SharePoint ISMS tool to manage your ISMS or QMS

This blog is about a new SharePoint ISMS and QMS solution. Would you like to have a tool that can help you run some of the critical processes in your information security management system (ISMS) or in your quality management system (QMS)? A tool that is run from the cloud and hence enables your team to collaborate? A tool that will help you:

- Manage your ISMS?
- Manage your QMS?
- Manage risks?
- Manage nonconformities?
- Manage corrective actions?
- Manage incidents?
- Manage opportunities for improvement?
- Manage recurring tasks such as the quarterly restore test or the annual business continuity test?

A tool that will send out email reminders when tasks are due for review or close to the deadline? A tool that will tie the whole thing together in an online dashboard ready for your management review? A tool that will help you either get ISO 27001 / 9001 certified or stay certified with a minimum strain on the resources needed to run your management system? Well, look no further: JSC Consultant has developed an online Microsoft SharePoint ISMS tool that can either be hosted by us or run on your own O365 SharePoint. The SharePoint ISMS consists of several modules. The risk module is where you determine risks based on assets, threats and vulnerabilities. You score the risks based on likelihood and impact and then select controls to mitigate any risks that are not accepted. The module will then help you manage the risk treatment plan as well. The action module is where you log a nonconformity, an incident, an event, an opportunity for improvement...

Information Security and HR

Information Security and HR – How should HR play a role in Information Security? HR has a very important role to play when it comes to information security. Contrary to common belief, responsibility for information security does not rest solely with IT. Of course, IT often has a very important role to play in making sure that technical controls are designed and implemented. Likewise, HR has a pivotal role to play in ensuring policies are based on values of transparency, privacy and security. Often, when things go wrong in information security it is because of the human element of the equation. One recent interesting case is the Morrisons supermarket breach. According to People Management Magazine Online:

"Employers may be liable for confidential data leaks caused by current or former employees, after the High Court found retailer Morrisons vicariously liable for the actions of a worker who exposed 100,000 colleagues’ personal information to the public. The supermarket had denied liability for the actions of Andrew Skelton, a senior internal auditor at its Bradford headquarters, who stole information including the salaries, birth dates and bank details of vast swathes of its workforce in 2014. He then leaked the information via data sharing websites and shared it with several newspapers."

Of course, I am not saying that HR would be able to completely prevent such a breach, but HR can help by ensuring:

- Strong screening controls are in place,
- That staff only have access to the data and systems that they need to have access to,
- That comprehensive employee contracts that include information security are drawn up,
- That Information Security is...

GDPR Certification

GDPR Certification. Is that possible? Well, it is now. The British Standard BS 10012:2017 provides a specification for a personal information management system (PIMS), and if you implement it you can also have a third-party certification body, such as BSI, audit and certify your compliance with the standard. Of course, you might not want to go through certification, but if you are looking at ensuring compliance with GDPR this standard would be a great help even without certification. So what is in the standard? Great news: the structure is similar to other management system standards such as ISO 27001 or ISO 9001. This means that if you already have a management system that complies with one of these ISO standards, you will recognise a large part of this PIMS standard, including:

- Context of the organization
- Leadership
- Planning (which includes risk management)
- Support
- Operation
- Performance evaluation
- Improvement

Of course, each of these areas needs to be considered with personal information and the GDPR in mind. Specifically, chapter 8 is a large part of the standard, where you will be required to consider areas such as:

- Key appointments (including the Data Protection Officer / DPO)
- Identifying and recording uses of personal information
- Risk assessment and treatment
- Training and awareness
- Keeping the PIMS up to date
- Fair, lawful and transparent processing
- Processing for specific legitimate purposes
- Adequate, relevant and in line with data minimization principles
- Retention and disposal
- Security issues
- Rights of natural persons

Should I use this standard? Of course. We all must comply with GDPR. Some might be further down...

GDPR and why encryption is important?

GDPR and why encryption is important? Encryption is like backup. Everyone agrees it is the right thing to do, but still some will do it and some will not. With backup, it is a no-brainer – you should back up (often, regularly, and keep copies off site based on a strategy that is appropriate to your risk appetite). I think the same applies to encryption – if you have sensitive information you should consider encryption. What is encryption? (See the ICO for more details.) Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures. Why use encryption? So why should you consider encrypting your data? Well, today the use of mobile devices is everywhere (laptops, phones, hard drives, USB sticks), and the risk of these devices being lost or getting into the wrong hands is likely, if not very likely. Just look at the latest security breach relating to London Heathrow airport. Another reason for encryption is the use of the internet. Of course, most would already be using encryption for various internet transactions, for example when communicating with their online bank or when visiting sites that have https in their URL. I would suggest that more should also consider using VPN encryption when accessing the internet from public wifi. Deloitte has also had a breach of their...

Continued growth in ISO 27001 certifications worldwide

Growth in ISO 27001 certifications is reported. The International Standards Organisation (ISO) reports a 21% rise in ISO 27001 certifications worldwide. ISO and IEC’s standard for information security, ISO/IEC 27001, saw a 21% increase to 33,290 certificates worldwide. This is reported through the ISO Survey of Certifications, an annual survey of the number of valid certificates to ISO management system standards worldwide. The UK accounts for 10% of global certificates issued (the UK ranks second in the world with 3,367 certificates issued). ISO 27001 is the best-practice framework for implementing an Information Security Management System (ISMS). Through a risk-balanced focus on technology, processes and people, the standard helps design and implement an ISMS that will help you protect, detect and respond, and recover in case of a cyber security incident. This survey certainly supports what we are seeing as well. More and more organisations are implementing an ISMS according to the ISO 27001 standard and reaping the benefits, such as:

- Safeguards business interests
- Supports business objectives
- Achieves a competitive business advantage
- Enables cost-effective and relevant security based on risk
- Aligns with the industry standard for information security management
- Supports your preferred supplier status and/or tender responses
- Clearly sets out how to address and manage the key information security requirements
- Demonstrates how information and information systems are safeguarded
- Helps to prepare for the unexpected

At JSC Consultant our approach is:

- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include...