Information security has taken centre stage in strategic planning for businesses of all sizes, whether you have 30 or 30,000 employees. Larger enterprises have the resources to create governance, risk and compliance (GRC) groups, but for small business owners and startup CEOs, all the responsibility for keeping information safe tends to collect at the top.
As information volumes expand logarithmically, and a host of regulatory bodies revise their requirements with greater regularity, companies have found more and more of their resources are going just to predictive analytics on what could go wrong. Each scenario comes with its own risk and exposure profile, ranging from distracting to devastating. Malicious agents and accidental events can bring down entire networks without warning, so the most proactive IT managers have put together plans and best practices to reduce risks and speed recovery. That's where the ISO 27001 standard comes into the picture.
What is ISO 27001?
To address these proliferating threats systematically, the ISO 27001 standard was developed by a committee of subject matter experts representing over 100 countries around the world. ISO facilitated this process over several years. The standard establishes a baseline for an information security management system (ISMS). It was updated in 2013, so it is currently referred to as ISO/IEC 27001:2013.
Implementation of an ISMS preserves the "confidentiality, integrity and availability" of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
Let's look at each of those three terms individually in the context of this standard.
Confidentiality -- Customers and partners need to have assurance that their private information assets will not be shared inappropriately or left unattended in vulnerable software or physical locations.
Integrity -- This refers to the accuracy and completeness of information. Accounting records maintained in software such as Xero need to have their integrity preserved for tax purposes and general business management so that reports are accurate.
Availability -- Just as a bank customer expects access to their own money, companies and individuals should have easy access to the information they share, with the ability to amend, update or delete that information on demand.
Why would a small business need ISO 27001?
Within two years of the introduction of these guidelines, more than 30,000 global businesses of all sizes secured their ISO 27001 certification. It has become even more valuable for small businesses recently as they seek ways to comply with legislation such as the Privacy Act in Australia or the General Data Protection Regulation (GDPR) in the European Union. Certification also makes sense due to all of the information security threats to small businesses, including but not limited to:
- Hackers - motivated by challenge, ego, status or money
- Computer criminals - motivated by destruction of information, illegal information disclosure, monetary gain or unauthorised alteration
- Industrial espionage - motivated by competitive advantage and economic espionage
- Insiders - motivated by curiosity or monetary gain
- Disgruntled ex-employees - motivated by anger and frustration
The ISO explained that companies are looking for a "systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure."
What risks do small businesses face that ISO 27001 could help with?
Today the biggest threats to private information assets come from phishing, fraud, loss, and ransomware attacks that block managers from being able to access their vital business systems. Accenture's study on the cost of cybercrime found that companies all over the planet lose about $2.4 million per attack on average and they spend 50 days or more trying to recover. Costs have increased by 62 percent over the past 5 years. The study also showed that smaller companies pay 4X more per worker per attack because the costs can't be spread out over a larger field of cost centres.
One of the biggest threats to information security for a small company is the lack of attention to hard copy documents. The ISO 27001 standard applies to information security in the physical world just as much as to the protection of digital assets. What often happens is that workers print out documents and leave them in public areas or on their desks, where the information is exposed to visitors, contractors and cleaning staff, any of whom could profit from sharing private company information assets without violating any legal agreements.
Another huge risk factor involves removable media. USB sticks, external drives, digital cameras, Wi-Fi transfers and Bluetooth-enabled devices represent a vulnerability: they can be used to copy information assets off the network, to introduce viruses, and to give malicious code a path onto the network. Informal processes will not protect a business from financial losses and legal exposure, but following the ISO 27001 standard can.
What does ISO 27001 address?
This set of standards was designed to assure the confidentiality, integrity and availability of:
- Employee records
- Configurations of technology assets (for restoration)
- Information in internal communications
- Customer information
- Location of your assets, physical and digital
- Project tenders
- Product development plans
- Financial information
The security of this information is required by law in some instances, and the loss of it would expose your company to legal challenges. Data breaches and the resulting loss of customers cost global companies $40 million for every 1 million records lost in 2018, and nearly all of those losses were due to criminal or malicious attacks.
Where should you start to comply with ISO 27001?
Even if your organization is not planning to seek certification against the ISO 27001 standard, you owe it to your customers and other stakeholders to protect their information to the best of your ability.
Best practices recommend you should:
- Purchase an Information Security Management System from ISO Templates.
- Look for the highlighted prompts in the template documents to add company-specific information such as logos, name and addresses, and amend any requirements that cannot be implemented in your business.
- Follow the steps on the implementation plan provided with the Information Security Management System.
- Complete the Inventory of Assets including the valuation of the assets.
- Complete the Statement of Applicability based on the status of the 114 security controls in your business.
- Complete a risk assessment and treatment plan in accordance with the detailed steps in the Risk Management Procedure using the Information Security Risk Register.
- Conduct information security awareness training using the PowerPoint template provided.
- Keep refining and improving your information security as new threats emerge, or move on to a certification audit from a third party to determine how close you are to recognition by the ISO.
On the other side of ISO 27001 compliance
Small businesses can benefit greatly from the authority conferred by ISO certification in information security. Compliance with ISO 27001 through the implementation of an ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. Once your company is certified or at least compliant with the ISO 27001 standard, you benefit from better communications using secure channels, lower risk exposure, stronger trust from internal/external stakeholders and a substantial competitive advantage over less secure peers in the market.