

Solid growth in ISO 27001 certifications worldwide

Solid growth in ISO 27001 certifications is reported. The International Standards Organisation (ISO) reports a 20% rise in ISO 27001 certifications worldwide. ISO and IEC's standard for information security, ISO/IEC 27001, saw a 20% increase to 27,536 certificates worldwide. This is reported through the ISO Survey of Certifications, an annual survey of the number of valid certificates to ISO management system standards worldwide.

ISO 27001 is the best-practice framework for implementing an Information Security Management System (ISMS). Through a risk-balanced focus on technology, processes and people, the standard helps you design and implement an ISMS that protects, detects, responds and recovers in case of a cyber security incident. This survey certainly supports what we are seeing as well. More and more organisations are implementing an ISMS according to the ISO 27001 standard and reaping benefits such as:

- Safeguards business interests
- Supports business objectives
- Achieves a competitive business advantage
- Enables cost-effective and relevant security based on risk
- Aligns with the industry standard for information security management
- Supports your preferred supplier status and/or tender responses
- Clearly sets out how to address and manage the key information security requirements
- Demonstrates how information and information systems are safeguarded
- Helps to prepare for the unexpected

At JSC Consultant our approach is:

- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as...

ISO 27001 and law firms

ISO 27001 and law firms. As the BBC reported, a partner at Mossack Fonseca, the Panamanian law firm at the centre of a huge leak of confidential financial data, says it was the victim of a hack. Ramon Fonseca said the leak was not an "inside job": the company had been hacked by servers based abroad.

It is surprising that more law firms are not choosing to adopt the international standard for information security, given that they typically hold a lot of confidential information. Perhaps it is time for law firms to ask themselves whether their systems and confidential information (whether electronic or paper) are safe and secure.

According to the ISO survey there were 1923 ISO 27001 certificates in the UK in 2013. That number grew 17.6% to 2261 in 2014; however, that growth was mainly made up of the Information Technology industry sector. Of course a number of these IT companies will be providing secure services to law firms, but I would expect the number of law firms looking to ISO 27001 to be a much larger piece of the pie, given the kind of information they hold. So why do ISO 27001 and law firms not appear to be a match made in heaven?

I think this latest breach will get more law firms to think about information security and perhaps consider implementing ISO 27001. However, as a minimum I would recommend that taking a look at the latest guidance from the ICO would really benefit any kind of company. 10 practical ways to keep your IT systems safe and secure: Assess the threats...

ISO 27001 Internal Audit

ISO 27001 Internal Audit. Part of running an effective ISO 27001 Information Security Management System (ISMS) is running an effective internal audit programme. The purpose of the audit programme is to make sure that the ISMS conforms to your own requirements as well as the requirements of the standard, and to check that it is working effectively. If you have a good audit programme, you should get lots of improvements. If you don't get lots of improvements, you should review your audit programme. The ingredients you need to run an effective audit programme are an audit plan, really good auditors and a process that ensures non-conformities or observations get acted upon.

You need "business consultants". Really good auditors are trained in auditing, can ensure objectivity and are impartial to the area being audited. The auditors you choose also need to have certain traits (see list of auditor traits), and you certainly need people who understand how to look at a process and are able to add value. I always like to think of auditors as "business consultants". In large organisations this is fairly simple to set up, as they typically have the resources and you can find auditors who are completely independent of the process they are auditing. In small and medium-sized organisations this can be tricky, both in terms of finding the resources and in terms of finding auditors who are independent.

Outsource Internal Audit. Many organisations therefore choose to outsource the audit function to an external consultant, allowing employees to focus on the core business and leaving the auditing to an expert. By outsourcing...

ISO 27001 is also about people

ISO 27001 is also about people. Often when information security is discussed it centres around technology and IT; however, although technology and products are very important, information security is very much about people as well. In fact it is probably reasonable to state that around 80% of information security incidents are caused by people, and the cost is high.

Of course you can do a lot with the right products and technology, such as tight rules relating to what I can and can't install on my corporate PC, email filters, firewalls, encryption and software that helps me understand suspicious events within my 50 million logs per day database. Despite all these kinds of technologies you will still see information security incidents, and one reason for that is people and their awareness of information security. Sometimes it is just pure human error that is the cause, for example sending an email containing sensitive information to the wrong person. Yes, you can argue that this kind of error should have been prevented by policy and technology. It is however still one of the more frequent information security incidents that I see.

Other times it is a more sinister and targeted approach where people are tricked into doing something that compromises information security. Phishing or spear phishing are the typical incidents that are seen, and in particular spear phishing can be really difficult for a normal person to detect. Even "security experts" can sometimes be tricked by sophisticated spear phishing. To test how well prepared you and your people are, try adding social engineering to your penetration test framework. It...

The cost of cybercrime

The cost of cybercrime is high! No news here, I think everyone knows that. Many studies have been made and published showing that the cost of cybercrime is high and getting higher each year. Still, when a company then publishes its latest quarterly financial results you can't help feeling surprised (or even shocked) about the true cost of cybercrime.

Remember TalkTalk? They are the telecoms company that had an attack last year in which personal information and credit card information of some of their customers were stolen. The latest Q3FY16 trading update from TalkTalk now reveals the cost of this attack:

- Total cost of the cyber-attack was £60m
- Of which the trading impact is £15m
- And exceptional costs are £40m-£45m

Reading the Q3FY16 trading update from TalkTalk, it is quite interesting to see that the way you choose to communicate and be transparent after a cyber-attack can actually help your brand. Dido Harding, TalkTalk CEO: "In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident."

Perhaps you are thinking this only happens to the big companies. My company is small and does not really have a lot to steal, so it won't happen here. In reality every company has information that can be turned into a profit for a cybercriminal, such as personally identifiable information (PII), credit card information, customer information, intellectual property, etc. Sometimes you might have information that can be used to break into another company, for example VPN access codes, or it could be information that could be used to intercept the transport of valuables or...

Is ISO 27001 certification just for large organisations?

Is ISO 27001 certification just for large organisations? That is quite often a question raised to me or in various public domains. There is, for example, a discussion going on at the moment on the ISO27000 for information security management LinkedIn forum. In my view the short answer is no. The size of the organisation has no impact on whether ISO 27001 certification is feasible, appropriate or relevant. There might be things other than the size of the organisation that will make it relevant or not, as I will try to discuss later in this blog.

Sometimes the same question is asked without the word "certification". ISO 27001 on its own is a standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Or, as I like to think of it, it is really just good practice for anyone who has information where they would like to protect the Confidentiality, Integrity and Availability of that information...and honestly, who would not have that need? So I would suggest that any organisation, regardless of size, should get a copy of the ISO 27001 standard and perhaps also the ISO 27002 guideline (code of practice for information security controls). Read these documents and take some best practice into your own organisation.

So what about ISO 27001 certification? Is that feasible for a small organisation? As I have already alluded to above, I don't think size matters when it comes to ISO 27001 certification, and it is definitely feasible for a small organisation to obtain ISO 27001 certification. Of course, reading between the lines of...

ISO 27001 in 2016

Is 2016 going to be the year where you achieve ISO 27001 certification? It might have been something you have been considering for some time now. Not a day goes by without the media reporting some sort of information security breach (Hyatt or Talk Talk or AshleyMadison, just to mention a few). More and more of your customers are either asking directly for ISO 27001 certification or asking you to explain (at great length) how you control certain aspects of information security. You have read or heard about the new EU legislation (General Data Protection Regulation) that is coming into effect in 2018 with massive potential fines if you are not able to protect and react appropriately. You might also have been thinking that formalising a lot of the controls you already have in place would be good, as it would provide a solid platform from which you can both grow the business and ensure the business keeps improving.

Whatever the reason, 2016 is the year to get started with ISO 27001...but where to start? Well, unless you have a lot of spare time on your hands I would suggest you solicit some expert help. Too many times I see systems that have been wrongly designed...hey, if you needed a filling done in a tooth you would not try to do it yourself, would you? To design, build and implement a management system that complies with the ISO 27001 standard takes both time and specialist knowledge, but if you engage an expert to help you then the system could be up and running...

What is ISO 27001, Information Security and why should you use it?

What is information security and what is ISO 27001? Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. ISO 27001 is the international standard for information security and is regarded as an internationally recognized best-practice framework for an information security management system (ISMS). It helps you identify the risks to your important information and put in place the appropriate controls to help reduce the risk. So, based on the context of your business/organisation and the stakeholders' requirements, a risk assessment will guide you on the controls needed. The controls would either seek to prevent incidents, detect incidents or help recover from an incident.

The standard is an excellent framework for anyone who has information assets...and let's face it, who hasn't these days. You can use the framework to help you improve your business, and you can use the framework to obtain external verification through ISO certification that can help create trust with your potential customers. Designing and implementing an ISMS will not only mean more business for your business, it will also provide you with a platform for protection of your most important assets, as well as give you a system that will ensure business continuity should the security defences be compromised.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software and hardware. (Can you buy security? No, but you can use ISO 27001 to get closer!) These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to...

Designing ISO 27001 for Business

When designing an ISO 27001 (Information Security) compliant management system, many things can go wrong, and if you are not careful you might end up with an information security management system that is not as good as it could be. By that I don't mean that good systems are certified and bad systems are not. You can find systems that have been certified to comply with the ISO 27001 standard but that are not designed to provide the most value for the business or its customers.

So what do I mean by a "good design"? Well, good design in my view is a management system that will support the business, provide value to the business through increased revenue, lower cost and higher productivity, and be compliant with the ISO 27001 standard. In addition it will set an appropriate level of information security controls that is aligned with the stakeholders' risk appetite. The system design would also take into account return on investment, i.e. the risk impact compared to the mitigation investment.

The most common mistake we see in designing ISO 27001 compliant systems is systems that are designed to an inappropriate level of information security. This can either be a system that ties the business down in too many unnecessary controls and hence prohibits the business from doing business (too secure compared to risk impact and likelihood), OR it can be a system that does not have enough controls in place (too insecure compared to risk impact and likelihood) and hence is leaving the business open to risks that are not acceptable and not in line with the...

ISO 27001 encourages learning and improvement

ISO 27001 is in incredible demand these days. Certainly if you are an organisation that is active in the UK market, it has become almost a mandatory requirement to have an independently verified ISO 27001 Information Security Management System (ISMS) in place. Part of what we do at JSC Consultant is to provide ISO 27001 assessment services to BSI clients, so as you might expect we see many ISO 27001 information security management systems. As you might also expect, the quality of the ISMS can differ quite significantly. Some systems are unfortunately just not fit for purpose and would not provide the minimum level of information security; in other cases the opposite is true, where the information security management system is just too restrictive (compared to the risk level of the business) and is unnecessarily tying the business down.

However, the key "ingredient" we always look for in a system is the ability to either prevent incidents from happening or identify incidents that have occurred, and then do a thorough analysis of what went wrong (or could have gone wrong), what learning we can take away from the incident, and what improvement we can implement as a result. However, you do not always have to wait for incidents to happen to you in order to learn. A great source to subscribe to is Krebs on Security, which recently reported on the Target Corp. breach, what went wrong and what learning anyone can take away from an incident like that. In summary, it is believed that hackers broke into Target via one of Target's 3rd party suppliers that had...