If you hadn’t picked up on it by now, one of my primary concerns is ensuring that all of our data is handled securely and in line with the standards we are held to. Since we are responsible for the bookings and schedules of millions of individuals, we have to treat this very seriously.
This post is not about which standards we comply with, but rather about how we organise our approach to data security. The “big one” for us is the topic of this essay, and you may have guessed already which standard that is: ISO 27001.
For many years we have been working towards ISO 27001 certification. Since we first started the company, the standard has served as a foundation for how we think about and approach data security. When developing new procedures or introducing new policies, we have always turned to the ISO 27000 series (and to the NIST 800 series, which is another helpful one) for direction. However, there is a distinction between using a standard to guide your decision-making and fully adopting it, then having that adoption checked and verified by an independent party. The latter is what we have been doing over the past few months.
What is ISO 27001?
My explanation is aimed at those of you who are unfamiliar with ISO 27001. The standard is concerned with your processes and with the way you think about risk. Adopting it requires you to know what data and assets you hold, the threats that could harm them, the measures you use to mitigate those threats, and the controls you put in place to show that you are actually doing what you claim to be doing. On top of that you need an overarching system to monitor those risks and controls, so that you can verify you are doing what you are supposed to, that you are doing it correctly, and that you are continually improving.
The whole arrangement is referred to as the ISMS, the Information Security Management System. An accredited certification body, in our case BSI, audits this system and your organisation’s application of it. If it meets the requirements of the standard, you are granted certification.
It is essential to understand that having robust security controls in place does not guarantee that data will remain secure, which is why we continually work to reduce risk rather than treat any single measure as final. Compliance with ISO 27001 will not “make you secure.” It draws a line in the sand, tells you how secure you currently are, and shows you where to focus your effort to become more secure. At this stage, building a strong and reliable system matters more than chasing a flawless one.
How did 10to8 manage to get their ISO 27001 certification?
What struck me as most surprising was the level to which the certification process energised and altered the way in which we conduct business.
Previously, most of our exposure to the standard came through our clients. We receive a great many questions about compliance, particularly from larger firms that handle sensitive consumer information, and those questions almost always follow a format that we have come to call ‘Appendix A.’
Appendix A of ISO 27001 (formally Annex A) is the list of suggested ‘controls’ used to assess an organisation’s data security measures, that is, its ongoing reduction of risks to data. In the 2013 edition of the standard there are 114 of them.
So, on a very regular basis, companies write to us asking, in slightly different ways, about the same 114 controls and how they protect their data. It is frustrating because each questionnaire is slightly different and reflects the approach of that particular firm.
We had already worked through a number of other data privacy regimes (such as HIPAA, the EU GDPR and the CCPA) and had put our own best practices in place, so the ‘Appendix A’ questionnaires were far from the only demands made of us.
Yet when I went through the standard itself, I realised that even after all of that there was still a lot of work to do. That is the purpose of a rigorous process like ISO 27001’s: to find the holes.
The greatest danger facing a company is…
It is common knowledge that humans are the greatest threat to any company; in other words, we are walking security hazards. For instance, cracking the encryption on an encrypted device is hard, but reading a password over someone’s shoulder when they unlock the device in public is easy. We humans bring a great deal of risk with us.
Rather than go over every policy we have implemented or feature we have introduced to make us more secure, I thought I would share the conclusion of our risk assessment that I consider the most interesting: our approach to e-mail.
Every one of us has, at some point, opened our inbox to find an urgent message asking us to transfer funds or click on a link. It looks as though it came from a friend or colleague, but on closer inspection it did not. Phishing attacks like this cost businesses $5 billion annually, and millions of them are sent every single day.
We came to the conclusion that if we treated e-mail as trusted, it would only be a matter of time before someone clicked the link, with potentially serious consequences.
How, then, can we communicate while lowering the risk to our systems?
The solution turned out to be surprisingly simple. Businesses have many other ways to communicate, such as Microsoft Teams, Slack, Google Hangouts and Zoom. Unlike e-mail, where the sender address can be forged by anyone, these tools authenticate both parties before a message can be sent or received, and because we enforce MFA (multi-factor authentication) on them, a message that appears to come from a colleague almost certainly did come from that colleague’s account.
E-mail is no longer treated as a trusted channel for internal communication.
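To make the point concrete, here is an added example (my own illustration, not code from 10to8) of the kind of triage a mail gateway can apply to messages that claim to come from a colleague. It assumes a hypothetical internal domain, example.com, and relies on the Authentication-Results header that a receiving mail server adds after checking SPF, DKIM and DMARC (RFC 8601); the four sample messages are constructed. It shows why e-mail alone cannot be trusted: a forged From address fails DMARC, but a lookalike domain registered by the attacker passes it, and even a genuine pass only proves the sending domain, not the person.

```python
"""Triage rule for inbound mail that claims to come from a colleague.

Illustration only (not 10to8's code). INTERNAL_DOMAIN is an assumption,
the Authentication-Results header is the one added by the receiving mail
server (RFC 8601), and the sample messages below are constructed.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # hypothetical internal domain


def sender_domain(msg):
    """Domain of the RFC 5322 From address, i.e. what the reader sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from Authentication-Results.

    Missing methods are reported as 'none'. Only the receiving server's own
    header can be trusted; a real gateway must strip any copy the sender added.
    """
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = " ".join(str(msg.get("Authentication-Results", "")).split())
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        clause = clause.strip()
        for method in verdicts:
            if clause.startswith(method + "="):
                verdicts[method] = clause[len(method) + 1:].split()[0].lower()
    return verdicts


def classify(raw_message):
    """Return internal-authenticated, internal-spoofed, lookalike-domain or external."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    verdicts = auth_results(msg)
    if domain == INTERNAL_DOMAIN:
        # A DMARC pass proves the mail went through infrastructure the domain
        # owner authorised. It does not prove the colleague wrote it: a phished
        # mailbox passes DMARC too, which is why internal traffic is better
        # moved to a channel that authenticates both people with MFA.
        return "internal-authenticated" if verdicts["dmarc"] == "pass" else "internal-spoofed"
    # An attacker's own lookalike domain can pass SPF/DKIM/DMARC perfectly,
    # so authentication results alone are not enough; compare the domain itself.
    similarity = difflib.SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio()
    if similarity >= 0.8:
        return "lookalike-domain"
    return "external"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "genuine": (
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "From: Alice <alice@example.com>\nSubject: Friday drinks\n\nSee you at 5.\n"
    ),
    "spoofed_from": (
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid;"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "From: CEO <ceo@example.com>\nSubject: Urgent transfer\n\nWire 20k today.\n"
    ),
    "lookalike": (
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;"
        " dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com\n"
        "From: CEO <ceo@examp1e.com>\nSubject: Urgent transfer\n\nClick here.\n"
    ),
    "outside": (
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com;"
        " dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
        "From: Bob <bob@gmail.com>\nSubject: Booking question\n\nHi.\n"
    ),
}


def classify_samples():
    """Classify every constructed sample; used by the demo below."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```

Running it prints one verdict per sample: the genuine message is internal-authenticated, the forged From header is internal-spoofed, the examp1e.com message is a lookalike-domain despite passing every check, and the Gmail message is external. The similarity threshold is a deliberately simple stand-in for a proper lookalike list; the point of the example is that the authentication verdicts and the domain comparison are both needed, and that neither tells you the human at the other end is who you think they are.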
What was discovered during the inspections was…
All of this work was done in preparation for something we had never experienced before: an audit. To obtain ISO 27001 certification you have to pass one. You open up your company and how it operates, demonstrate everything you do, and then cross your fingers that the result is satisfactory. It is rather like tidying up and then having someone come in to check that you really have taken care of everything, looking inside all the cupboards and under the bed before they leave.
We had implemented best practice. We had produced a significant number of documents. But the results of our first audit showed exactly why audits are necessary.
What we had produced may well have been compliant, but nothing could be found in the enormous amount of documentation we had prepared. It was impossible to tell whether anything was missing, and it soon became clear that something was.
We had tidied up without first deciding where everything needed to go. That made it difficult for us to provide evidence that we had taken the appropriate security measures, and, as our auditor pointed out, it also made the system hard for us to manage.
The second stage was a comprehensive, in-depth examination that lasted four days and included interviews with staff. Before it, we undertook a monumental amount of cleaning and organising. From clear desk policies to the arrangements for our weekly Friday get-together, every document and policy in the organisation, internal and external, was aligned with the ISO 27001 process. Then we carried out a second review to ensure that all of our procedures were consistent with the standard.
The outcome was very satisfying. We passed the second audit with flying colours, and not long afterwards we received our certificate of ISO 27001:2013 compliance from BSI.
Now the hard work begins. Because ISO 27001 certification is a process, it means we are continually working to improve every facet of data security and risk. We are following our Information Security Management System (ISMS) and iterating to reduce the threats to 10to8 data.