ISO 27001 is also about people. Often when information security is discussed it centres around technology and IT, however although technology and products are very important, information security is very much about people as well. In fact it is probably reasonable to state that around 80% of information security incidents are caused by people, and the cost is high.
Of course you can do a lot with the right products and technology such as tight rules relating to what I can and can’t install on my corporate PC, email filters, firewalls, encryption and software that helps me understand suspicious events within my 50 million logs per day database.
Despite all these kind of technologies you will still see information security incidents, and one reason for that is people, and their awareness of information security. Sometimes it is just pure human error that is the cause, for example sending an email to the wrong person containing sensitive information. Yes you can argue that this kind of error should have been prevented by policy and technology. It is however still one of the more frequent information security incidents that I see.
Other times it is a more sinister and targeted approach where people are tricked into doing something that causes to compromise information security. Phishing or spear phishing are the typical incidents that are seen, and in particular spear phishing can be really difficult to detect as a normal human being. Even “security experts” can sometimes be tricked by sophisticated spear phishing.
To test how well prepared you and your people are try adding social engineering to your penetration test framework. It is often amazing, how far you can get when you carry a mop and a bucket of water or how quick the CDROM labelled “organisational change in XYZ Ltd.” left in the pub across the street, will be snapped up and inserted into a PC giving unauthorised access to the network.
ISO 27001 is quite clear on the people side of information security and would ask you to comply with a number of “people controls”. The one I would like to mention is A.7.2.2 which states:
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Through our ISO 27001 consultancy work we see a number of ways to do this. Some of the best practices are:
- Internal security expert road trip
- Face to face training
- Online training
- Posters and leaflets
- Hints and tips through screensavers
- Tests
- Surveys
…and there are probably many more best practices. The key is to do a number of these things (or even better all of them in a comprehensive awareness programme) on a regular basis ensuring an always up to date people information security awareness. Plus of course getting the appropriate technology and processes in place as well.
In JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So if you are considering ISO 27001 call us now (+44 7966 79 6789) to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.