How ISO 27001 Certification Delivers Business Value

The accelerated adoption of digital technologies is a bit of a double-edged sword. While it clearly drives new levels of efficiency, productivity and innovation, it can also introduce new vulnerabilities. Increased reliance on cloud, mobile, edge and wireless technologies to support remote and hybrid workforces substantially expands the typical organization’s attack surface.

The World Economic Forum says the emerging technology environment is creating “hidden and systemic risks” that must be addressed to ensure the security of increasingly interconnected businesses. The WEF further suggests that companies build on existing cybersecurity frameworks to ensure compliance with recognized security standards.

The ISO 27001 standard is one of the key frameworks for improving and formalizing business processes around information security and privacy. It details best practices for establishing and maintaining an information security management system (ISMS), which is an overarching management system for all security controls. It covers all corporate data — including financial information, intellectual property, employee details, and information managed by third parties — and can be adapted to fit organizations of any size and in any sector.

The framework provides guidance on the implementation of 114 individual security controls divided into 14 categories, with an eye toward ensuring all these controls are properly integrated into an overarching environment. This broad range of controls helps ensure the confidentiality, integrity and availability of information, as well as compliance with legal, statutory and regulatory obligations.

More Than IT Security

It is important to note that ISO 27001 is not strictly an IT standard. Although it obviously involves the use and proper integration of security technologies, it also addresses a variety of security practices that don’t directly involve IT.

For example, one of the 14 categories focuses entirely on physical security measures to prevent unauthorized access to a company’s facilities and IT equipment. That category also covers maintenance practices, backup power, fire suppression systems and the secure disposal of equipment.

Perhaps most important, the standard addresses the human element of information security. According to an IBM Cyber Security Intelligence Index Report, human error is a major contributing cause in 95 percent of all data breaches. Incidents often involve employees who unintentionally mishandle sensitive data, commit policy violations with workarounds that bypass IT processes or download unapproved applications in order to keep daily workflow moving.

Emphasizing Employee Awareness

Dozens of ISO 27001 controls are designed to ensure employees understand good security practices. For example, “clear screen” and “clear desk” policies mandate that employees log off their computers and make sure all papers and removable storage media are put away if they are leaving for an extended period. Several other safeguards address the growing number of remote workers, covering risks such as unauthorized access to information by family and friends and the use of privately owned equipment.

The standard also requires organizations to implement security awareness training programs for employees. These programs should promote general security best practices and an understanding of social engineering and hacking techniques. Phishing awareness should be a core topic, because phishing is a gateway attack that sets the stage for many other threats.

Beyond the obvious security benefits, compliance with the ISO 27001 standard is just a good business practice. In fact, many companies now make compliance a requirement for business partners and vendors. In an increasingly interconnected economy, ISO 27001 compliance demonstrates to customers and partners that your organization is committed to ensuring the security and privacy of their sensitive information.

To learn more about incorporating ISO 27001 into your security framework, give us a call. Our cybersecurity specialists can guide you through the process and provide an assessment of your current security controls.
