Embrace ISO 27001

Oct 15, 2015   //   by David   //   Blog, Information Security

‘Info Sec sits with the IT Department’ is a comment I hear regularly from clients in the Business Continuity area. Of course, in many organisations it does. The risk for those of us who specialise in BC is that Information Security becomes more and more important to Executives while Business Continuity gets pushed to the bottom of the heap.

Another trend I see when doing supply chain reviews for clients is that companies holding ISO 27001 say their BC plan complies with that Standard and that this is sufficient. They have no interest in achieving ISO 22301 because what they already have complies with a Standard.

And guess what? Most companies are happy to accept that as sufficient evidence of their supply chain being suitably covered!

Selling the need for Information Security (or ISO 27001) is fairly easy; the fear factor works a treat here! You just need to list the hacks and leaks: Sony, Ashley Madison, various banks and many more.

Selling BC is a more difficult matter. Yes, you can cite plenty of examples of incidents, but they rarely hit home in the same way. That is often because the media loves to focus on security breaches. For example, the New York Times ran 700 stories about security issues last year!

So is ISO 27001 a threat or a benefit to those of us who come from a BC background? Well the obvious answer is that it is both!

Just look at our own Institute’s threat survey, which showed that cyber-attacks were the number one threat. If that is what our respondents are saying, we must address their concerns.

What if you don’t know about Information Security, though? You may have no technical background, and the jargon may mean little or nothing to you when it starts to roll out.

Actually, you know more than you think! Step back a little: all of us in the BC world know a great deal about running exercises, and they will have covered just about any issue you care to name; fire, flood, plague of frogs (a very specialist one, that!), pandemics and many more. A security breach is just another incident, so if you want to start showing how much value a BC person can add, try running an exercise on a security breach.

You can easily Google enough information to give you a good technical-sounding starting point, or someone in IT can explain how a breach could occur if you don’t know yourself. In the end, though, our exercises often start by simulating the response AFTER an event, so the ‘how’ isn’t always so critical.

The key focus should be on reputational damage at one end and steps to prevent a repeat at the other. This is a good chance to test how well your Comms spokesperson can respond to the firestorm that will happen in the media and on Twitter. Your reputation is at risk, and a poor response can be catastrophic.

It is also a chance to put your IT Department under pressure on how they would cope!

Being more involved

An exercise is a good start for a BC person, but what next? Well, good security is more than technical prevention.

Many, many breaches are caused by human decisions and errors: opening attachments that hide viruses, clicking on links. Good information security follows the 90/10 rule: 10 percent of security is technical and 90 percent relies on you adhering to policies and good practices.

For example, the lock on the door is 10 percent. You remembering to lock it, checking to see if it is locked, ensuring others do not prop the door open, and keeping control of keys is 90 percent.

So get a copy of ISO 27001:2013, read the requirements, be surprised at how much you recognise and begin to work on adding it into your BIAs and BCPs.

Embrace ISO 27001 and turn a threat into an opportunity!