

ISO 27001 is also about people

ISO 27001 is also about people. When information security is discussed it often centres on technology and IT. Technology and products are very important, but information security is very much about people as well. In fact it is probably reasonable to state that around 80% of information security incidents are caused by people, and the cost is high. Of course you can do a lot with the right products and technology, such as tight rules on what I can and can’t install on my corporate PC, email filters, firewalls, encryption and software that helps me understand suspicious events within my 50 million logs per day database. Despite all these kinds of technologies you will still see information security incidents, and one reason for that is people, and their awareness of information security. Sometimes the cause is just pure human error, for example sending an email containing sensitive information to the wrong person. Yes, you can argue that this kind of error should have been prevented by policy and technology. It is, however, still one of the more frequent information security incidents that I see. Other times it is a more sinister and targeted approach where people are tricked into doing something that compromises information security. Phishing or spear phishing are the typical incidents that are seen, and spear phishing in particular can be really difficult for a normal human being to detect. Even “security experts” can sometimes be tricked by sophisticated spear phishing. To test how well prepared you and your people are, try adding social engineering to your penetration test framework. It... read more

The cost of cybercrime

The cost of cybercrime is high! No news here, I think everyone knows that. Many studies have been made and published showing that the cost of cybercrime is high and getting higher each year. Still, when a company then publishes its latest quarterly financial results you can’t help feeling surprised (or even shocked) about the true cost of cybercrime. Remember TalkTalk? They are the telecoms company that suffered an attack last year in which personal information and credit card information of some of their customers were stolen. The latest Q3FY16 trading update from TalkTalk now reveals the cost of this attack:

- Total cost of the cyber-attack was £60m
- Of which the trading impact is £15m
- And exceptional costs are £40m-£45m

Reading the Q3FY16 trading update from TalkTalk, it is quite interesting to see that the way you choose to communicate and be transparent after a cyber-attack can actually help your brand. Dido Harding, TalkTalk CEO: “In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.” Perhaps you are thinking this only happens to the big companies. My company is small and does not really have a lot to steal, so it won’t happen here. In reality every company has information that can be turned into a profit for a cybercriminal, such as personally identifiable information (PII), credit card information, customer information, intellectual property, etc. Sometimes you might have information that can be used to break into another company, for example VPN access codes, or it could be information that could be used to intercept the transport of valuables or... read more

Is ISO 27001 certification just for large organisations?

Is ISO 27001 certification just for large organisations? That is quite often a question raised to me or in various public domains. There is, for example, a discussion going on at the moment on the ISO27000 for information security management LinkedIn forum. In my view the short answer is no. The size of the organisation has no impact on whether ISO 27001 certification is feasible, appropriate or relevant. There might be things other than the size of the organisation that make it relevant or not, as I will try to discuss later in this blog. Sometimes the same question is asked without the word “certification”. ISO 27001 on its own is a standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Or, as I like to think of it, it is really just good practice for anyone who has information where they would like to protect the Confidentiality, Integrity and Availability of that information…and honestly, who would not have that need? So I would suggest that any organisation, regardless of size, should get a copy of the ISO 27001 standard and perhaps also the ISO 27002 guideline (code of practice for information security controls). Read these documents and take some best practice into your own organisation. So what about ISO 27001 certification? Is that feasible for a small organisation? As I have already alluded to above, I don’t think size matters when it comes to ISO 27001 certification, and it is definitely feasible for a small organisation to obtain ISO 27001 certification. Of course, reading between the lines of... read more

ISO 27001 in 2016

Is 2016 going to be the year where you achieve ISO 27001 certification? It might have been something you have been considering for some time now. Not a day goes by without the media reporting some sort of information security breach (Hyatt, TalkTalk or AshleyMadison, just to mention a few). More and more of your customers are either asking directly for ISO 27001 certification or asking you to explain (at great length) how you control certain aspects of information security. You have read or heard about the new EU legislation (General Data Protection Regulation) that is coming into effect in 2018, with massive potential fines if you are not able to protect and react appropriately. You might also have been thinking that formalising a lot of the controls you already have in place would be good, as it would help provide a solid platform from which you can both grow the business and ensure the business keeps improving. Whatever the reason, 2016 is the year to get started with ISO 27001…but where to start? Well, unless you have a lot of spare time on your hands, I would suggest you solicit some expert help. Too many times I see systems that have been wrongly designed…hey, if you needed a filling in a tooth you would not try to do it yourself, would you? To design, build and implement a management system that complies with the ISO 27001 standard takes both time and specialist knowledge, but if you engage an expert to help you then the system could be up and running... read more

What is ISO 27001, Information Security and why should you use it?

What is information security and what is ISO 27001? Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. ISO 27001 is the international standard for information security and is regarded as an internationally recognized best practice framework for an information security management system (ISMS). It helps you identify the risks to your important information and put in place the appropriate controls to help reduce the risk. So, based on the context of your business/organisation and the stakeholders’ requirements, a risk assessment will guide you on the controls needed. The controls would either seek to prevent incidents, detect incidents or help recover from an incident. The standard is an excellent framework for anyone who has information assets…and let’s face it, who hasn’t these days? You can use the framework to help you improve your business, and you can use the framework to obtain external verification through ISO certification that can help create trust with your potential customers. Designing and implementing an ISMS will not only mean more business for your business, it will also provide you with a platform for protection of your most important assets, as well as give you a system that will ensure business continuity should the security defences be compromised. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software and hardware. (Can you buy security? No, but you can use ISO 27001 to get closer!) These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to... read more

Designing ISO 27001 for Business

When designing an ISO 27001 (Information Security) compliant management system, many things can go wrong, and if you are not careful you might end up with an information security management system that is not as good as it could be. By that I don’t mean that good systems are certified and bad systems are not. You can find systems that have been certified to comply with the ISO 27001 standard, but that are not designed to provide the most value for the business or its customers. So what do I mean by a “good design”? Well, good design in my view is a management system that will support the business, provide value to the business through increased revenue, lower cost and higher productivity, and be compliant with the ISO 27001 standard. In addition it will set an appropriate level of information security controls that is aligned with the stakeholders’ risk appetite. The system design would also take into account return on investment, i.e. the risk impact compared to the mitigation investment. The most common mistake we see in designing ISO 27001 compliant systems is systems that are designed to an inappropriate level of information security. This can either be a system that ties the business down in too many unnecessary controls and hence prohibits the business from doing business (too secure compared to risk impact and likelihood), OR it can be a system that does not have enough controls in place (too insecure compared to risk impact and likelihood) and hence is leaving the business open to risks that are not acceptable and not in line with the... read more

ISO 27001 encourages learning and improvement

ISO 27001 is in incredible demand these days. Certainly if you are an organisation that is active in the UK market, it has become almost a mandatory requirement to have an independently verified ISO 27001 Information Security Management System (ISMS) in place. Part of what we do at JSC Consultant is to provide ISO 27001 assessment services to BSI clients, so as you might expect we see many ISO 27001 information security management systems. As you might also expect, the quality of the ISMS can differ quite significantly. Some systems are unfortunately just not fit for purpose and would not provide the minimum level of information security; in some cases the opposite is true, where the information security management system is just too restrictive (compared to the risk level of the business) and is tying the business down unnecessarily. However, the key “ingredient” we always look for in a system is the ability to either prevent incidents from happening or identify incidents that have occurred, and then do a thorough analysis of what went wrong (or could have gone wrong), what learning we can take away from the incident, and what improvement we can implement as a result. However, you do not always have to wait for incidents to happen to you in order to learn. A great source to subscribe to is Krebs on Security, which recently reported on the Target Corp. breach, what went wrong and what learning anyone can take away from an incident like that. In summary, it is believed that hackers broke into Target via one of Target’s 3rd party suppliers that had... read more

What are the key benefits of ISO 27001

So what are some of the benefits of ISO 27001? Truth be told, in most cases when a client is approaching us regarding ISO 27001, it is to get certified because the end customer is requesting ISO 27001 certification. There is absolutely nothing wrong with having that motivation as the starting point, but you will hopefully also realise that there are many more benefits to ISO 27001 than just certification. Below I have listed some of the benefits of ISO 27001 that I find are key:

- Satisfying customer requirement of certification against ISO 27001
- Makes tender responses quicker and easier
- Decreasing the cost associated with information security breaches
- Reduces likelihood of facing prosecution and fines
- Increased productivity through a process improvement approach
- Increased employee satisfaction by eliminating unnecessary work
- Protects brand and reputation of the organisation
- Minimized business risk through formal risk management procedures
- Protecting the confidentiality, integrity and availability (CIA) of key information assets
- Having preventative information security measures in place
- Having corrective information security measures in place
- Improves the ability to recover operations and continue business as usual if a major incident happens
- Differentiation in the marketplace
- Compliance with legislation and regulation
- Higher revenue and customer satisfaction through increased trust
- Supports your preferred supplier status
- Helps to prepare for the unexpected
- Reduce third party scrutiny of information security requirements
- A management system that ensures regular review and reporting on the organisation, its objectives and areas for improvement
- Supports continuous improvement in the business
- Establishing trust with interested parties
- Builds a culture of... read more

Who wants 100% information security and a free lunch?

I guess most people would say yes, but I am sorry: as everyone knows, there is no such thing as a free lunch. In reality there is also no such thing as 100% information security, or at least I am not sure you actually want that, with the associated implications for your business and bottom line. Protecting the Confidentiality, Integrity and Availability of information has to be done in a balanced way. If you are a business, for example, that is providing cloud services to your customers, you need to strike a balance between being able to operate as a business, providing availability and protection for your customers’ information, and making it easy for your customers to use your service. The balance could be found by using a risk management process. Risk is a combination of how likely a threat is to cause an incident and the consequence of that incident taking place. Risk occurs when a threat and a corresponding vulnerability both exist. To reduce the likelihood you can apply preventive measures such as IT security policies, training & awareness, operating procedures, access control, antivirus, firewalls, etc. To reduce the consequence you would apply corrective measures such as Business Continuity Plans (BCP) and Disaster Recovery (DR) procedures. There is often discussion and confusion over the definition of the terms BCP and DR. My view is that BCP is to ensure that adequate temporary measures are brought into play as fast as required, so that ongoing customer activity is maintained. DR should focus on getting the original facilities back into full working order as quickly... read more

ISO 27001 projects – When “business as usual” gets in the way…

The most common obstacle we meet when helping clients with their ISO 27001 projects (or any ISO project for that matter…or, come to think of it, any internal change/improvement project) is Business As Usual (BAU). It basically means that people and organisations have all the best intentions to find the time and get the design and implementation done, but when reality hits, they find themselves too busy with BAU, so they never get time to do the “other” work. This causes projects to lose momentum, and if the break gets too big before you restart the project, you sometimes need to go a few steps back and start all over again. The interesting thing is that typically these organisations have a huge desire to get this done, and they want to get it done ASAP. Let’s do it in 4 months instead of 6 months – Yeah. Reality, however, is that these projects sometimes end up taking 12 months. And I am not talking about projects without proper leadership support and resources. Even when there is terrific support from the top as well as resources allocated, BAU can get in the way. So should we just accept that this is how it is? Or is there something you can do to get more done and finish the project closer to the 4 month target than to the 12 month average? Yes, there is; however, it is not a silver bullet but rather a combination of a number of small things that we have seen work (again, here I assume that you have basic requirements in place such as... read more