht.ERM. We also developed a number of registers, reports and dashboards to manage broader aspects of ISO 27001 such as Business Continuity and testing, Suppliers, Risk Assessments and Incident management.
Managing the Information Security Management System within Protecht.ERM provides a number of benefits:
- Recording of Evidence – this is important under ISO 27001 as there needs to be proof that tasks have been executed. Protecht.ERM helps by recording who reviewed, updated and/or completed each task, and when.
- Notifications – automated notifications provide staff with reminders to perform routine tasks such as updating Risk Assessments, or tests of Business Continuity.
- Workflow – allows us to define the workflows to support processes such as incident management.
- Key Risk Indicators – provide the means to monitor the Information Security Management System (ISMS).
- Risk Analytics – provides the visualisation of the ISMS. Risk Analytics also allows us to add advanced analysis in areas such as incident management.
- Actions – this is the key aspect of the ISMS, in that the actions allow us to record, plan and track progress of improvements to the ISMS.
What does all this mean for Protecht’s clients and prospects?
The ISO 27001 certification provides a level of confidence to our clients regarding Protecht’s commitment to managing information security:
- The ISMS complies with the requirements from international standard ISO 27001
- Protecht has an Information Security Management System (ISMS) in place
- Protecht is audited by an external auditor on a regular basis against the standard
- A continuous improvement process is in place for Information Security
- Controls recommended by the standards are in place and audited
Do you have any final words to share with our readers?
Take information security seriously and use suppliers who have the same or a greater level of passion in ensuring strong information security controls based on their context of operations. Finally, if you are looking at implementing ISO 27001, or have implemented it using spreadsheets and Word documents, speak to Protecht to see how Protecht.ERM can be used to support your adoption of an ISMS.